Subject: Electronic CIPHER, Issue 24, October 5, 1997

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 24                                   October 5, 1997
Carl Landwehr, Editor
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
====================================================================

Contents: [1150 lines total]

o 1998 IEEE Symposium on Security and Privacy Call for Papers
o Letter from the Editor
o Tribute to Harold Highland by Gene Spafford

Security and Privacy News Briefs:
  o Privacy: Internet Explorer 4.0 Privacy Issue? Census Survey, HHS recommendations
  o U.S. Crypto Legislation Makes Headlines But not Law
  o Experian Experiences Privacy Problems
  o BSI Offers Free IT Baseline Protection Manual, Solicits Comments

Commentary and Opinion: [none this issue]
Conference Reports: [none this issue]
Cipher Research Registry: new entry
New reports available via FTP and WWW: DIMACS workshop papers and more
Interesting Links:
Who's Where: recent address changes: Goldschlag, Han, Marks, Millen
Calls for Papers: Oakland, ESORICS 98, several more

Reader's guide to recent security and privacy literature
  o Conference Papers: RBAC 97 and more
  o Journal and Newsletter articles: several
  o Books: Schneier & Banisar, Denning & Denning, ...
Calendar
Data Security Letter subscription offer
Publications for sale -- CSFW proceedings available
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
CALL FOR PAPERS: 1998 IEEE Symposium on Security and Privacy
____________________________________________________________________

CALL FOR PAPERS
1998 IEEE Symposium on Security and Privacy
May 3-6, 1998, Oakland, California

sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)

The Symposium on Security and Privacy has, for 18 years, been the premier forum for the presentation of developments in computer security and for bringing together researchers and practitioners in the field. Last year, we began to re-emphasize work on engineering and applications while maintaining our interest in theoretical advances. We continue to seek to broaden the scope of the Symposium. We want to hear not only about new theoretical results, but also about the design and implementation of secure systems in specific application areas and about policies relating to system security. We are particularly interested in papers on policy and technical issues relating to privacy in the context of the information infrastructure, papers that relate software and system engineering technology to the design of secure systems, and papers on hardware and architectural support for secure systems. Papers or panels that discuss the application of theory to practice, describing not only the successes but also the failures and the lessons learned, are of special interest.
Topics on which papers and panel session proposals are invited include, but are not limited to, the following: Commercial and Industrial Security, Security and other Critical System Properties, Secure Systems, Distributed Systems, Network Security, Database Security, Data Integrity, Access Controls, Information Flow, Security Verification, Viruses and Worms, Security Protocols, Authentication, Biometrics, Smartcards, Auditing, Intrusion Detection, Privacy Issues, Policy Modeling.

A continuing feature of the symposium will be a session of 5-minute talks. We want to hear from people who are advancing the field in the areas of system design and implementation, but may lack the resources needed to prepare a full paper. Abstracts of these talks will be distributed at the Symposium.

INSTRUCTIONS FOR AUTHORS:

Last year, we experimented with "electronic" submission of papers for the refereeing process. What we found was that the lack of real standards for PostScript resulted in a few submitted papers being totally lost and significantly increased the workload of the volunteer program co-chairs. As a result, we shall return to the old-fashioned way of submitting papers in hard copy form, both for reviewing and for final publication. Papers should be submitted by mail or the various express carriers. Papers will NOT be accepted by fax.

Papers should include an abstract, must not exceed 7500 words, and must report original work that has not been published previously and is not under consideration for publication elsewhere. The names and affiliations of authors should appear on a separate cover page only, as "blind" refereeing is used. If authors remove bibliographic citations for "blind" refereeing, those citations should also be included on the separate cover page only, so that the program co-chairs can verify the citations without compromising the "blind" refereeing by the program committee members.
Authors must certify prior to December 29, 1997 that all necessary clearances for publication have been obtained.

The committee strongly encourages authors to include archival sources as references (books, journal articles, etc.) and to include references to "WEB" or other "NET" sources only if they can be backed up by some archival source. In this way, we can ensure that people who read the paper 5 years from now will have access to the information used as background and justification of the arguments presented.

Panel proposals should include a title, an abstract which describes the topic(s) to be discussed, the names of all proposed participants and assurances that the participants agree to serve on the panel, a proposed length and format for the panel, and any other information that the panel proposer thinks would support the proposal. We will publish the Panel Abstract in the Proceedings as well as any position papers submitted by the panelists in support of the panel proposal.

Those submitting papers via "hard copy" should send six copies of their paper or panel proposal to:

    Paul A. Karger, Program Co-Chair
    IBM Corporation
    Thomas J. Watson Research Center
    30 Saw Mill River Road
    Hawthorne, NY 10532 USA

Please mark the envelope "IEEE Security and Privacy Symposium." The title, abstract, authors' names, and any blinded citations should be on a separate cover page so that we can support the "blind refereeing process." We would also like to have an electronic, ascii text version of the abstract sent separately to secprv98@watson.ibm.com. The electronic version of the abstract should include the title and the abstract as it appears in the paper.

Papers and panel proposals must be received (however sent) by 6:00 P.M. (EST) on Monday, November 24, 1997. Authors will be notified by mid-January about the status of their papers.
Authors who submit an abstract for a 5-minute talk should include a title, all authors' names and their affiliations, where appropriate, and text. The whole should fit easily on one 8.5" by 11" page. Abstracts for 5-minute talks should be sent to Paul A. Karger at the above U.S. Postal address to be received no later than Friday, April 10, 1998 at 6:00 P.M. (EST). We will review abstracts and accept as many as we can. Please mark the envelope "IEEE Security and Privacy Symposium - 5 minute Abstracts".

If you have questions about the submission procedures, please contact Paul Karger by electronic mail at secprv98@watson.ibm.com or by telephone at +1 (914) 784-7294.

Summary of Important Dates:

    Papers and panel proposals due:         November 24, 1997
    Certification of public release approval: December 29, 1997
    Author notification:                    mid-January 1998
    Final papers due:                       late February 1998
    5-minute talks due:                     April 10, 1998
    Symposium:                              May 3-6, 1998

General Chair:      Mike Reiter, AT&T Labs - Research, USA
Vice Chair:         John McLean, Naval Research Laboratory, USA
Program Co-Chairs:  Paul A. Karger, IBM T. J. Watson Research Center, USA
                    Li Gong, Javasoft, USA
Treasurer:          Brian Loe, Secure Computing Corporation, USA

Program Committee:
    Martin Abadi, Digital Equipment Corporation, Systems Research Center
    Steve Bellovin, AT&T Labs -- Research
    Bob Blakley, IBM
    Ed Felten, Princeton University
    Simon Foley, Cambridge University, UK
    Heather Hinton, Ryerson Poly. Uni., Canada
    Cynthia Irvine, Naval Postgraduate School
    Stewart Lee, CCSR Cambridge, UK
    John McLean, Naval Research Laboratory
    David Presotto, Bell Labs
    Stuart Stubblebine, AT&T Labs-Research
    Paul Syverson, Naval Research Laboratory
    Mary Ellen Zurko, The Open Group Research Institute

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

Please notice especially in this issue:
- the call for papers for Oakland (immediately above)
- the sad news of Harold Highland's death and Gene Spafford's tribute
- the new listing of academic jobs available in computer security, thanks to Cynthia Irvine

Much of the contents of this issue is not yet on the website and it will take me a few days to get to posting it; please bear with me (and read the ascii version). Thanks again to our contributors.

If you are attending the NISSC in Baltimore this week, say hello (I hope to be there at least Wednesday morning for two panels) and be on the lookout for signs announcing a meeting of the TC.

The dogwoods are just beginning to turn in Washington and the beautiful fall weather is upon us.

Best regards,
Carl Landwehr
Editor, Cipher
Landwehr@itd.nrl.navy.mil

____________________________________________________________________
Tribute to Harold Highland by Gene Spafford
____________________________________________________________________

We sometimes take for granted that the people we communicate with electronically will answer when we send mail. Sometimes they are busy and don't respond right away, and other times the mail fails and we need to resend. However, we often don't give it a second thought when we send off the message. Thus, after I sent mail to friend Harold Highland, I received with shock and considerable sadness an auto-reply indicating that he had died in mid-September.
Apparently, Harold passed away suddenly, but peacefully, in his sleep during a family trip.

Harold was known to many of us as someone with a tremendous and eclectic range of interests, a love of learning and education, and a critical insight into many issues -- especially in information security. My own personal image of Harold was strongly shaped by his continuing encouragement as I started out in the field of infosec research. There are many other people in information security today who also owe Harold a "thank you" for encouraging their work, providing advice, introducing them to others in the field, and publishing some of their initial papers.

It's almost impossible to summarize Harold Joseph Highland's career in a few short sentences. He worked in government, commerce, and academia. In a 60-year career, he pursued interests in (to name a few) publishing, medicine, sociology, management, philosophy, materials development, broadcasting, education, and of course, computer science and information security. Harold wrote 26 books, and over 150 technical papers on his interests. He served in many ACM and IFIP positions, was active in computer anti-virus efforts, and served on several editorial boards. In a relatively recent biography, Harold also listed membership in the New York Academy of Science [NYAS], the Institute for Electrical and Electronic Engineer's Computer Society [IEEE/CS], the Information Systems Security Association [ISSA], the international Computer Anti-Virus Research Organization [CARO], the American Association for the Advancement of Science [AAAS], Computer Professionals for Social Responsibility [CPSR], and the Society for Basic Irreproducible Research -- the last of which attests to how serious he was about good humor.

Harold had a long-standing interest in matters international. This included extensive lecturing, serving as a Fulbright professor in Finland, and occupying various consulting and advising roles in computing organizations around the world. His involvement in IFIP was especially noteworthy. Besides activity in several IFIP committees (including chairmanship of the infosec education working group 11.8), Harold conceived and created the journal "Computers & Security" in 1981. C&S became the official journal of IFIP TC 11 in 1983; Harold served as its editor-in-chief until a few years ago, when he became the editor-in-chief emeritus. In 1993, he was named as the first recipient of the prestigious IFIP Kristian Beckman Award, presented by IFIP TC 11 in recognition of outstanding contributions to information security.

As an educator, Professor Highland served as both a professor and as a dean. At various times, he held positions teaching business, medicine, operations research, and computer science. He was awarded the SUNY State Chancellor's Award for Excellence in Teaching in 1976. Two years later, he was promoted to the rank of Distinguished Professor. In 1981, he "retired" to his many other interests.

Harold earned many other honors during his lifetime. He was especially proud to be named, in 1985, as a Fellow of the Irish Computer Society (the FICS after his name in print). He was also named as a Fellow of the ACM a few years ago.

According to Jon David, a close friend and associate of Harold, there will be some memorial posters at the NISSC next week, and probably a memorial issue of the journal Harold founded and edited for so long, "Computers & Security." Other tributes may be planned as well, including (perhaps) the establishment of a scholarship fund in Harold's name. Someone will follow up with details once details are known.
--Gene Spafford

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

____________________________________________________________________
Privacy Topics: Internet Explorer 4.0 Privacy Issue?
                Census Survey of Privacy Attitudes
                HHS Recommendations Under HIPAA
____________________________________________________________________

Microsoft's Internet Explorer Version 4.0, released the last week of September, apparently includes a feature that permits a web page downloaded by a user running the browser to cause a log of the user's activities to be sent back to the site. The channel definition format (.CDF) documented at http://www.microsoft.com/standards/cdf-f.htm includes a LOGTARGET feature that apparently allows a web site provider to make your browser deliver logs of your usage via an http post or put, including hits from cache.

In an unrelated item, the Census Bureau announced its intention to carry out a Study of Privacy Attitudes (SPA). From the Abstract, published in the Federal Register on 3 October:

    The Census Bureau is interested in privacy issues for several reasons. Most notable is the steady decline in response rates to the Census Bureau's mailed questionnaire in recent decennial censuses, which may reflect the growing apathy toward and mistrust of the Federal government. With the recent growth and popularity of the Internet and world wide web, the issues of access to individual data and lack of data security have come to the forefront, adding to the notion that individual privacy is eroding away.
    A clear understanding of the public's beliefs regarding the Census Bureau and its practices may help decennial census planners offset the trend in declining response rates, address new methods to acquire data, improve our ability to communicate privacy and confidentiality messages, and improve our ability to predict and effectively respond to negative publicity.

Finally, US Secretary of Health and Human Services Donna Shalala delivered the privacy recommendations required of her by the Health Insurance Portability and Accountability Act (Kennedy Kassebaum bill) passed a year ago. The recommendations can be found at:

    http://aspe.os.hhs.gov/admnsimp/pvcrec0.htm

The recommendations provide strong arguments for establishing Federal standards regulating the flow of individually-identifiable health information, but leave considerable latitude to law enforcement organizations, who desire access to such data to detect fraud.

____________________________________________________________________
U.S. Crypto Legislation Makes Headlines
____________________________________________________________________

U.S. policy on cryptography, both in relation to export but more significantly in relation to domestic use, generated considerable media interest in the past month. In testimony on September 3 before the Senate Judiciary's subcommittee on technology, terrorism, and government information, FBI director Louis Freeh asked for the ability to decrypt intercepted telephone conversations, with proper authority, as they occur. Shortly thereafter, amendments were offered to the Security and Freedom through Encryption (SAFE) act, H.R. 695, in the House Commerce Committee, that seemed to be intended to provide the desired access to the FBI.
These amendments provoked a storm of protest, including a joint letter from relevant committees within the AAAS, AMS, ACM, AAAI, IEEE, FAS, CRA, Sigma Xi, and several other professional societies, and a joint letter from more than two dozen law professors. On September 24, the committee rejected the proposed amendments and instead passed a version of the bill doubling the penalties for using encryption in the commission of a crime and establishing a new FBI technical center for surveillance.

Those interested in more details on the SAFE bill may wish to visit:

    http://www.jya.com/hr105-108-pt5.htm
        -- for the House Commerce Committee's report on SAFE (as passed)
    http://www.jya.com/safe-news.htm
        -- for news stories on the vote
    http://Info.acm.org/usacm/crypto/societies_crypto_letter_1997.html
        -- for the letter from the scientific societies
    http://www.jya.com/frese-s909.htm
        -- for arguments by Ron Rivest and Michael Freese on the potential that the proposed amendments might have effectively barred public key encryption
    http://www.cdt.org/crypto/legis_105/SAFE/Oxley_Manton.html
        -- for the bill with the controversial amendments
    http://www.jya.com/hr105-108-pt4.htm
        -- for the House Permanent Select Committee on Intelligence's report on the SAFE bill

____________________________________________________________________
Experian Experiences Privacy Problem
____________________________________________________________________

According to a front page Washington Post story by Robert O'Harrow, Jr., on August 16, 1997, Experian, Inc. withdrew a service that was intended to provide (for a fee of $8.66) customers with their credit histories via the WWW only two days after its introduction. The cause was the misdelivery of a number of credit histories, including the delivery of Post reporter Blaine Harden's information to an individual in Columbia. According to the published account, when he learned of the delivery of his record to someone else, Harden tried the service again.
After identifying himself with a variety of pieces of information, Harden was then erroneously delivered the record of yet another individual. Although technical details are lacking in the account, it appears that Experian (formerly known as TRW Information Systems & Services) was using SSL and that only records of individuals who had actually attempted to retrieve their records were misdelivered. Experian's URL is http://www.experian.com/product/consumer/index.html.

________________________________________________________________________
BSI Offers Free IT Baseline Protection Manual, Solicits Comments
by Carsten Schulz, BSI
________________________________________________________________________

The BSI (German Information Security Agency) was founded in 1990. One of its tasks is the counseling and support of governmental agencies, companies, etc., in all IT-security-relevant questions, especially how to write IT security concepts (which in our terminology means documents describing how to select safeguards and implement IT security for the IT systems considered). These activities also include the task of performing and improving the methods to develop such IT security concepts.

Up to now, risk analysis was used for this purpose mainly. As one can imagine, performing a risk analysis is a very time-consuming task, but yields appropriate results suitable for the IT systems considered. These detailed results are only necessary in case of high protection requirements. The idea that the realisation of standard security safeguards is sufficient for 'normal', medium protection requirements seems obvious. You may have come across this idea under the term 'baseline security safeguards'. The combination of risk analysis (for high protection requirements) and baseline security safeguards (for low up to medium protection requirements) allows one to minimize efforts and to optimize results.
This combined method has been continuously developed in Germany throughout the last years and is considered to be a de facto standard by now. It is also recommended by various Technical Reports developed in ISO/IEC JTC1/SC27/WG1.

BSI published the first version of the IT Baseline Protection Manual in 1994. This manual recommends IT security safeguards for typical IT systems which are adequate and sufficient for medium-level protection requirements. For the identification of these safeguards, BSI assumed typical threats applicable for the IT systems; their description can be found in a threat catalogue attached. A detailed description of the safeguards recommended can also be found in the Manual. Each year, the Manual is updated and extended by components dealing with the most recent technical developments.

Threats and recommended security safeguards are listed in superordinate components, like organisation, personnel, contingency planning, data protection, infrastructure, cabling, as well as in IT-specific components, like:

    DOS personal computer
    UNIX system
    Laptop PC
    Windows 95
    Server-based PC network
    UNIX Network
    Windows NT (3.5, 4.0)
    Novell Netware 3.x
    Data transmission systems
    Telecommunications systems
    Firewall
    etc.

The selected safeguards are economical and easy to implement. Furthermore, the descriptions of safeguards contain advice concerning responsibilities, implementation and audit. When applying the IT Baseline Protection Manual, real IT systems can be modulated by a combination of appropriate components to select recommended safeguards.

As in the last year, the IT Baseline Protection Manual is also published on CD-ROM (German/English: html format, German/English: Winword2 format). In case you are interested in this manual, please contact us (E-mail contact address as below). We are looking forward to hearing from you.
In order to send the manual to you successfully, we need at least the following information: name, first name, company and your position in the company, E-mail address, postal address. Please tell us your opinion, criticisms, corrections, and suggestions for improvements. The manual can only be improved by your suggestions. In case you want to use the Manual on a Unix platform, please mention this explicitly in your mail, since you then need an additional Unix-compatible version!

Please contact: schulz@bsi.de

________________________________________________________________________
Cipher Registry of Security and Privacy Research Projects
________________________________________________________________________

Submitted 27 August 1997:

a) name: Alfarez Abdul-Rahman
b) e-mail address: F.AbdulRahman@cs.ucl.ac.uk
c) project title: Trust in Distributed Systems (funded PhD work)
d) affiliation: University College London
e) The aim of this work is to understand the semantics of trust for distributed systems, and propose a practical model of trust - work combines areas of distributed systems security and trust with sociology and psychology.
f) URL for further information: http://www.cs.ucl.ac.uk/staff/F.AbdulRahman/docs

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

o http://dimacs.rutgers.edu/Workshops/Security/program2/program.html
  Online proceedings of the DIMACS Workshop on Design and Formal Verification of Security Protocols, held September 3-6, 1997.

Medical security/privacy item:

o http://aspe.os.hhs.gov/admnsimp/pvcrec0.htm
  US HHS Secretary Shalala's Privacy Recommendations delivered to Congress 11 Sept. 1997.

Cryptography policy items (see news items above):

o http://www.cdt.org/crypto/legis_105/SAFE/
  Center for Democracy and Technology's report on the defeat of the amendments to the SAFE bill in House committee.
Interesting papers about networks (but not really security):

o http://www.manymedia.com/david/stupid.html
  Rise of the Stupid Network, by David Isenberg. Why the Intelligent Network was once a good idea, but isn't anymore. One telephone company nerd's odd perspective on the changing value proposition.

o http://www-eecs.mit.edu/people/ferguson/telecom/
  The Internet, Economic Growth, and Telecommunications Policy, by Charles H. Ferguson. Interesting analysis of Local Exchange Carriers.

________________________________________________________________________
Interesting Links [new entries only]
________________________________________________________________________

o http://www.cs.nyu.edu/~rubin/courses.html
  Avi Rubin's extensive list of cryptography and computer security courses being offered at the graduate level around the world, with URLs for many of them.

o http://www.csci.ca/
  Computer Security Canada has opened an online library of computer security breaches that have occurred on the World Wide Web. The site is said to contain examples of some of the most embarrassing Web security breaches that have occurred in government, the military, academia and industry... but I didn't get through when I tried it.

o http://www.cs.tcd.ie/FME
  The web site of FMEInfRes, the Formal Methods Europe Information Resources project

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Entered 5 October 1997

David Goldschlag
Divx
570 Herndon Parkway
Herndon, VA 20170
e-mail: David.Goldschlag@divx.com
voice: 703-708-4028 (direct line)
fax: 703-708-4088
web site: www.divx.com

Dr. Yongfei Han
Chief Scientist
Gemplus Technology Asia PTE LTD
89, Science Park Drive
#04-01/05 The Rutherford, Singapore Science Park
Singapore 118261
Tel: (65) 776 1989
Fax: (65) 773 0648
E-mail: yongfei.han@ccmail.edt.fr

Donald Marks
NIST/CSD
Bldg. 820, Rm 622
Gaithersburg, Md. 20899
voice: (301) 975-5342
e-mail: marks@csmes.ncsl.nist.gov

Jonathan K. Millen
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025
Tel: 650-859-2358
e-mail: millen@csl.sri.com

_______________________________________________________________________
Calls for Papers (new listings since last issue only -- full list on Web)
________________________________________________________________________

CONFERENCES
Listed earliest deadline first. See also Cipher Calendar. Abbreviated listings this issue; web will be updated as soon as possible.

WWCA  http://ci.etl.go.jp/wwca98/
  International Conference on Worldwide Computing & Its Applications '98, March 4-5, 1998, Tsukuba, JAPAN. Submissions due by 31 October 1997 to WWCA Secretariat. See conference or Cipher Web pages for details.

ISCC  http://www.cs.bu.edu/ftp/amass/ISCC/
  The Third IEEE Symposium on Computers and Communications (ISCC'98), Athens, Greece, June 30--July 2, 1998. Submissions due 1 November 1997 to Tech program Co-chairs Houssan Mouftah, mouftah@eleceng.ee.queensu.ca, or J. Wieselthier, wieselthier@itd.nrl.navy.mil. For details see conference or Cipher web site.

PKC '98  http://hideki.iis.u-tokyo.ac.jp/pkc98/
  1998 International Workshop on Practice and Theory in Public Key Cryptography (PKC'98), Yokohama, Kanagawa, Japan, 5-6 February, 1998. Submissions due 28 Nov. 1997. All correspondence, including submissions, will be made through e-mail to pkc98@imailab.iis.u-tokyo.ac.jp. See conference or Cipher web page for details.

IH '98
  Second Workshop on Information Hiding, 15-17 April, 1998, Portland, Oregon. Submissions due 31 December 1997 to David Aucsmith, Intel Architecture Labs, 5200 N. E. Elam Young Parkway, Hillsboro, OR 97124-6497, USA (e-mail: awk@ibeam.intel.com). For further information see Cipher web site.

ESORICS '98  http://www.dice.ucl.ac.be/esorics98
  5th European Symposium on Research in Computer Security, Louvain-la-Neuve, Belgium, September 16-18, 1998. Submissions (in English) due to Prog.
  Chair Yves Deswarte, LAAS-CNRS, Toulouse, by 28 February 1998. For details, see conference or Cipher web site.

JOURNALS
Special Issues of Journals and Handbooks: listed earliest deadline first.

o Special Issue of IEEE Personal Communications Magazine on Mobile Systems and the Web; Guest Editors: Arvind Krishna, IBM T.J. Watson Labs, and Anupam Joshi, CECS Department, University of Missouri. Six copies of submission due to either editor by 1 November. See Cipher web pages for details.

o http://www.acm.org/sigmobile/MC2R/
  Papers for 6th issue of ACM SIGMOBILE Mobile Computing and Communications Review, submissions due 15 November. See web site for details.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

o Papers to be presented at Second ACM Workshop on Role-Based Access Control, Nov. 6-7, 1997:
  - E. Bertino, E. Ferrari, and V. Atluri, "A Flexible Model for the Specification and Enforcement of Role-Based Authorizations in Workflow Management Systems"
  - Roshan Thomas, "Team-based Access Control (TMAC)"
  - D. Richard Kuhn, "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role Based Access Control Systems"
  - Sylvia Osborn, "Mandatory Access Control and Role-Based Access Control Revisited"
  - Ravi Sandhu, et al., "The ARBAC97 Model for Role-Based Administration of Roles: Preliminary Description and Outline"
  - William J. Meyers, "RBAC Emulation on Trusted DG/UX"
  - Roland Awischus, "Role Based Access Control with the Security Administration Manager (SAM)"
  - Larry S. Bartz, "hyperDrive: Leveraging LDAP to Implement RBAC on the Web"
  - David F. Ferraiolo, "Specifying and Managing Role-Based Access Control within a Corporate Intranet"
  - Christian Friberg and Achim Held, "Support for Discretionary Role Based Access Control in ACL-oriented Operating Systems"
  - Trent Jaeger, "A Role-based Access Control Model for Protection Domain Derivation and Management"
  - Raymond Wong, "RBAC Support in Object-Oriented Role Databases"
  - E.B. Fernandez and J.C. Hawkins, "Determining Role Rights from Use Cases"
  - John Barkley, "Comparing Simple Role Based Access Control Models and Access Control Lists"
  - Emil C. Lupu and Morris Sloman, "Reconciling Role Based Management and Role Based Access Control"
  - Tor Didriksen, "Rule Based Access Control"
  - Luigi Giuri and Pietro Iglio, "Role Templates for Content-Based Access Control"

o 6th International Conference on Computer Communications and Networks, September 22-25, 1997, Las Vegas, Nevada, security-related papers:
  - T.R.N. Rao, "Encryption, Electronic Signatures and Security in Computer Communications" (keynote)
  - Hatefi and Golshani, "A New Framework for Secure Network Management"

o International Symposium on Information Systems and Technologies for Network Society, Fukuoka, Japan, 24 Sept. 1997. Security related paper:
  - Kou Nakayoshi, Nariyoshi Yamai, Toshio Matsuura, Kota Abe, and Koso Murakami, "A Secure Distributed File System for Arbitrary Users"

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
_______________________________________________________________________

o IEEE Software Vol. 14, No. 5 (Sept/Oct 1997).
  - Charles P. Pfleeger and Deborah M. Cooper. Security and privacy: promising advances. pp. 27-34.
  - Andrew P. Kosoresow and Steven A. Hofmeyr. Intrusion detection via system call traces. pp. 35-42.
  - Nicholas Puketza, Mandy Chung, Ronald A. Olsson, and Biswanath Mukherjee.
A software platform for testing intrusion detection systems. pp. 43-51. - Nayeem Islam, Rangachari Anand, Trent Jaeger, and Josyula R. Rao. A flexible security system for using Internet content. pp. 52-59. - Firewalls: an expert roundtable. pp. 60-66. - Unlocking key issues in security: interview with Dorothy Denning. pp. 108-109. - Cynthia E. Irvine. Challenges in computer security education. pp. 110-111. o IEEE COMPUTER, Vol. 30, No. 9 (Sept 1997). N. Asokan, Phillipe A. Janson, Michael Steiner, and Micahael Waidner. The state of the art in electronic payment systems. pp. 28-36. o IEEE Trans. on Knowledge and Data Engineering Vol. 9 No. 4 (July/August 1997). - P.C. Chu. Cell suppression methodology: the importance of suppressing marginal totals. pp. 513-523. - P. Samarati, E. Bertino, A. Ciampichetti, and S. Jajodia. Information flow control in object-oriented systems. pp. 524-538. - S.-P. Shieh and V. D. Gligor. On a pattern-oriented model for intrusion detection. pp. 661-667. - I. Majetic and E. L. Leiss. Authorization and revocation in object- oriented databases. pp. 668-672. o Computers & Security Volume 16, Number 3 (1997). (Elsevier) Refereed Articles: - Zbigniew Ciechanowicz. Risk analysis: requirements, conflicts and problems. pp. 223-232. - Ivan Krsul and Eugene H. Spafford. Authorship analysis: identifying the author of a programs. pp. 233-256. o IEEE Journal on Selected Areas in Communications, Vol. 15, No. 3. (April 1997). Li Gong. Enclaves: enabling secure collaboration over the Internet. pp. 567-575. Also available at http://java.sun.com/people/gong/papers/pubs97.html _______________________________________________________________________ Reader's Guide to Current Technical Literature in Security and Privacy Part 3: Books ________________________________________________________________________ * Schneier, Bruce and David Banisar. The Electronic Privacy Papers: Documents on the Battle for Privacy in the Age of Surveillance. 
  John Wiley, 1997, ISBN 0-471-12297-1, 747 pp. $60.
* Smith, Richard E. Internet Cryptography. Addison-Wesley, 1997, ISBN 0-201-92480-3, 384 pp. $27.92.
* Denning, Dorothy E. and Peter J. Denning. Internet Besieged: Countering Cyberspace Scofflaws. ACM Press, 1998, ISBN 0-201-30820-7, 592 pp., $34.38.

________________________________________________________________________
Calendar
________________________________________________________________________

====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================

"Conf Web Page" indicates there is a hyperlink on the Cipher Web pages to conference information. (In many cases there is such a link even though mention is not made of it here, to save space.)

Dates               Event, Location; Point of Contact / more information
-----               -----------------------------------------------------
10/ 5/97-10/ 8/97:  SOSP '97, Malo, France; Conf Web page
10/ 6/97-10/10/97:  NISS '97, Baltimore, MD; Conf Web page
10/ 6/97:           ETAPS '98, Lisbon, Portugal; Conf Web page; Submissions to Nivat@litp.ibp.fr
10/24/97-10/26/97:  EDOC '97, Gold Coast, Australia; Conf Web page
10/25/97:           IEEE Net Mag Special Issue; submissions to liny@csie.nctu.edu.tw
10/27/97:           SIGMOD/PODS '98, Seattle, Washington; SIGMOD abstracts due
10/28/97-10/31/97:  ICNP '97, Atlanta, Georgia; Conf Web page
10/31/97:           WWCA '98, Tsukuba, Japan; Conf Web page; Submissions due to wwca98-sec@etl.go.jp
10/31/97-11/ 5/97:  WebNet97, Toronto, Canada; Conf Web page
11/ 1/97:           IEEE Personal Communications Special Issue on Mobile Computing Systems and the Web; submissions due
11/ 1/97:           ISCC '98, Athens, Greece; Conf Web page; Submissions to mouftah@eleceng.ee.queensu.ca
11/ 3/97:           SIGMOD/PODS '98, Seattle, Washington; SIGMOD submissions due
11/ 6/97-11/ 7/97:  RBAC97, McLean, Virginia; Conf Web page
11/10/97:           IEEE Network Magazine Special Issue on Active and Programmable Networks; Conf Web page; submissions due to tchen@gte.com
11/11/97-11/13/97:  ICICS '97, Beijing, P.R. China
11/12/97-11/14/97:  Chilean CompSci Soc, Valparaiso, Chile
11/15/97:           SIGMOBILE-REVIEW; Conf Web page; Submission deadline for publication
11/17/97:           SIGMOD/PODS '98, Seattle, Washington; PODS submissions due
11/19/97-11/21/97:  ICCC '97, Cannes, France; Conf Web page
11/28/97:           PKC '98, Yokohama, Japan; Conf Web page; Submissions due to pkc98@imailab.iis.u-tokyo.ac.jp
12/ 4/97-12/ 5/97:  IFIP-IICIS, Zurich, Switzerland; Conf Web page
12/ 8/97-12/12/97:  ACSAC '97, San Diego, CA
12/19/97:           SICON '98, Singapore; submissions due
12/17/97-12/19/97:  ISCOM '97, Hsinchu, Taiwan; Conf Web page
12/29/97:           IEEE-S&P, Oakland, California; Submissions due by mail
12/31/97:           IH Workshop, Portland, Oregon; Submissions due, awk@ibeam.intel.com
 1/ 6/98- 1/ 9/98:  ENCXCS, Hawaii, HI; Conf Web page
 1/16/98:           IFIP/SEC '98, Vienna and Budapest, Austria and Hungary; Conf Web page; Submissions due to rposch@iaik.tu
 1/26/98- 1/29/98:  USENIX Sec Symp, San Antonio, Texas; Conf Web page
 2/ 2/98- 2/ 3/98:  ADC '98, The Levels, South Australia
 2/23/98- 2/27/98:  ICDE '98, Orlando, Florida; Conf Web page
 2/28/98:           ESORICS '98, Neuve, Belgium; Submissions due to Deswarte@laas.fr
 3/ 4/98- 3/ 5/98:  WWCA '98, Tsukuba, Japan
 3/10/98:           IFIP WG11.3, Chalkidiki, Greece; Conf Web page; Submissions due to jajodia@gmu.edu
 3/11/98- 3/13/98:  SNDSS '98, San Diego, California; Conf Web page
 3/20/98- 3/23/98:  ICTSMA '98, Nashville, Tennessee
 3/30/98- 4/ 3/98:  ETAPS '98, Lisbon, Portugal; Conf Web page
 4/ 3/98:           CCS '98, San Francisco, CA; submissions due
 4/15/98- 4/17/98:  IH Workshop, Portland, Oregon
 5/ 3/98- 5/ 6/98:  IEEE S&P 98, Oakland; no e-mail address available
 5/12/98- 5/15/98:  10th CITSS, Ottawa; no e-mail address available
 5/26/98- 5/29/98:  ICDCS '98, Amsterdam
 6/ 1/98- 6/ 4/98:  SIGMOD/PODS '98, Seattle, Washington
 6/30/98- 7/ 2/98:  ISCC '98, Athens, Greece
 7/ 1/98- 7/ 4/98:  SICON '98, Singapore
 7/15/98- 7/17/98:  IFIP WG11.3, Chalkidiki, Greece; Conf Web page
 8/31/98- 9/ 4/98:  IFIP/SEC '98, Vienna and Budapest, Austria and Hungary; Conf Web page
 9/16/98- 9/18/98:  ESORICS '98, Neuve, Belgium
11/ 3/98-11/ 5/98:  CCS '98, San Francisco, CA
 5/ 2/99- 5/ 5/99:  IEEE S&P 99, Oakland; no e-mail address available
 5/11/99- 5/14/99:  11th CITSS, Ottawa; no e-mail address available
 4/30/00- 5/ 3/00:  IEEE S&P 00, Oakland; no e-mail address available
 5/16/00- 5/19/00:  12th CITSS, Ottawa; no e-mail address available

Key:
* ACISP = Australasian Conference on Information Security and Privacy
* ACSAC = Annual Computer Security Applications Conference, 13th Annual
* ADC = Australasian Database Conference, ADC '98
* CCS = ACM Conference on Computer and Communications Security
* CITSS = Canadian Information Technology Security Symposium
* COMPASS = Conference on Computer Assurance, COMPASS '97
* CORBA SW = Workshop on Building and Using CORBASEC ORBS, CORBA SW
* CRYPTO = IACR Annual CRYPTO Conference, CRYPTO97
* CSFW = Computer Security Foundations Workshop, CSFW10, Wrkshp Page
* DASFAA = Database Systems For Advanced Applications, DASFAA '97
* DIMACS Security Ver = DIMACS Workshop on Formal Verification of Security Protocols, '97 workshop
* EDOC = Enterprise Distributed Object Computing Workshop, EDOC '97
* Electronic Commerce for Content II = Forum on Technology-Based Intellectual Property Management, URL
* ENCXCS = Engineering Complex Computer Systems Minitrack of HICSS, ENCXCS
* ENM = Enterprise Networking, ENM '97
* ENTRSEC = International Workshop on Enterprise Security, ENTRSEC '97
* ESORICS = European Symposium on Research In Computer Security
* ETAPS = European Joint Conferences on Theory and Practice of Software
* FMP = Formal Methods Pacific, FMP '97
* GBN = Gigabit Networking Workshop, GBN'97
* HASE = High-Assurance Systems Engineering Workshop, HASE '97
* HICSS = Hawaii International Conference on Systems Sciences
* HPTS = Workshop on High Performance Transaction Systems
* ICAST = Conference on Advanced Science and Technology, 13th ICAST
* ICCC = International Conference for Computer Communications, ICCC '97
* IC3N = Int'l Conf. on Computer Communications and Networks
* ICDCS = Int'l Conf. in Distributed Computing Systems
* ICDE = Int. Conf. on Data Engineering, ICDE '98
* ICI = International Cryptography Institute
* ICICS = International Conference on Information and Communications Security, ICICS '97
* ICNP = IEEE International Conf. on Network Protocols
* ICTSMA = Int'l Conf on Telecomm. Sys. Modelling and Analysis
* IDEAS = Int'l Database Engineering and Applications Symposium, IDEAS '97
* IEEE S&P = IEEE Symposium on Security and Privacy, IEEE S&P '97
* IESS = Int'l Symposium on Software Engineering Standards, IESS '97
* IFIP/SEC = International Conference on Information Security (IFIP TC11)
* IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security
* IFIP-IICIS = First Working Conference on Integrity and Internal Control in Information Systems
* IH Workshop = Workshop on Information Hiding
* INET = Internet Society Annual Conference
* INETCOMP = IEEE Internet Computing (magazine)
* INTRA-FORA = International Conference on INTRANET: Foundation, Research, and Applications, INTRA-FORA
* IRISH = Irish Workshop on Formal Methods, IRISH97
* ISADS = Symposium on Autonomous Decentralized Systems, ISADS '97
* ISCC = Third IEEE Symp. on Computer and Communications
* ISCOM = International Symp. on Communications
* JCS = Journal of Computer Security, WWW issue
* JTS = Journal of Telecommunications Systems, special multimedia issue
* MOBICOM = Mobile Computing and Networking, MOBICOM '97
* NGITS = World Conference of the WWW, Internet, and Intranet, NGITS '97
* NISS = National Information Systems Security Conference, NISS
* NSPW = New Security Paradigms Workshop, NSPW '96
* OSDI = Operating Systems Design and Implementation, OSDI '96
* PKC = Practice and Theory in Public Key Cryptography (PKC'98)
* PKS = Public Key Solutions, PKS '97
* PTP = Workshop on Proof Transformation and Presentation, PTP '97
* RBAC = ACM Workshop on Role-Based Access Control, RBAC '97
* RIDE = High Performance Database Management for Large Scale Applications, RIDE97
* SAFECOMP = Computer Safety, Reliability and Security, SAFECOMP '97
* SICON = IEEE Singapore International Conference on Networks
* SIGMOBILE/REVIEW = ACM SIGMOBILE Mobile Comp. and Comm. Review
* SIGMOD/PODS = ACM SIGMOD Confs on Mgmt of Data / Prin. of DB Systems
* SNDSS = Symposium on Network and Distributed System Security (ISOC)
* SOSP = 16th ACM Symposium on Operating Systems Principles, SOSP '97
* TAPOS = Theory and Applications of Object Systems, special issue Objects, Databases, and the WWW, TAPOS
* USENIX Sec Symp = USENIX UNIX Security Symposium, 8th Annual
* WebNet = World Conference of the Web Society, WebNet 97
* WOBIS = Workshop on Satellite-based Information Services
* WWCA = Int'l Conf. on Worldwide Computing & Its Applications '98

________________________________________________________________________
Listing of Academic (Teaching and Research) Positions in Computer Security
maintained by Cynthia Irvine
________________________________________________________________________

* Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA, Visiting Professor, (9/98)
  http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_prof_ad.html
* Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA, Computer Scientist, (9/21/97)
  http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_97de055.html
* US Air Force Academy Department of Computer Science, Colorado Springs, CO, Professor, (7/98)
  http://www.usafa.af.mil/dfcs/
* Purdue University, Computer Science Department, West Lafayette, IN, Assistant Professor, tenure track, also Assoc. and Full Prof., (2/98)
  http://www.cs.purdue.edu/facAnnounce

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on the Cipher web page and e-mail issues, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

________________________________________________________________________
Data Security Letter Subscription Offer
________________________________________________________________________

A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis.
On occasion, the DSL will be republishing Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material).

IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL), phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA.

NAME:
POSTAL ADDRESS: (Please indicate company name, if a business address)
PHONE: (Please indicate if home or business)
FAX:
E-MAIL:
IEEE Membership No. (if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available. If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via E-Mail to sharon@tis.com or call her at 301-854-5338.

________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). The full and complete form is available on the IEEE Computer Society's Web Server at URL:

   http://www.computer.org:80/tab/tcapplic.htm (print & mail form)
or
   http://www.computer.org:80/tab/Tcappli1.htm (HTML form for form-enabled browsers)

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

--------- IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                    First Name                Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                          State
___________________________________________________________
Country                                       Postal Code
___________________________________________________________
Office Phone                                  Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale (NOT!)
________________________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

Sorry! Strong response has reduced our stocks of old proceedings, and we have closed this year's conference books, so we will not be accepting any more orders until spring 1998.
You may still order current (1997) and some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm. But, if you are interested in a copy of the current or past proceedings of the Computer Security Foundations Workshop, send a note to Josh Guttman at guttman@mitre.org. Pricing is $25 for this year's proceedings, $10 for those from prior years.

Charles N. Payne
Treasurer, IEEE TC on Security and Privacy
Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113 U S A
e-mail: cpayne@securecomputing.com

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Charles P. Pfleeger
Arca Systems, Inc.
6889 Boone Blvd Suite 750
Vienna VA 22182-2623
(703) 734-5611 (voice)
(703) 790-0385 (fax)
c.pfleeger@computer.org

Past Chair:
Deborah Cooper
P.O. Box 17753
Arlington, VA 22216
(703) 908-9312 (voice and fax)
d.cooper@computer.org

Vice-Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100
berson@anagram.com

Newsletter Editor:
Carl Landwehr
Code 5542
Naval Research Laboratory
Washington, DC 20375-5337
(202) 767-3381
landwehr@itd.nrl.navy.mil

Chair, Academic Affairs Subcommittee:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Security Conferences Subcommittee:
Michael Reiter
AT&T Labs
Room A269
180 Park Ave
Florham Park NJ 07932-0971
(973) 360-8349 (voice)
(973) 360-8809 (fax)
reiter@research.att.com

Chair, Standards Subcommittee:
* watch this space *

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server, send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

There is also an anonymous FTP server that contains the same files. To access the archive via anonymous FTP:

1. ftp www.itd.nrl.navy.mil
2. At prompt for ID, enter "anonymous"
3. At prompt for password, enter your actual, full e-mail address
4. Once you are logged in, change to the Cipher Directory: cd pub/cipher
5. Now you can request any of the files containing Cipher issues in ascii. Issues are named in the form EI#N.9708, where N is the number of the issue desired and the suffix (9708 in this example) captures the year and month it appeared.
========end of Electronic Cipher Issue #24, 5 October 1997=============