Subject: Electronic CIPHER, Issue 26, February 9, 1998

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 26                                  February 9, 1998

Avi Rubin and Paul Syverson, Editors
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/

Contents: [3028 lines total]

o Letter from the TC Chair
o Letter from the Editor

Preliminary Program and Registration Information for the 1998 Oakland IEEE Symposium on Security and Privacy

Security and Privacy News Briefs:
o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
o Netscape to make source code freely available
o Vendors of Web browser/server software switching to TLS
o Abraham Sinkov, Cryptanalyst, dies at age 90
o Germany announces eavesdropping legislation

Standards Activity:
o A report by Jeff Schiller on IETF Standards activity
o International update by Mats Ohlin

Commentary and Opinion: Book Reviews
o Privacy on the Line. The Politics of Wiretapping and Encryption. by Whitfield Diffie and Susan Landau, reviewed by Bob Bruen
o Maximum Security. A Hacker's Guide to Protecting Your Internet Site and Network.
by Anonymous, reviewed by Bob Bruen

Conference Reports:
o USENIX Internet Technologies and Systems (USITS) by Alain Mayer
o Tutorials at 7th USENIX Security symposium by Nimisha Mehta
o 7th USENIX Security symposium by Kevin Fu

New reports available via FTP and WWW: a couple
Who's Where: recent address changes
Calls for Papers: ACISP, VLDB, ESORICS, WFMSP, WOMOS, DEXA-SIDIA, DEXA-WBPR, IIIS, ACM CCS, NSPW, ACSAC, IEEE Internet Computing

Reader's guide to recent security and privacy literature
o Conference Papers: FSE98 paper list
o Journal and Newsletter articles: several
o Books: several

Calendar
List of Computer Security Academic Positions, maintained by Cynthia Irvine
Data Security Letter subscription offer
Publications for sale -- CSFW proceedings available
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the TC Chair
____________________________________________________________________

One of the responsibilities of the Chair of the Technical Committee on Security and Privacy is to write an annual report on the activities of the committee. Because this is the first such report I have had to write, it has caused me to think about what this committee does, and so I want to share some of my thoughts with you, our members.

You probably know us best for the "Oakland" conference. This year (May 3-6, 1998) will be the nineteenth annual Symposium on Security and Privacy, held in late spring in Oakland, California. We typically have 200-300 attendees from the U.S. and abroad. Every year seems to bring a fresh idea: poster sessions, five-minute brief presentations of a single topic, new panel topics, a debate, a room for impromptu discussion and debate.
The value of the conference to the attendees is both the technical program and the opportunity for informal technical interactions with colleagues who may be from halfway across the globe (or just as likely from an office two miles away). New members of the field get to discuss ideas with more senior ones, and academics get to share their thoughts with government and commercial professionals.

The quality of the "Oakland" conference is best evidenced by the staying power of its papers. You often find "Proceedings of the 19xx IEEE Computer Society Symposium on Security and Privacy" listed as source for one or more references in technical papers. These proceedings have become a very important collection of fundamental papers in our field, and most major research libraries have the complete set of the proceedings. We continue to experiment with this publication, too, and have seriously considered CD-ROM, the Internet, or some other electronic form. Expect this conference to experiment with new ways to bring you this valuable information.

Our other conference, the "Franconia" or "Foundations" conference, serves a very different need. A group of professionals felt the need for a smaller workshop at which to discuss innovative research ideas. The number of attendees is intentionally kept quite small in order to promote interaction that builds on the ideas presented. Although the conference was held in Franconia, New Hampshire for its first few times, more recently it has moved to other locations, always in a retreat setting that is conducive to the intense exchange of ideas.

Our third and probably most visible product is what you are reading now. Cipher, the newsletter of the committee, is well known as both a newsletter and a living hypertext document. The newsletter is delivered electronically to approximately 2000 people.
Because we have always thought that the best way to attract new members to the technical committee was to show them good things that the committee does, we distribute the newsletter to anyone who requests, members and nonmembers alike. But distributing an issue is not the end: each issue contains a list (actually a link) of upcoming conferences and calls for papers for upcoming conferences in the field. It also contains a list (again, a link) to new addresses of well-known people in the field who have taken new positions or changed addresses. These lists are updated whenever there is new information, so that the version at the web site is usually the most current information to be found anywhere.

Here I have highlighted three of our most visible activities. There is more in the areas of education, standards, and professional development about which I will expand in future issues.

I cannot conclude this report without mentioning how it all happens. Very committed volunteers give their time and energy to make all of these happen. We have always been fortunate to have enthusiastic volunteers; I won't name them here, but I suggest that you pay attention as you read names in this issue of Cipher, the list of officers, or the other postings at our web site. And then I challenge you to consider what you can do to help the technical committee: write an article for Cipher, volunteer on the organization staff for a conference, write a paper, or tell us something else you think we should be doing (and tell us how you will help).

Charles P. Pfleeger
TCSP Chair

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

As you should have noticed, this is the first electronic issue of Cipher without Carl Landwehr's name at the top. Carl has brought forth 25 issues of Cipher since 1994, and in so doing, given the computer security community a great service.
While we have our own ambitions for Cipher, our main one will be simply to maintain the standard he has established. In fact Carl is not gone; he has provided us with much assistance in assembling and distributing this issue, as well as contributing to the current reader's guide. We thank him for all his help.

The last several months have been very interesting from a computer security perspective. A major flaw in Internet Explorer that involved HTML parsing was discovered and promptly patched. The IETF standards body seems to be converging on final versions of the IPSEC and PKCS protocols. Political wranglings over government access to keys and export issues regarding cryptography continue. In other words, business as usual.

We'd like to ask that you keep the contributions coming; this newsletter cannot survive without a steady influx of conference reports, news items and other interesting tidbits from our readers. We note especially that few people have contacted us with new reports available on the Web or by FTP. If you would like your report(s) listed, or wish to otherwise contribute, simply contact us at cipher-editors@research.att.com. Our goal is to serve as editors of this newsletter, so please give us something to edit.

Finally, we'd like to thank our associate editors, Bob Bruen, Hilarie Orman, and Mary Ellen Zurko and our reader's guide organizer, Anish Mathuria.
Avi Rubin and Paul Syverson
Editors, Cipher

____________________________________________________________________
Preliminary Program and Registration Information:
1998 IEEE Symposium on Security and Privacy
____________________________________________________________________

1998 IEEE SYMPOSIUM ON SECURITY AND PRIVACY

May 3-6, 1998
The Claremont Resort
Oakland, California

Sponsored by the
IEEE Technical Committee on Security and Privacy

In cooperation with the
International Association of Cryptologic Research

Symposium Committee
Michael Reiter, General Chair
John McLean, Vice Chair
Paul Karger, Program Co-Chair
Li Gong, Program Co-Chair

PRELIMINARY PROGRAM
Subject to Change

Sunday May 3, 1998

4:00-7:00    Registration and Reception

Monday May 4, 1998

8:00         Registration
8:45         Introductory Remarks

9:00-10:30   Access Control
  Access Control in an Open, Distributed Environment
    Jean Bacon (Cambridge University), Richard Hayton (APM Ltd.), and Ken Moody (Cambridge University)
  Ensuring Continuity During Dynamic Security Policy Reconfiguration in DTE
    Timothy Fraser and Lee Badger (Trusted Information Systems)
  Composing Partially-Specified Systems
    Heather M. Hinton (Ryerson Polytechnic University)

10:30-11:00  Break

11:00-12:00  Java Security
  Secure Execution of Java Applets using a Remote Playground
    Dahlia Malkhi, Michael K. Reiter, and Aviel D. Rubin (AT&T Labs - Research)
  Understanding Java Stack Inspection
    Dan S. Wallach and Edward W.
Felten (Princeton University)

12:00-2:00   Lunch

2:00-3:30    Cryptography I
  Efficient Key Distribution for Slow Computing Devices: Achieving Fast Over the Air Activation for Wireless Systems
    Yair Frankel (CertCo), Chris Carroll and Yiannis Tsiounis (GTE Laboratories)
  Efficient and Practical Fair Exchange Protocols with Off-Line TTP
    Feng Bao, Robert Deng (National University of Singapore) and Wenbo Mao (HP Laboratories, Bristol)
  Asynchronous Protocols for Optimistic Fair Exchange
    N. Asokan, V. Shoup, and M. Waidner (IBM Research, Zurich)

3:30-4:00    Break

4:00-5:00    Panel: Trust Considerations in PKI Systems
  Moderator: Dale Johnson (MITRE)
  Panelists: TBA

6:00-7:30    Reception

Tuesday May 5, 1998

9:00-10:30   Database Security and Biometrics
  Partial Security Policies to Support Timeliness in Secure Real-Time Databases
    Sang Son, Craig Chaney, and Norris Thomlinson (University of Virginia)
  Protecting Privacy when Disclosing Information: k-Anonymity and its Enforcement through Generalization
    Pierangela Samarati (SRI International) and Latanya Sweeney (MIT)
  On Enabling Secure Applications Through Off-Line Biometric Identification
    George I. Davida (Univ. of Wisconsin, Milwaukee), Yair Frankel (CertCo) and Brian J. Matt (Sandia National Laboratories)

10:30-11:00  Break

11:00-12:00  Architectures
  An Automated Approach for Identifying Potential Vulnerabilities in Software
    Anup K. Ghosh, Tom O'Connor, and Gary McGraw (Reliable Software Technologies)
  Detecting Disruptive Routers: A Distributed Network Monitoring Approach
    Kirk A. Bradley, Biswanath Mukherjee, Ronald A. Olsson, Nick Puketza (University of California at Davis)
  Timing Attacks Against Trusted Path
    Jonathon T. Trostle

12:00-2:00   Lunch

2:00-3:30    5-Minute Talks (see below for details)

3:30-4:00    Break

4:00-5:00    Formal Methods I
  Strand Spaces: Why is a Security Protocol Correct?
    F. Javier Thayer Fabrega, Jonathon C. Herzog, and Joshua D.
Guttman (MITRE)
  On the Formal Definition of Separation-of-Duty Policies and their Composition
    Virgil D. Gligor (University of Maryland), Serban I. Gavrila (VDG, Inc.), and David Ferraiolo (NIST)

5:00-6:00    Meeting, Technical Committee on Security and Privacy

Wednesday May 6, 1998

9:00-10:00   Formal Methods II
  Complete, Safe Information Flow with Decentralized Labels
    Andrew Myers and Barbara Liskov (MIT)
  Stack and Queue Integrity on Hostile Platforms
    Prem Devanbu (Univ. of Calif. at Davis) and Stuart Stubblebine (AT&T Labs - Research)

10:00-10:30  Break

10:30-11:30  Cryptography II
  Necessity and Realization of Universally Verifiable Secret Sharing
    Wenbo Mao (HP Laboratories, Bristol)
  Towards Mobile Cryptography
    Tomas Sander and Christian F. Tschudin (Intl. Computer Science Inst., Berkeley, CA)

11:30-12:00  Presentation of Awards and Announcement of New TC Officers


1998 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
REGISTRATION FORM

Name:_____________________________________________
Affiliation:_____________________________________________
Postal Address:_____________________________________________
               _____________________________________________
               _____________________________________________
Phone:_____________________________________________
Fax:_____________________________________________
Email:_____________________________________________

Note: Address information will be distributed to attendees.

Please enter the appropriate registration category. Payment must be included and must be either by check in U.S. dollars, drawn on a U.S. bank and made payable to "IEEE Symposium on Security and Privacy", or by credit card. Dates are strictly enforced by postmark.
Advance registration (up to 28 March 1998)
___ Member, IEEE or Computer Society (Member #__________, required).$310.00
___ Non-Member......................................................$385.00
___ Full-time Student...............................................$100.00

Late registration (from 29 March 1998)
___ Member, IEEE or Computer Society (Member #__________, required).$370.00
___ Non-Member......................................................$460.00
___ Full-time Student...............................................$100.00

Do you wish to present at a poster session or lead an evening discussion? [ ] Yes [ ] No

Do you have any special requirements?_________________________________________

Please indicate your method of payment by checking the appropriate box:

[ ] Check in U.S. funds drawn on a U.S. bank (PLEASE ENCLOSE WITH THIS FORM)

Credit card authorization: (Charges will appear on your statement as made by IEEE COMPUTER SOCIETY. Note: your credit card number will be transmitted to the IEEE over the Internet, using an SSL-protected link.)

    Visa   MasterCard   American Express   Diners Club
    [ ]    [ ]          [ ]                [ ]

Credit Card Number:_________________________________________________________
Card Holder Name:______________________________Expiration Date:_____________
Signature (required for credit card payments):______________________________

Mail registration to:
    John McLean
    Naval Research Laboratory
    Code 5540
    4555 Overlook Avenue, SW
    Washington, DC 20375-5337

Or FAX this form (CREDIT CARD REGISTRATIONS ONLY) to:
    FAX:   +1 202 404-7942
    VOICE: +1 202 404-8888

>>>>SORRY, NO REGISTRATIONS BY EMAIL. NO REFUNDS.<<<<


Five-Minute Research Talks Session
==================================

A continuing feature of the symposium will be a session of 5-minute talks. We want to hear from people who are advancing the field in the areas of system design and implementation, but may lack the resources needed to prepare a full paper.
Abstracts of these talks will be distributed at the Symposium. Authors who submit an abstract for a 5-minute talk should include a title, all authors' names and their affiliations, where appropriate, and text. The whole thing should fit easily on one 8.5" by 11" or A4 page.

Abstracts for 5-minute talks should be sent to Paul A. Karger to be received no later than April 19, 1998 at 6:00 P.M. (EST) at the following address:

    Paul A. Karger, Program Co-Chair
    IBM Corporation
    Thomas J. Watson Research Center
    30 Saw Mill River Road
    Hawthorne, NY 10532
    USA

We will review abstracts and accept as many as we can. Please mark the envelope "IEEE Security and Privacy Symposium - 5 minute Abstracts". If you have questions about the submission procedures, please contact Paul Karger by electronic mail at secprv98@watson.ibm.com or by telephone at +1 (914) 784-7294.


Evening Sessions
================

The 1998 IEEE Symposium on Security and Privacy will accommodate poster sessions and evening discussions. There will be rooms for interested parties to post presentations on work in progress, recent research results, and innovative proposals, or to lead discussions on topics of current interest. These rooms will be available Monday and Tuesday, May 4 and 5. If you are interested in posting a presentation or organizing a discussion on a particular topic, please indicate so on the registration form.


Hotel Reservations - The Claremont Resort
=========================================

The Claremont Resort in Oakland, California is situated in the Oakland-Berkeley hills overlooking the San Francisco Bay on 22 acres of beautifully landscaped lawns and gardens. Facilities include the Claremont Pool and Tennis Club and The Spa at the Claremont. To reach the hotel, allow 35 minutes from the Oakland Airport and 45 minutes from the San Francisco Airport. Bayporter Express (+1 415 467-1800) provides shuttle service from either airport to the Claremont Resort.
The charge is $12 from the Oakland Airport and $13 from the San Francisco Airport, per person one way. Parking is available at the hotel at a cost of $8 per day for guests and a maximum of $9 per day for non-guests.

Hotel reservations must be made under the group name IEEE Symposium on Security and Privacy. The group rate is $121 single, $133 double occupancy, plus 11% tax. These rates are available for the period May 1-8, 1998. The cut-off date for reservations is Wednesday, April 1, 1998. Reservations made after this date will be accepted on a space available basis. Reservations must be accompanied by an advance deposit or credit card guarantee. Individual cancellations will be accepted 24 hours prior to the check-in date. Please be advised the check-in time is after 3:00 p.m.; check-out is 12 noon.

For reservations and information, contact: The Claremont Resort, Ashby and Domingo Avenues, Oakland, CA 94623-0363; Phone: +1 800 551-7266 (7 a.m. to 8:30 p.m., PST) or +1 510 843-3000; Fax: +1 510 549-8582.

====================================================================

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

______________________________________________________________________
LISTWATCH: items from security-related mailing lists (1/30/98)
by Mary Ellen Zurko, The Open Group Research Institute (m.zurko@opengroup.org)
______________________________________________________________________

This issue's highlights are from cat-ietf, tbtf, risks, privacy, http-wg, and ietf-tls.

TBTF had a good writeup on a mailing that claimed that Microsoft does not sufficiently protect encryption keys.
Here's the whole article:

"..A warning on Microsoft (in)security
Basic crypto weakness undermines all claims to security, expert says

Longtime readers know that TBTF has been reporting on security weaknesses in Microsoft's products, particularly Internet Explorer, for more than a year [25]. Now a security expert from New Zealand, Peter Gutmann, has posted a paper [26] claiming that the flaws are so serious that Windows 95 users should entirely refrain from using the Web. Among the problems Gutmann points out is a critical weakness in the way Microsoft software protects (or does not protect) users' master encryption key; this weakness undermines all other encryption components in Web servers and browsers. Gutmann outlines how a cracker could quietly retrieve the private key from a victim's machine and break the encryption that "protects" it in a matter of seconds. The attacker has, Gutmann says, then "effectively stolen [the user's] digital identity, and can use it to digitally sign contracts and agreements, to recover every encryption session key it has ever protected in the past and will ever protect in the future, to access private and confidential email, and so on." TechWeb coverage is here [27].

[25] http://www.tbtf.com/resource/ms-sec-exploits.html
[26] http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt
[27] http://www.techweb.com/wire/story/TWB19980123S0007 "

The author didn't give sufficient detail for me to understand the attack, but it seems to be based in part on the retention of old, flawed mechanisms protecting private keys that were retained for backward compatibility reasons, and in part on the ability to acquire the encrypted form of a user's password and run password guessing on it.

I'm expecting most readers have heard about the sailor accused of being gay based on information that an AOL technician gave a Navy investigator.
Declan McCullagh reported in Risks that AOL admitted that it handed over the sailor's personal information to the Navy without a court order, saying in a statement "This clearly should not have happened and we regret it." Given the heightened interest in privacy repercussions in all sorts of companies (and all the press that the US military's "don't ask, don't tell" policy on gays got a while back), I was quite surprised that the AOL employee made such a mistake.

Lauren Weinstein, PRIVACY Forum moderator, reported on a business service that AT&T offers that allows the business to do a reverse translation of phone number to subscriber name, even for unpublished numbers, even when that number never appeared on the business's bills. Unpublished numbers are usually excluded from other forms of this "upside-down" listing.

Another URL buffer overflow problem that may allow for the execution of arbitrary machine code (http://l0pht.com/advisories.html) was identified in Microsoft's IE, this time for mk:// URLs (earlier, a similar problem was found for res:// URLs). Anyone who's coded secure systems can imagine the problem. For every new URL scheme there's a bunch of new processing code, and a bunch of new programmers who don't know that they shouldn't rely on any stated "legal" limits for URL length.

Someone on the TLS working group list mentioned that Fortify (a program? a company?) modifies the shipping, export approved Netscape Navigator/Communicator with "an easily applied patch" to enable users to use 128-bit encryption with SSL when the server supports it. This gets around the "supercert" restriction imposed by the U.S. government.

Quite a while back (late last summer?), members of the Kerberos community announced that they had been involved with fruitless negotiations with Microsoft directed at assuring that the Kerberos supported in future versions of Microsoft OSes would be "true" standard Kerberos.
Just recently, employees at Microsoft have begun to participate in the Kerberos standards process in the Common Authentication Technology (CAT) working group of the IETF. One of the first issues raised was defining a Kerberos with "exportable" (weak) encryption, which not surprisingly raised a few hackles. One suggestion was that any Kerberos standard supporting weak encryption include the necessity of explicitly warning the user of its weakness.

You can now order a 3-meter resolution photograph of anywhere on earth for a few hundred dollars, from EarthWatch, of Longmont, Colorado. In 1999 they plan on launching satellites with a minimum resolution below 1 meter, which is close to being able to spot people from space.

Risks reported that the Air Force thinks "push-pull" technology is too risky. "Push-pull" technology allows Web users to subscribe to particular kinds of information and get it sent to them in a timely manner. The Risks article gives no technical details on the risk, but includes the quote "Currently, these technologies introduce security risks and impact data throughput on our networks than cannot be tolerated." The latter is certainly true; I've heard places like HP are beginning to warn users about the performance degradation in the morning when everyone logs on. I suppose there's also concern about sending active code this way, which might be part of the security concern.

Discussions on just what Digest Authentication is supposed to be heated up again on the IETF's HTTP working group list. Digest was initially proposed as a replacement for Basic authentication that does not expose passwords on the net. Of course, there are many other risks that an authentication protocol can address (Man In The Middle being the one that comes up the most in this context), and Digest has been pulled in a variety of directions which have slowed down its definition (and perhaps its use).
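To make the Basic-versus-Digest distinction in the item above concrete, here is an added example (editor's illustration, not part of Mary Ellen Zurko's column or of any IETF text): it implements Digest in its original RFC 2069 form (MD5, server nonce only, no qop or client nonce) beside a Basic header, with the realm, URI, user name and passwords all constructed for the demonstration.

```python
"""Basic vs. Digest HTTP authentication, in the RFC 2069 shape (MD5, server nonce only).

Illustration only: the realm, URI, user name and credentials below are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import secrets

REALM = "cipher.example"   # constructed realm name


# --- Basic: the password crosses the wire base64-encoded, i.e. in the clear -------------

def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_recover(header: str) -> tuple[str, str]:
    """What anyone who observes the header can do: decode it back to user and password."""
    token = header.split(" ", 1)[1]
    username, password = base64.b64decode(token).decode().split(":", 1)
    return username, password


# --- Digest: only an MD5 hash bound to the server's nonce crosses the wire ---------------

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = H(username:realm:password); the server keeps this, never the password itself."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069 response = H(H(A1):nonce:H(A2)) with A2 = method:uri."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal verifier. Nonces are single-use here so a captured response cannot be
    replayed (RFC 2069 leaves nonce lifetime to the server; one-shot is the strictest choice)."""

    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        # Provision H(A1) per user; the plaintext passwords are not retained.
        self.ha1_by_user = {u: digest_ha1(u, realm, p) for u, p in users.items()}
        self.outstanding: set[str] = set()

    def challenge(self) -> dict[str, str]:
        """WWW-Authenticate parameters sent with a 401."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, username: str, nonce: str, method: str, uri: str, response: str) -> bool:
        """Check an Authorization: Digest header. Consumes the nonce whether or not it verifies."""
        if nonce not in self.outstanding:
            return False                      # unknown, expired or already-used nonce
        self.outstanding.discard(nonce)
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, nonce, method, uri)
        return secrets.compare_digest(expected, response)


def run_exchange(password_offered: str) -> dict[str, bool]:
    """One client/server round trip for the constructed user 'alice' (real password 'CircleOfLife').

    Returns which properties held, so they can be asserted rather than read off a printout."""
    server = DigestServer(REALM, {"alice": "CircleOfLife"})
    method, uri = "GET", "/private/index.html"

    # 1. Client asks for the resource; server answers 401 with a fresh challenge.
    chal = server.challenge()

    # 2. Client derives the response from its password plus the challenge.
    ha1 = digest_ha1("alice", chal["realm"], password_offered)
    response = digest_response(ha1, chal["nonce"], method, uri)

    # 3. Server verifies.  4. The same header is presented again, as an observer would replay it.
    first = server.verify("alice", chal["nonce"], method, uri, response)
    replay = server.verify("alice", chal["nonce"], method, uri, response)

    return {
        "accepted": first,
        "replay_accepted": replay,
        "password_on_wire": password_offered in response,   # the header carries only the hash
    }
```

What the exchange does not give is resistance to offline guessing: anyone who records a nonce and response can test candidate passwords against them, so Digest protects the password in transit only as well as the password itself resists guessing.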
After much discussion, the working group again affirmed Digest's original charter, and maybe someday all our Web passwords will be cryptographically protected in transit.

____________________________________________________________________
Netscape to make source code freely available
____________________________________________________________________

On Jan. 23, Netscape announced that by the end of March, it would begin giving away the source code of its popular Communicator suite of Internet software products, including its Navigator World Wide Web browser. The company also announced that it would give away the retail version of its Communicator products and would allow other companies to customize and distribute them free as well.

This has the potential to radically shake up the web as we know it. Developers will be able to customize their web applications by altering the client environment. There are also many security concerns. For example, it will be easy to create and distribute trojan horse versions of the Netscape browser.

____________________________________________________________________
Web browser and server vendors shifting to TLS
____________________________________________________________________

C2Net Software announced the first implementation of the IETF standard TLS 1.0 (Transport Layer Security) at the RSA Data Security Conference on January 12. According to an article in Network World on 1/19/98 both Netscape and Microsoft are planning on transitioning to TLS 1.0 from the currently used SSL 3.0 (Secure Sockets Layer) in their next generation of Web products. TLS itself is not backwardly compatible with SSL, although products are expected to remain so. Among other things TLS requires the use of strong crypto, stronger than exportable under current US export laws. US vendors will thus need to produce domestic and exportable versions of their products unless the law changes.
C2Net's implementation was not produced in the US, hence is not subject to export restrictions.

____________________________________________________________________
Cryptanalyst Abraham Sinkov dies at age 90
____________________________________________________________________

Abraham Sinkov, one of the legendary cryptanalysts of WWII, died January 19 in Mesa, Arizona. He was one of the four original "codebreakers" of Friedman's US Army Signal Intelligence Service in the 1930s. He was instrumentally involved in breaking many of the Japanese codes during WWII and went to Bletchley Park in England to exchange US expertise on the Japanese PURPLE Code for British expertise on the German Enigma. He served at high levels of the NSA until his retirement in 1963, after which he taught mathematics at Arizona State University. He was author of the classic Elementary Cryptanalysis, which is still in print more than thirty years after its publication.

____________________________________________________________________
Germany announces eavesdropping legislation
____________________________________________________________________

On January 8, the German government announced legislation that would permit electronic surveillance of individual homes. The law permits eavesdropping by police after obtaining permission from the courts. Since WWII, Germany has had very strict regulations on invasion of personal privacy by the government. Personal data protection laws have been in place since 1970. Since 1994 telephone wiretaps have been legal. The current law would allow the placement of listening devices under much broader circumstances than previously. Journalists are concerned about implications for freedom of the press, while law enforcement officials are encouraged about an increased ability to combat organized crime.
____________________________________________________________________
STANDARDS ACTIVITY
____________________________________________________________________

____________________________________________________________________
IETF Update by Jeff Schiller
____________________________________________________________________

State of the IETF Security Area (Highlights)

The Security Area of the IETF works on security related protocols. The Area also works with other protocol development areas to ensure that Internet Protocols contain appropriate security features. The Security Area contains several working groups. Information on these groups and their charters can be found at the IETF Web Page at http://www.ietf.org.

Here are some of the highlights in the security area:

PGP/MIME and S/MIME

With the recent creation of the S/MIME working group, there now appear to be two different groups taking two different approaches to providing secure e-mail. Both PGP/MIME and S/MIME purport to offer security services for MIME based e-mail messages. As its name implies, PGP/MIME is technology based on the popular Pretty Good Privacy (PGP) program created by Phil Zimmermann. PGP uses its own key formats and implements the notion of a "Web of Trust" model of key certification. S/MIME is an extension of the work sponsored by RSA Data Security. It makes use of PKCS format messages and X.509 Certificates (as profiled by the IETF X.509 Public Key Infrastructure Working Group).

Why two directions? One of the lessons that the IETF has learned in its attempts to standardize some form of secure e-mail is that it is very hard to meet everyone's requirements for secure e-mail. One important set of requirements revolves around the need for authenticated e-mail, complete with non-repudiation. However the machinery and mechanism required to provide these services makes it difficult to design a "bottom up" system.
Authentication in this realm leads to Certification which in turn means Certifying Authorities with all of the appropriate mechanism (both technical and legal) that is required. This is the path that is implied by the S/MIME cultural community.

However another important set of requirements revolves around privacy and bottom up deployability. Put simply, if two people wish to communicate in private e-mail, why do they need to have an installed CA Infrastructure in common? This area has been where PGP has found significant success.

Both paradigms are correct, in their domain of application. History has taught us that attempting to come up with one solution for both domains is very hard. This has led to the situation we have today.

A reasonable question to ask is "Why can we not have one message format for both requirement sets, do we really need totally separate protocol development?" The answer is "Yes... but." Indeed I can envision a single message protocol that would suit the needs of both groups and perhaps we will evolve to that point (although both groups are relatively new to the IETF, we hope that cross-fertilization may result). However as Security Area Director, it was my call that attempting to get the one-true-format would result in yet additional delay in the development of standards in this general area. One of my thrusts has been "get it done." The Internet badly needs security technology and we desperately need to deliver it, even if we have to make some tough choices along the way.

IPSEC

The IP Security Working Group continues to make progress toward standardizing ISAKMP. This is an important milestone for it permits vendors to build standards compliant IP Security Products without having to resort to manual key management.

Encumbered Technology and the "Munich Doctrine"

The IETF has traditionally always favored unencumbered technology over encumbered (patents, trade-marks, etc.) technology.
However we have on occasion standardized protocols that required the use of encumbered technology, the theory being that it is OK to use encumbered technology when the alternative is significantly less useful (or doesn't exist). Public Key Encryption technology fell into this class. Until the Diffie-Hellman patent expired, all public key technology was encumbered within the United States. However the Diffie-Hellman patent has now expired. This means that there is a public key technology (including variants of Diffie-Hellman such as the Elgamal cipher system) available world-wide without intellectual property encumbrances. RSA remains patented in the United States (but not elsewhere).

So the question comes up, should we continue to make standards which require the use of RSA given an unencumbered alternative? The consensus of the IESG was that indeed we should encourage the use of unencumbered public key technology. However to ensure that we were not out in left field, I asked the plenary meeting of the IETF at the Munich meeting in August whether or not this was a viable direction (the question was asked in a more neutral fashion; specifically the group was asked whether or not the IETF should insist on unencumbered public key technology). A clear majority agreed that we should build standards on unencumbered technology. This has since been referred to informally as the "Munich Doctrine."

Upcoming Challenges

One of the critical challenges facing the Security Area, and indeed the rest of the IETF, is how we integrate security technology into protocols. The most recent issue on this front has been how to perform authentication in applications. One of the outcomes of the most recent IAB Security Workshop has been a call to remove plaintext passwords from IETF protocols. Yet the providing of a name and password (often in the clear) has been the traditional means for protocol authentication.
The Applications area is in a bind because most systems that make use of strong authentication either require an infrastructure that doesn't exist or is difficult for customers to install (technology that isn't usable isn't helpful!). Over the next several months I expect to be spending significant effort in this area along with others as we grapple for a solution.

____________________________________________________________________
International update by Mats Ohlin:
____________________________________________________________________

o A lot of activity goes on in ISO/IEC JTC 1/SC 27 IT Security. SC27 regularly issues an overview of ongoing projects within the SC in its Standing Document SD7: http://www.iso.ch:8080/jtc1/sc27/27sd797b.htm
  See also the parent SC27 home page: http://www.iso.ch:8080/jtc1/sc27/

o The Gamma Inc web page contains info on British activities, which includes pointers to the SC27 pages as well as a number of WG3 (Security Evaluation) documents: http://www.gammassl.co.uk/ist33/index.html

o An excellent overview is the EU/DGXIII/OII page: http://www2.echo.lu/oii/en/secure.html

o See also info on ECMA TC36-TG1 activities: http://www.r3.ch/ecma/index.html

____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
Privacy on the Line. The Politics of Wiretapping and Encryption,
reviewed by Bob Bruen, Cipher Book Review Editor
____________________________________________________________________

Whitfield Diffie and Susan Landau. Privacy on the Line. The Politics of Wiretapping and Encryption. MIT Press 1998. 342 pages. Bibliography, index and endnotes. $25.00 ISBN 0-262-04167-7.
LoC KF9670.D54

The issue of encryption use by private citizens was pushed into the public eye after Phil Zimmermann was placed under threat of indictment resulting from the release of Pretty Good Privacy (PGP). The indictment threat was withdrawn and the public stopped paying much attention to it. It was replaced by the threat of the Computer Decency Act (CDA) as the focus of attention. Now that threat has been pushed back, so the focus seems to be somewhat diffused. The underlying problem has not received the attention it deserves. These two events (and a few others) are merely instances of the most serious threat to the American way of life since the Civil War. The threat is to our right to privacy in our communications with one another. The right to privacy is not mentioned explicitly in the Constitution, but it falls within the penumbra (shadow) of the rights that are explicit. There has been a constant and continuing effort by various agencies of the Federal Government, law enforcement and state governments to chip away at this right. These efforts have been resisted by a number of groups through legal challenges and media publicity. The battle is raging, but it does not appear that most of the citizens in America realize the extent of the consequences of this war. It is the difference between a police state such as George Orwell envisioned in his novel 1984 (perhaps as demonstrated in East Germany and the former Soviet Union without quite the high tech capability) and a free society as envisioned by the framers of our Constitution.

The very future of our society is at stake, but in order to understand just how serious the threat is, one must understand technical ideas such as encryption, computing and networks. There are many good books available on these topics, but they are not truly accessible to the average citizen because the technical information is difficult and there is not a connection to their everyday lives.
Moreover the issues are clouded by struggles over pornography and free speech. The vacuum has been filled by Mr. Diffie and Professor Landau. He is known as the inventor of public-key cryptography and she was primary author of the 1994 Association for Computing Machinery report, "Codes, Keys, and Conflicts: Issues in US Crypto Policy." There is no question on their qualifications to speak on this issue. This book is well researched with an extensive bibliography that includes not only the expected books and articles, but also government reports, FBI memos and Congressional testimony. This is a straight-forward presentation of just how much of a problem we all have. FBI director Louis Freeh will not like this book, nor will the NSA, but anyone who is concerned about their privacy and freedom will be grateful for the clear detailing of the threat.

This loss of our ability to have encrypted communication will be an unrecoverable one. It would be the same as if the South had won the Civil War and slavery was legal today. The major difference would be that all of our citizens will be enslaved instead of just a particular group. There is no other issue today that will have as much of an impact on our future freedom as this one. Using FBI memos, documents and testimony, the authors bring out the fact that the FBI is willing to say just about anything to get a law passed that makes the use of encryption by private citizens illegal. The history of the NSA's dealings with other government agencies shows how they have tried to control the debate and the rules concerning encryption. These agencies have determined that encryption is of major importance and I believe they are correct. Diffie and Landau make this case in such a masterful manner that you cannot read the book and not walk away with this conclusion.

I think this is one of the most important books published on privacy because it pulls together all the relevant information in one very readable place.
The issues of cryptography, privacy, law enforcement, national security and wiretapping are all brought together in an orderly, coherent work that is well written enough to be an enjoyable read and shows no signs of over-dramatization. But when you are done, the overall effect is powerful. As an example, the value of wiretapping is often used as a justification to control the use of encryption. The authors use government reports to demonstrate that the actual value is quite low, limited to a few well publicized cases. In many cases the real tool was the use of bugs, not wiretaps, which of course has little to do with encryption. Wiretaps, new technology and the legal approach to encryption use control are just the building blocks for the surveillance society of tomorrow.

One of the most important features of the book is the step by step history of the attempts to pass laws by the NSA and the FBI. Quotes are given by people like National Security Advisor Brent Scowcroft in 1991 where he refers to an attempt "...to seek a legislative fix to the digital telephony problem" and "Success with digital telephony will lock in one major objective; we will have established a beachhead we can exploit for the encryption fix..." This is a clear indication that there is a plan to eliminate our rights to private communication.

I suggest that this book should be considered urgent reading and should be widely circulated. It could be the one that wakes everybody up.

____________________________________________________________________
Technology and Privacy: The New Landscape
Reviewed by Bob Bruen, Cipher Book Review Editor
____________________________________________________________________

Philip E. Agre and Marc Rotenberg (eds). Technology and Privacy: The New Landscape. Cambridge: MIT Press, 1997. 325 pages. Name index and subject index. Composed of 10 papers and introduction. ISBN 0262-01162-x LoC QA76.9.A25T43 $25.00

Table of Contents:
0. Philip Agre. Introduction
1. Philip Agre.
   Beyond the Mirror World: Privacy and the Representational Practices of Computing.
2. Victoria Bellotti. Design for Privacy in Multimedia Computing and Communications Environments.
3. Colin J. Bennett. Convergence Revisited: Towards a Global Policy for the Protection of Personal Data?
4. Herbert Burkert. Privacy-Enhancing Technologies: Typology, Critique, Vision.
5. Simon Davies. Re-Engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity.
6. David H. Flaherty. Controlling Surveillance: Can Privacy Protection Be Made Effective?
7. Robert Gellman. Does Privacy Law Work?
8. Viktor Mayer-Schonberger. Generational Development of Data Protection in Europe.
9. David J. Phillips. Cryptography, Secrets, and the Structuring of Trust.
10. Rohan Samarajiva. Interactivity As Though Privacy Mattered.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

"Privacy is the capacity to negotiate social relationships by controlling access to information about oneself" (from the dust jacket) is a far cry from privacy as the "right to be let alone" as described by Louis Brandeis and Samuel Warren in their 1890 landmark paper "The Right to Privacy." But 107 years later the issue of privacy has moved just as far or even farther. In fact, in the past decade the issue has moved as far as in the last 100 years, mainly as a consequence of technology. As with the usual advances in technology, information moves faster, gets collected in larger quantities and is analyzed in more detail. This excellent collection of papers is right on the mark presenting the policy problem from various vantage points. Almost all the papers have useful references in the form of endnotes or bibliographies.

Agre's introduction starts off listing all the things the book is not, such as a source for genetic, medical, international, etc. privacy issues. Privacy is a big area for which there are other books that cover these issues.
The New Landscape attempts to help "frame the new policy debate," which I think it does. The introduction not only summarizes the papers in the book, but also provides good insight into each topic. What I took away from the book was a sense that the issues are international with important differences in approaches from the US. One cannot ignore the potential difficulties inherent in fundamental approaches to privacy between our closest world partners in Canada and Europe. Nor can one ignore the potential threats in the Internet's lack of respect for international boundaries. The death of privacy was declared by Time Magazine on August 25 of this year, but since it was at the personal level we need to also look at the larger consequences at the international policy level. There is no end to the sources of problems as technology not only gets better, but more of it gets into the hands of more people. For what it is worth, people are pretty much the same. Technology just gives them better tools to do whatever it is that they do. A quick look at history shows a mixed bag of good, bad and indifferent. While the range of the New Landscape is intended to be somewhat narrow, there is still a broad enough range in the papers to be interesting and balanced.

The best chapter is Cryptography, Secrets and Trust by David Phillips. The crypto summary was well done and interesting, but I especially liked his discussion of the structure of trust. He sets up a good baseline that makes the jump from technology to policy. His references contain the right choices for such a paper. He did not say it, but he gives cause for concern that not only will privacy disappear, but so will trust as we understand it.

Burkert's paper on privacy enhancing technologies (PET) provides another dimension in which personal identity is protected.
He first lays out a starting point for a typology of interactions that could be subject to protections by technology, then critiques PET design as it exists today. The problems raised by him are well worth thinking about: anonymity, trust and identity.

The papers by Bennett, Davies and Mayer-Schonberger cover Europe in a helpful way. Europe's approach overall is to provide better individual privacy protection than the US, where private information is a commodity to be bought and sold, which gives rise to the strange notion that the right to privacy can be a commodity as well. Even though Europe is working towards a coherent privacy approach, the usual local differences are still making it a rocky road for them.

The Canadian contributions are from Flaherty and Samarajiva, both of which emphasize surveillance. Flaherty is an academic who became the first Information and Privacy Commissioner for British Columbia. He offers a unique perspective on how the rules are being written today. He is critical of the US approach because the federal government seems to prefer being sued to making any real progress, rather than taking the initiative to protect its citizens. Samarajiva's paper discusses a project in Quebec called UBI (Universal, Bidirectional, Interactivity) which intends to create an electronic mall providing commercial services to the homes of subscribers. The service will be free to subscribers, but information will be easily collected about buying habits. The fears of private industry's surveillance should surpass those of government surveillance.

Bellotti's paper is also about surveillance in private industry, at Apple. The work was done as research about how visual media affects people. Some of the first attempts seem clumsy, as in the public coffee stand, and some of the attempts seem successful, as in offices where users have some control.
Surveillance generally brings about thoughts of illegal activity, but as shown by this book, there is a fair amount of surveillance of legal and sometimes uninteresting activity.

The law has its due in Gellman's paper, which asks if it works. Privacy law does exist in the US, but it is a patchwork that is constantly under attack. How many people realize that the infamous "Deadbeat Dads" law passed in 1996 gave the FBI permission to gather up data on every person who gets a new job after October 1, 1997? Remember the CDA? Gellman does a good job presenting some history as he tries to answer his question.

Lastly, Agre's chapter on the Mirror World is an historical look at privacy and PETs going back to 1910 and then progressing to today. He demonstrates effectively how the thinking of pre-computing days has been passed down to our current thinking and why it is important to understand it.

This is a well constructed, interesting and useful book. It helps to expand the notion that all that matters is the technical side of things to a more properly balanced approach that includes policy making and social change. Definitely recommended.

____________________________________________________________________
Maximum Security. A Hacker's Guide to Protecting Your Internet Site and Network
Reviewed by Bob Bruen, Cipher Book Review Editor
____________________________________________________________________

Anonymous. Maximum Security. A Hacker's Guide to Protecting Your Internet Site and Network. Indianapolis. Sams.net Publishing. 1997. ISBN 1-57521-268-4. $49.99. 885 pages. CDROM included. Index. Appendices. Seven major sections, 31 chapters.

The author of this book prefers to remain anonymous because, he says, he was convicted in the late 1980s for financial crimes after developing a method to circumvent automatic teller machines. He now works in the security field and specializes in breaking into systems and providing reports to the owners.
This sounds like a good background for such a book as this. Since I have no way to verify if this is true or just a good marketing technique, I will take him at his word and concentrate on the book.

The book is long, but it is not unusual for security related books to be this long. Moreover, the appendices and index are about 120 pages, the first 160 pages are background for the true novice (hacker vs. cracker and what is TCP/IP? topics), and there is a 25-page section on the law at the end, all of which puts the useful text at a readable level. The remaining four sections are Tools, Platforms and Security, Beginning at Ground Zero, and The Remote Attack. All are filled with good straight-forward explanations and pointers to code, papers and other information. In fact, there is probably an average of a web site per page, although I did not actually count them, but it represents a fair amount of research. I checked out several of the references including the C source for a good sniffer program. If you are a new systems administrator you may find yourself a bit depressed by the overwhelming problems coupled with freely available code to take advantage of these problems. At least the book offers methods to cope with the problems.

The Tools section has six chapters: Scanners, Password Crackers, Trojans, Sniffers, Techniques to Hide One's Identity and Destructive Devices. There are almost 200 pages of hacker tool information - reason enough to buy the book, unless you want to do the research yourself, and all but one chapter has additional resources listed at the end.

The Platforms and Security section is more comprehensive than most security books. The first chapter is all about holes, then a chapter each on Microsoft, Unix, Novell, VAX/VMS, Macintosh and Plan 9. The VMS chapter is a bit dated (the author explicitly states this), but it is good history and most books ignore it completely to focus on Unix.
NT is brought up in the Microsoft section in anticipation of the expected penetration into the desktop market. Macintosh was a bit of a surprise to see, but some people still need to protect them from attack. Plan 9 from Bell Labs was unexpected for such a book since it is not all that commonplace. The author makes a good case for including it. It has no root that can be compromised. If you are interested in examining one approach to stopping hackers & crackers then Plan 9 is worth looking into, although since it is the property of AT&T it is not free.

A short section is next discussing the importance of root, breaching a server internally and a little about security consultants. The last of the core sections discusses various aspects of remote attacks. The problem is spelled out with definitions which break out the different levels that are possible. Other chapters cover firewalls, spoofing, telnet-based attacks and a handy chapter on languages. This last chapter brings to light the good and the bad about C, Perl, Java and others, even ActiveX, in an even-handed manner, although it is clear where the author's biases are.

If you need to worry about securing your site (and who doesn't?), this is a worthwhile purchase and a worthwhile read. If you are experienced in security a certain amount may be redundant, but there are lots of pointers that should provide something new. The CD has some useful stuff on it as well to save you the trouble of tracking it all down. If you already have a sniffer, you might want to compare several others that are mentioned. If you have not given too much thought to just what is out there, this book will fix that problem.

______________________________________________________________________
CONFERENCE REPORTS
______________________________________________________________________

______________________________________________________________________
USENIX Symposium on Internet Technologies and Systems (USITS)
Monterey, California, Dec.
8-11, 1997, by Alain Mayer.
______________________________________________________________________

The first USITS was held in Monterey, CA from December 8-11, 1997. It was the brainchild of Carl Staelin (HP Labs) and Fred Douglis (AT&T Labs). It was attended by about 200 people from academia, industrial research laboratories, ISPs, and Internet companies. Given the success of this first meeting, USITS is likely to become a regular event, probably every 18 months or so.

The keynote was given by Heide Heiden, senior Vice-President of UUNET Technologies. He started with a brief history of the Internet, from the prehistoric five nodes forming the early ARPANET to the World Wide Web of today. He then focused on the bandwidth problem of today. The capacity of UUNET's backbones will increase by a factor of 1000 for the period of 1996 - 2000. This unparalleled growth makes it impossible to plan ahead more than a year. For example, UUNET does not know for sure what exactly their main hubs will look like 18 months from now! Their chief scientist, O'Dell, said "if you are not scared by this, you do not understand what is going on"!

The refereed paper sessions spanned a wide range of interesting topics, such as Web caching, server architectures, and searching. We will focus in this note on the session on security.

The paper by Gong, Mueller, Prafullchandra, and Schemers (all of JavaSoft) introduced the security architecture of JDK (Java Development Kit) 1.2, which will be released in early 1998. JDK 1.0.2 introduced the (by now well known) sandbox model, where downloaded code (applets) can access only very limited resources on the client's machine. JDK 1.1 had an all or nothing approach, where signed applets were treated as (a client's) local code, while unsigned applets were restricted to the sandbox. JDK 1.2 now introduces fine-grained access control, configurable security policies, and extensible access control structures.
In a nutshell, a security policy defines the set of permissions of each downloaded applet depending on the set of principals which signed the applet. A permission, for example, is access to a particular file on the client machine. The authors expect that there will be a software layer between the JDK and the end user which provides the user with a choice of pre-defined, sensible security policies.

The paper by Poger and Baker (both of Stanford University) described SPINACH (Secure Public Internet ACcess Handler), a system that controls access to computer networks via publicly accessible LANs. The new Stanford Computer Science building has a number of public ports, from which only authorized users should be able to tap into the department and university networks. SPINACH provides access control to these networks via a self configuring router, controlling per-user accesses from the public subnet to a private one. It also provides a mechanism for users to prove themselves as authorized so that they can have full network access. The design of SPINACH took care that only standard protocols and software are used, and it requires only minimal software on users' machines.

The paper by Matias, Mayer, and Silberschatz (all of Bell Labs / Lucent) considers a new security framework for low-cost transactions which execute in the context of an ongoing, extended client-server relationship. For example, a Web-site which offers personalized and authenticated stock quotes to each of its subscribers. The framework is focused on minimizing the cryptographic costs on the server side and at the same time enabling mobility on the client side via transparent key management. Cryptographic costs on the server are currently a central issue as people realize the cost of protocols such as SET. Even SSL, in the case where a client changes machines and a new handshake is required, carries non-negligible cost.
At the same time, clients increasingly move from PCs at work to laptops when traveling and, in the future, to Internet kiosks in airports and hotels. Thus, client mobility is definitely required. The authors suggest that this new framework could be used on VPNs and Intranets, or, alternatively, could be integrated into SSL, making it less expensive for servers and enabling mobility for clients.

________________________________________________________________________
USENIX Security Symposium VII Tutorials
by Nimisha Mehta
________________________________________________________________________

This year the four-day USENIX Security Symposium took place in San Antonio, Texas. The program chair was Avi Rubin of AT&T Labs-Research. There were 708 people who attended the conference this year. The overall impression of the people I met (mostly from the research community) was that this year's symposium seemed to be more technically rounded than that of previous years and included more interesting talks and papers. The main topics covered in the technical section included intrusion detection, crypto, CAs, access control, and web security.

The tutorials provided an in-depth look at a particular topic taught by a champion in the field. Here we will briefly cover the tutorial on certification by Carl Ellison from CyberCash, Inc. and the tutorial on cryptography by Bruce Schneier of Counterpane Systems. There were several other tutorials that I did not attend.

The half-day tutorial on certification, entitled "Certification: Identity, Trust, and Empowerment," provided a broad overview of the history, philosophy, and deployment of public key certificates. First, Ellison covered the historical development of public key certificates from Diffie and Hellman's early papers on public keys in 1976, to Kohnfelder's MIT thesis in 1978, to the notion of global identity certificates as with X.500 and X.509 in the late 1980s.
He spoke about how the advocates of X.500 certificates dreamt of having a global directory (i.e. a telephone book) binding all people and their certificates. However, this failed because of the non-technical yet fundamental problem of confidentiality, where certain organizations cannot reveal the identities of their employees. He then talked about the more recent developments in the early 1990s, from PEM (privacy-enhanced email) to PGP and SSL. PEM, needing a global hierarchy of names, failed for the same reasons as X.500. However, RIPEM, not needing certificates, is more widely deployed than PEM. PGP, developed by Phil Zimmermann in response to the FBI's request for having access to all information passed in the cleartext, is used worldwide for securing email, while SSL is widely used for securing Web transactions. However, Ellison complains that there is no real trust management engine when using SSL. The certificates are merely toll booth certificates where the user is not informed about the server other than it having a certificate from e.g. VeriSign. SPKI, on the other hand, is based on an authorization model, where certificates carry permissions along with the names. This, Ellison believes, gives meaning to the certificates and would be a step forward from the current toll booth certificates. He envisions that there would be as many issuers as there are entities; e.g. different issuers for accessing medical files, for writing prescriptions, and for trespassing behind the firewall.

He then went on to discuss the overall issues with Trust and Empowerment. He warned us that CAs only focus their attention on trusting the strength of the cryptographic algorithms, trusting the legal support, and trusting the procedures for revocation, reissuance, and unique identification. However, they do not address how one goes about trusting the issuer to grant permissions.
He advises that one always needs to ask whether the issuer of the certificate is empowered with that authority. For example, in the PICS system one needs to decide whether the page was rated by a trusted rating service.

The other big issue he discussed was that of Identity: how does one go about naming the correct entity? His basic recurrent message was that having global names is not the correct approach, since that requires human guesses as part of the security protocol in order for users to distinguish between computer generated unique identifiers. He instead supports the local name space approach introduced in the SDSI model by Rivest and Lampson at MIT. The basic idea of SDSI is that each user maintains his/her own local name space and these name spaces are linked together by referring to names in other name spaces. In Ellison's words, "SDSI did for security for namespaces what Einstein did for physics", noting that Einstein replaced the notion of global space and time with that of local ones relative to the observer.

Overall, this tutorial is recommended for those who want a general overview of the history and future of public key certificates and to clarify any false notions of certificates. The main messages were 1. we do not really need a global PKI in order to enable electronic commerce, 2. local name spaces are more secure than global ones, 3. certificates that bind authorization provide a more trustworthy approach, and finally, 4. certificates do not bind a public key to a person, but rather a name string to a public key.

The cryptography tutorials consisted of two half-day tutorials by Bruce Schneier. The first half focused on the basics of cryptography and surveyed the various encryption algorithms for symmetric cryptography, public-key cryptography, one-way hash functions, and random number generation, and covered a few current cryptographic protocols.
The second half talked about how cryptography is used on the Internet for electronic commerce, secure email, trust management, and IP security. Here I will mainly discuss the proceedings of the first half.

He first described the standard secret key algorithms including DES, IDEA, Blowfish, RC5, CAST, and Skipjack. He recommended using Triple-DES if possible, otherwise IDEA, RC4, or Blowfish. He announced that a new standard AES (Advanced Encryption Standard) will be chosen by NIST in 1999 from the submissions they receive. He then discussed the difficulty of generating a stream of random numbers. Any deterministic method for generating a stream of data will *not* generate random numbers. Most pseudorandom generators use some sort of a secret seed. However, once the seed is determined the stream can be easily reproduced. He noted that some Berkeley graduate students had cracked the random number generator used by Netscape.

Cryptanalysis is the study of breaking codes. He compared differential and linear cryptanalysis. Both can be protected against by increasing the number of rounds and using random and large S-boxes. On the other hand, the only defense against brute-force cryptanalysis is having a long key. Currently, it can take only 3.6 hours to break a 56-bit key and 38 days to break a 64-bit key given a $1M computer. He predicts that for every five years into the future, one should assume the attack will be either ten times faster or ten times cheaper. However, he advises not to feel that cryptography will solve all our problems. For example, it is easier to implement algorithms and protocols correctly than it is to handle and manage the private keys securely.

As for public-key algorithms, he notes that although RSA depends on the difficulty of factoring numbers, our ability to factor has been doubling every ten years.
He also briefly mentioned that it is too early to tell about the future of elliptic curves, since researchers have not yet proved that we will not find a subexponential-time algorithm to solve the discrete logarithm problem. He advises that in choosing an algorithm, you need to decide what the value of your secret is and how long it should remain secure. The main messages delivered in both halves of the cryptography tutorials were:
1. "the problem with bad cryptography is that it looks just like good cryptography",
2. it is prudent to prepare for the worst,
3. the social problems are much harder than the mathematics,
4. the solution is different for each consumer depending on their specific needs, and
5. "if you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography."

________________________________________________________________________
USENIX Security Symposium VII
by Kevin Fu
________________________________________________________________________

Invited Talk: The Security Product Market: Trends and Influences
Marcus J. Ranum (Network Flight Recorder, Inc.)

Clad in western-style boots and wearing just-out-of-bed hair, Marcus Ranum spoke about money and its effect on the security industry. Known for his work on firewalls, Marcus now serves as president and CEO of Network Flight Recorder, Inc. and chief scientist at V-ONE Corporation. Marcus gives a disclaimer that his opinions could be right or wrong. Use his opinions at your own risk.

One morning people just "woke up" as security experts. But apparently they never went back to sleep; Marcus calculates that the US security market has a 70% compound annual growth! Such enormous changes come from natural growth, IPOs, and the injection of VC money (or energy, as he describes it). Several security companies announced IPOs in 1995-97. IPOs pressure companies into short-term development. Investors expect *something* each quarter.
Investors salivate over Internet-related IPOs coincidentally scheduled with interviews, articles, and industry initiatives. However, IPOs and VC often produce artificial growth. As an aside, Marcus offered an exaggerated get-rich-quick scheme: go to security companies and read the guest register. Maybe you will see the names of a lawyer, some investment bankers, and a prominent CEO all on the same day. Then bet with your kids' college tuition. I could almost hear the audience thinking aloud.

With new capital a company can either compete like mad or perish. It can outsell a competitor, claim to own most of the market share, buy the pieces it does not own, or watch its stock value sink. Investors don't care about technical details of security. They care about the right press. Of course, this produces lots of short-term fluff. Most public companies just want to get something out the door because they cannot develop long-term strategies while pleasing investors each quarter.

Marcus then gave his opinion on future industry trends. Instead of licensing technology, companies will acquire or merge with others. For instance, Security Dynamics (authentication) purchased RSADSI (encryption). Likely merger paths include the marriage of authentication with firewall technology. However, Marcus does not expect monster IPOs from encryption companies. And everyone knows the importance of controlling a public key infrastructure (PKI) -- that's the problem! Marcus vividly described wanna-be CAs as "greedy pigs" who "knocked over [the PKI] while charging at the trough."

The next part of Marcus' talk concerned new growth areas. Intrusion detection will become popular. "Network grep" technology has a big market because it's easy to explain: you passively look for intrusion patterns. [See the summary on "Bro".] However, virtual private networks have their lines drawn; it's too late for startups. By 2000, analysts expect a $14 billion/year market for complete, managed network systems.
Customers want one box (count 'em, one) for security, firewalls, and pizza. The one-trick-pony company will give way to one-stop shopping. As a side effect, bogus products and bogus consultants will proliferate, tarring the real security experts with bad press. Name recognition will become the metric of security quality. Customers will choose one of the five big-name companies. Expect serious commoditization.

What is the effect on security? The industry gobbled up everyone who understands security. Moreover, security experts can charge top dollar -- attracting wanna-bes and diluting the market. However, Marcus offers some assurance that the joyride will soon slow down; astronomical fees will not last forever.

Throughout his talk, Marcus advised people to learn more about Windows NT. He explained that "Microsoft takes things the customer wants, then rolls it into an operating system." People want to use NT because they wrongly believe it is easier than UNIX. The UNIX community can partially blame itself for this perception. We bicker over flavors of window managers and GUIs; we "scare people" into using NT. If you design a plug-in security module for NT, you will get money. Microsoft will either buy you or steal you, but either way you will get a red Ferrari. Otherwise Microsoft will drive you into the ground. "You have to be a total schmxxx to fail," said Marcus. In the end, everyone will use NT. "Cry, but don't laugh," he warns.

An audience member asked for justification that token-based authentication systems and smartcards will soon fade away. Marcus replied, "Why carry a token when you can carry a Pilot?" He further explained that tokens alone do not complete transactions and that smartcards need backing from computer giants for widespread acceptance.

I note that large growth reduces the accuracy of market predictions. If the security market has a compound growth of 70% a year, no one can accurately predict the future.
For more information about Marcus' work, see http://www.clark.net/pub/mjr/.

Intrusion Detection
Refereed Papers Track
Session Chair: Mike Reiter, AT&T Labs - Research

Bro: A System for Detecting Network Intruders in Real-Time
Vern Paxson, Lawrence Berkeley National Laboratory

Named for its Orwellian potential for privacy violations, Bro detects intrusions by passively monitoring network traffic. Particular traffic patterns cause a monitor to make intrusion announcements in real time. Vern is a member of the LBNL Network Research Group and the author of flex, a program that generates lexical analyzers for compiler front ends. Developing Bro since 1995, Vern easily earned the best paper award.

Bro's design considers seven goals: high-speed, large-volume monitoring; resistance to dropping packets; real-time notification; separation of mechanism from policy; extensibility; avoidance of simple policy mistakes; and tolerance for attacks on the monitor. Vern gave the example of the large LBNL network, in which security need not be airtight but intrusions must be detectable. Offline intrusion detection has its own applications, but it is nowhere near as good as real-time notification. Vern separates mechanism from policy to easily allow policy changes in the future. Moreover, an explicit policy language helps avoid simple mistakes.

Bro consists of several layers. At the bottom, the network layer feeds a packet stream to the libpcap library (tcpdump uses this library). After some initial filtering, packets arrive at the event engine, which is controlled by the policy script interpreter. The event engine filters out unwanted traffic. For instance, you may only care about FTP or portmapper packets. Finally, the interpreter makes intrusion announcements in real time. A figure in the paper better describes the interface between each layer.

Key to the design of Bro is a policy language. This strongly-typed language aims to catch policy errors at compile time.
One notable feature protects against malicious strings. Rather than terminating a string with a NUL character, Bro represents a string by a vector of bytes and a byte count. If Bro were to use NUL-terminated strings, an intruder could trick a monitor with a string such as "USER nice\0USER root". No explicit looping mechanism (besides recursive calls) exists, because Bro cannot afford the execution time and loops open up denial-of-service attacks. The single-threaded implementation offers timer management (10,000 timers easily), interpretation instead of compilation, checkpointing, and the ability to do offline analysis. The paper gives an overview of the language and offers several policy code snippets.

The mere existence of a monitor invites attacks. As such, Bro defends itself against three categories of attacks. An overload attack forces the monitor to drop packets so that an intruder can sneak in unnoticed. Bro defends against this attack by doubting the monitor's capabilities; the monitor will shed load if necessary. A second attack causes the monitor to crash. An intruder could cause fatal errors by exploiting bugs or making the monitor run out of resources. In defense, a monitor uses a watchdog timer and records a traffic audit trail. Vern notes that crashes are hard to prevent, since a single bug in any program can open up attack avenues. A third attack involves subterfuge. A nasty intruder could mislead the monitor. For example, an intruder may fragment IP datagrams in hopes that the monitor will fail to reassemble the fragments. The paper devotes an entire page to this difficult problem. Vern also explained that security through obscurity alone is not sufficient, but you should still not advertise a policy script, since it could reveal local bottlenecks to an intruder.

Wrapping up his talk, Vern gave the current status of Bro. Currently Bro can analyze four specific applications: finger, ftp, portmapper, and telnet.
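The NUL-byte point above, as an added example (this is not Bro's code): a toy policy check flags FTP logins to sensitive accounts, once treating the captured bytes as a C string (everything after the first NUL vanishes) and once as a counted byte vector the way Bro does. The account list and the captured command line are constructed for the demonstration.

```python
"""Why a network monitor must not treat captured bytes as C strings."""
import re
from typing import List

SENSITIVE_ACCOUNTS = {b"root", b"admin"}          # constructed policy list

# Constructed capture: one FTP command line carrying an embedded NUL.
CAPTURED_LINE = b"USER nice\x00USER root\r\n"


def c_string_view(data: bytes) -> bytes:
    """Model strcpy/strstr-style handling: the data ends at the first NUL."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def user_names(data: bytes) -> List[bytes]:
    """Every account name supplied via a USER command in the bytes given.

    With counted bytes the regex runs over the whole buffer, so a NUL is just
    another byte and the second USER command is still seen.
    """
    return re.findall(rb"USER ([^\x00\r\n]+)", data)


def flagged_logins(data: bytes, nul_terminated: bool) -> List[bytes]:
    """Sensitive account names found in the line under either string model."""
    view = c_string_view(data) if nul_terminated else data
    return [name for name in user_names(view) if name in SENSITIVE_ACCOUNTS]


if __name__ == "__main__":
    print("C-string monitor sees:", flagged_logins(CAPTURED_LINE, True))    # nothing
    print("counted-bytes monitor sees:", flagged_logins(CAPTURED_LINE, False))  # [b'root']
```

The server on the other end of that connection may well parse past the NUL, so a monitor that silently truncates is looking at a different command than the server is; the counted representation keeps both views identical.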
As for performance, Bro easily handles a 25Mbps FDDI ring during busy hours (the statistic in the paper is incorrect; the paper claims 50Mbps). Generally the system drops no packets. However, the event engine processes about 200 packets/second after the filter discards unwanted packets. At LBNL the monitor generates about 40MB of connection logs and 20 real-time notifications each day. This has resulted in several CERT reports and many account deactivations. The source is available upon request. See http://www-nrg.ee.lbl.gov/nrg-papers.html for more information.

A participant asked whether Bro could handle the capacity of ATM and switched technology. Vern answered that in such a case, you can deploy multiple coordinated boxes. He does not expect any problems arising from ATM packet assembly. Another audience member asked whether Bro would overload if placed on a gateway. Vern explained that such a system could be a reactive firewall or could talk to a firewall or router. You want to filter out the majority of traffic.

Cryptographic Support for Secure Logs on Untrusted Machines
Bruce Schneier and John Kelsey, Counterpane Systems

Bruce Schneier, president of Counterpane Systems, presented a paper on secure logs. Essentially the secure logging system detects modifications to logs on an untrusted machine. Drawing analogies to the legal system, Bruce explained that "we don't prevent crime in this country, we detect it." The same idea is put forth in secure logging. Bruce's work includes the authorship of "Applied Cryptography" and the creation of the Blowfish cipher. Instead of presenting slides in ascending order, Bruce counted downwards, since he claims the audience "really wants to know when they can get out." Incidentally, I saw Bruce writing his slides during the previous session. In any case, his talk went well and he made the audience roll with laughter.

In the general model, an untrusted machine, U, talks to a trusted machine, T.
An ATM machine or smartcard qualifies as an untrusted machine. U maintains audit logs and occasionally commits them to T, but U may be compromised at any time. If an intruder attacks U at time t, the intruder cannot undetectably alter log entries made before time t.

There are limits to possible solutions. First, no security measure can protect U after time t; an intruder can do anything after time t. Second, if T and U communicate online continuously, the problem no longer exists. Third, cryptography alone cannot prevent deletion. Write-only hardware such as printouts or WORM drives can prevent deletion.

Bruce identified a few wrong ways to protect logs. The logger could encrypt log entries, but then the key is stored on U (ignoring performance-heavy public key crypto). MACs suffer from the same problem. A logger could use hash chains, but an intruder can fake them. The approach in this paper combines MACs and encryption keys in an irreversible process. A complicated diagram depicts the addition of entries to a log file. Several variants of the logger exist (offline versions, a phone transmission medium). You should see the paper for an outline of the protocol.

An audience member questioned whether this system can detect intrusions at the time of attack. Bruce explained that the secure logger does not exactly detect attacks; that's a "hardware problem." If an intruder can get into a system without generating log entries, then this system cannot help. Another participant pointed out that an electronic wallet can be attacked at time t=0. In Bruce's scheme, he assumes the owner is an attacker. It is a vulnerability. Questioned about the difference between irreversible hashing and hash chains, Bruce responded that an attacker could delete log entries in reversible hash chains. Chains allow easy forward hashing. Bruce's logger uses hash chains, but prepends extra information. Finally, an audience member asked why the system does not use public-key encryption.
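The "MACs plus encryption keys in an irreversible process" idea, as an added example that uses only symmetric primitives (it is not the paper's protocol): a simplified construction in which U keeps only the current authentication key, derives each entry's MAC key and encryption key from it, and then replaces it by a one-way hash of itself. T, which knows the initial key A_0, replays the schedule to verify. The toy XOR stream cipher and the key-derivation labels are assumptions for this sketch.

```python
"""Forward-secure audit log in the spirit of the Schneier-Kelsey scheme."""
import hashlib
import hmac
from typing import List, Optional, Tuple

Entry = Tuple[bytes, bytes, bytes, bytes]   # (type W_j, ciphertext C_j, chain Y_j, MAC Z_j)
SEED_Y = b"\x00" * 32                       # Y_{-1}, start of the hash chain


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption): XOR with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _h(key, i.to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class UntrustedLogger:
    """Machine U. Holds only A_j; earlier keys are gone once used."""

    def __init__(self, a0: bytes) -> None:
        self._a = a0          # A_0, agreed with T when the log is opened
        self._y = SEED_Y
        self.entries: List[Entry] = []

    def append(self, entry_type: bytes, data: bytes) -> None:
        k = _h(b"encryption key", self._a)                        # K_j
        c = _xor_stream(k, data)                                   # E_{K_j}(D_j)
        self._y = _h(self._y, c, entry_type)                       # Y_j = H(Y_{j-1}, C_j, W_j)
        z = hmac.new(self._a, self._y, hashlib.sha256).digest()    # Z_j = MAC_{A_j}(Y_j)
        self.entries.append((entry_type, c, self._y, z))
        self._a = _h(b"increment hash", self._a)                   # A_{j+1}; A_j is destroyed

    def current_key(self) -> bytes:
        """What an intruder who reads U's memory right now obtains."""
        return self._a


def verify(entries: List[Entry], a0: bytes) -> Tuple[Optional[int], List[bytes]]:
    """Machine T: recompute A_j, Y_j, Z_j from A_0 and compare entry by entry.

    Returns (index of the first bad entry or None, plaintexts of the good prefix).
    """
    a, y, plaintexts = a0, SEED_Y, []
    for j, (w, c, y_j, z_j) in enumerate(entries):
        y = _h(y, c, w)
        z = hmac.new(a, y, hashlib.sha256).digest()
        if y != y_j or not hmac.compare_digest(z, z_j):
            return j, plaintexts
        plaintexts.append(_xor_stream(_h(b"encryption key", a), c))
        a = _h(b"increment hash", a)
    return None, plaintexts


def demo():
    """Two entries, a compromise at t = 2, then an attempt to rewrite entry 0."""
    a0 = _h(b"constructed shared secret")
    u = UntrustedLogger(a0)
    u.append(b"\x01", b"login alice")
    u.append(b"\x01", b"login bob")
    stolen = u.current_key()           # the intruder now holds A_2, nothing earlier
    u.append(b"\x02", b"su root")
    # Entry 0 is rewritten with a blanked ciphertext; Y_0 is recomputed and Z_0
    # is made with the only key available. The chain value checks out (a plain
    # hash chain would pass), but Z_0 was supposed to be made with A_0.
    w, c, _, _ = u.entries[0]
    c_fake = bytes(len(c))
    y_fake = _h(SEED_Y, c_fake, w)
    z_fake = hmac.new(stolen, y_fake, hashlib.sha256).digest()
    tampered = [(w, c_fake, y_fake, z_fake)] + u.entries[1:]
    return verify(u.entries, a0), verify(tampered, a0)
```

The honest log verifies completely; the tampered one fails at entry 0 even though its hash chain is internally consistent, which is exactly the gap between "hash chains an intruder can fake" and the MAC-keyed irreversible process. Nothing here protects entries written after the compromise, matching the first limit Bruce stated.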
If you have small logs infrequently accessed, would not PK encryption help? Bruce replied that PK encryption is too slow and annoying for the goals of this secure logger. In the future, Bruce hopes to provide better multi-party logging, distributed trust, and anonymization. His talk explained the problem of secure logging well, but the logger itself could not be fully explained in 25 minutes. Bruce has online information at http://www.counterpane.com/secure-logs.html

StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
Crispin Cowan, Oregon Graduate Institute

Leader of the IMMUNIX system survivability group and one of the few tie-wearing USENIX attendees, Crispin Cowan talked about a general method to prevent buffer-overflow attacks. System administrators typically patch vulnerable programs one at a time. Taking a pro-active approach, StackGuard modifies the compilation process to prevent most overflow attacks.

A buffer overflow can allow local accounts (or compromised accounts) to obtain root privileges. In the standard buffer overflow attack, kids use cookbook methods to feed a long string into a function that does not check array bounds. In doing so, an attacker can inject code into the stack, overwriting the return address. When the function returns, the system jumps to the memory location of choice, typically code to obtain a root shell.

StackGuard uses a compilation technique to prevent overflows. The method is so simple you will cry: detect changes to the return address by pushing one more word on the stack. StackGuard pushes a "canary" value (a direct descendant of the Welsh miner's canary) after the return address. When returning, a function checks whether the canary value has changed. The canary must be secret, randomly generated at execution time, and decidable. [The last two conditions sound contradictory to me, but I haven't looked under the hood.]
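The canary check, as an added model (not StackGuard's gcc patch): a stack frame is simulated as a byte array laid out with the local buffer lowest, the canary word just above it, and the saved return address above that. An unchecked copy into the buffer that runs past its end reaches the canary before it reaches the return address, so the epilogue check catches the overwrite before the corrupted address is used. The frame layout, the fixed buffer size and the use of os.urandom as the canary source are assumptions of the model.

```python
"""Model of a StackGuard canary in a simulated stack frame."""
import os
import struct
from typing import Optional

BUF_SIZE = 16
CANARY_OFF = BUF_SIZE          # canary sits just above the buffer
RET_OFF = BUF_SIZE + 4         # saved return address sits above the canary
FRAME_SIZE = RET_OFF + 4


class CanaryViolation(Exception):
    """Raised in the epilogue when the canary no longer matches."""


def new_canary() -> bytes:
    """A fresh secret 32-bit canary per run (assumption: os.urandom stands in
    for the /dev/random-seeded generator the talk mentions)."""
    return os.urandom(4)


def make_frame(canary: bytes, return_addr: int) -> bytearray:
    frame = bytearray(FRAME_SIZE)
    frame[CANARY_OFF:CANARY_OFF + 4] = canary
    frame[RET_OFF:RET_OFF + 4] = struct.pack("<I", return_addr)
    return frame


def unchecked_copy(frame: bytearray, data: bytes) -> None:
    """Models strcpy into the local buffer: no bounds check, len(data) bytes written.
    (The model frame itself is finite, so the write stops at its end.)"""
    end = min(len(data), FRAME_SIZE)
    frame[0:end] = data[:end]


def epilogue(frame: bytearray, canary: bytes) -> int:
    """The function return as instrumented by StackGuard: verify the canary,
    only then hand back the saved return address."""
    if bytes(frame[CANARY_OFF:CANARY_OFF + 4]) != canary:
        raise CanaryViolation("stack smashing detected: canary modified")
    return struct.unpack("<I", frame[RET_OFF:RET_OFF + 4])[0]


def run_function(data: bytes, canary: Optional[bytes] = None) -> str:
    """Simulate one call that copies `data` into its buffer and returns.

    Returns "returned to <addr>" or "halted" (StackGuard's behaviour: abort
    and warn rather than jump to a corrupted address).
    """
    canary = canary or new_canary()
    frame = make_frame(canary, 0x08048ABC)     # constructed return address
    unchecked_copy(frame, data)
    try:
        return "returned to 0x%08x" % epilogue(frame, canary)
    except CanaryViolation:
        return "halted"
```

An input that fits the buffer leaves the canary untouched; an input longer than the buffer changes it, and the check fires regardless of what the overflow put in the return-address slot. The model also makes the limitation Crispin noted visible: a write that corrupts only data below the canary (a function pointer in the buffer's own region, say) never disturbs the canary and goes unnoticed.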
MemGuard, a variant of StackGuard, has the granularity to protect a single word in memory. Unfortunately, MemGuard has disappointing results. Crispin admitted that the "5400% to 8800% overhead probably is not worth it." On the other hand, StackGuard requires only a simple patch to gcc, which emits a little more code in the function prolog and epilog. StackGuard function calls are more expensive, but GCC compilation time does not appear to be affected by StackGuard, since GCC does not spend much time on function calls.

Experimental evaluation shows that StackGuard defends against *future* attacks. Crispin's group tried exploits from bugtraq, Linux security announcements, and comp.unix.security. In most cases, StackGuard detects an overflow, halts, then warns the user. For instance, the Samba overflow came out after the implementation of StackGuard, yet StackGuard detected the attack. However, StackGuard fails to detect attacks where the return address is not attacked. For instance, the SuperProbe overflow involves the rewrite of a function pointer. Crispin gave a wonderfully simple demonstration of StackGuard. Typing just a few commands, an unaltered dip binary produced a root shell. When compiled with StackGuard, dip dumps core and warns of the overflow.

Crispin identified two remaining problems: restarting daemons and responding to an attack. Halting is not too important for daemons started by inetd, but persistent daemons such as sendmail or inetd itself need a restart mechanism. A watchdog program could restart such services. The second problem involves what to do after detecting an attack. One option is to start a more restrictive program (e.g., one built with MemGuard), but this could result in denial of service. StackGuard is not perfect; buffer overflow problems can get through. But StackGuard is effective against overflows you do not know about. This gives you time to apply patches, which you should still do anyway.

An audience member asked whether an attacker could guess every canary.
Crispin explained that two versions of the pseudo-random number generator exist. One uses seeding from the time of day (cringe!) and another uses /dev/random. Luckily StackGuard will not give an attacker a chance to guess a canary twice. Given that the canary is a 32-bit word, attackers will have to try to get around the canary rather than attack it directly. Overflow attacks usually overwrite data pushed earlier on the stack. To protect against a downward attack, return addresses should live on another stack. It may be useful to put return addresses on another stack, but Crispin's group did not do this. Another audience member asked why StackGuard detects overflows instead of preventing overflows in the first place. Crispin replied that you would have to check on every write. You could check array bounds for every write, but StackGuard checks just once per function call. You may find lower overhead if reads occur more often than writes.

I note that buffer overflow attacks appear benign at first. But when combined with local account compromises, a single buffer overflow (hundreds are known to exist) can turn your system into Swiss cheese. The common attack works as follows: an intruder will sniff a password (we all use encrypted telnet, right?), exploit a cookbook overflow, install a packet sniffer, then repeat the first step.

Related work includes Snarskii's FreeBSD libc fix and Solar Designer's non-executable stack. Crispin notes that StackGuard and other solutions can combine for better protection. In the future, StackGuard hopes to protect non-stack data structures, integrate with intrusion detection software, and secure a Linux distribution. StackGuard is GPL'ed and currently works on the x86 architecture. A whole range of IMMUNIX projects can be found at http://www.cse.ogi.edu/DISC/projects/immunix/

Data Mining Approaches for Intrusion Detection
Wenke Lee and Salvatore J. Stolfo, Columbia University

Wenke Lee, a PhD student of Professor Stolfo, presented the paper on detecting intrusions by data mining. By applying data mining to intrusion detection, a systematic framework allows the construction of adaptive detection models. Unfortunately it was difficult to hear Wenke, but his paper explains most topics in the talk.

Wenke aims to avoid manual or ad-hoc intrusion detection mechanisms. Such mechanisms fall into two categories: misuse detection and anomaly detection. The problem with misuse detection is that someone must manually code known intrusion patterns. Moreover, new patterns are not detectable. In anomaly detection, someone must select the right set of system features for measurement. No solid guidelines exist, just experience and intuition.

Why use data mining? Intrusions usually leave trails of audit data. For example, cellular phone and credit card companies use data mining approaches to detect fraud. In data mining, you select appropriate features to audit. Wenke chose data from sendmail function call traces and tcpdump output. The rest of the system consists of a low-level learning agent, a base detection agent, and a meta detection agent. An agent extracts connection-level features such as the number of connection attempts, the method of termination, etc. Experimental results show single-digit misclassification rates for local traffic, but misclassification rates as high as 22% for inter-LAN communication. However, the addition of temporal statistical features reduces misclassification. Specifically, small window sizes for longer sampling periods produce better classification. One problem involves the selection of an optimal window size. A classifier should learn trends and patterns. For instance, it should predict whether you will visit web site C after visiting web sites A and B. Wenke is just at the beginning of the project and hopes to pursue further work in data mining approaches to intrusion detection.
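The "temporal statistical features" idea, as an added example that is not the Columbia code: constructed connection records in a tcpdump-summary style are turned into per-connection features over a sliding window (how many connections the same source opened in the last W seconds, what fraction failed, how many distinct destinations), and a simple threshold rule stands in for the learned classifier to show that the window size W decides what the features can see. The record format, the source addresses and the thresholds are all assumptions.

```python
"""Sliding-window connection features of the kind Wenke's agents compute."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    t: float       # start time, seconds
    src: str
    dst: str
    service: str
    state: str     # "SF" = normal termination; "S0"/"REJ" = no reply / rejected


# Constructed records: routine traffic from 10.0.0.5 and a burst of unanswered
# connections to many different hosts from 10.0.0.9 between t = 5.0 and 6.4.
RECORDS: List[Conn] = (
    [Conn(0.0, "10.0.0.5", "10.0.1.1", "http", "SF"),
     Conn(10.0, "10.0.0.5", "10.0.1.1", "http", "SF"),
     Conn(20.0, "10.0.0.5", "10.0.1.2", "smtp", "SF")]
    + [Conn(5.0 + 0.2 * i, "10.0.0.9", "10.0.1.%d" % (10 + i), "telnet", "S0")
       for i in range(8)]
)


def temporal_features(records: List[Conn], window: float) -> List[Tuple[Conn, int, float, int]]:
    """For each connection in time order: (conn, count, failed_fraction, distinct_dsts)
    computed over the same source's connections within the last `window` seconds."""
    out = []
    recent: Dict[str, Deque[Conn]] = {}
    for c in sorted(records, key=lambda r: r.t):
        q = recent.setdefault(c.src, deque())
        q.append(c)
        while q[0].t < c.t - window:          # drop connections older than the window
            q.popleft()
        failed = sum(1 for r in q if r.state != "SF")
        out.append((c, len(q), failed / len(q), len({r.dst for r in q})))
    return out


def suspicious_sources(records: List[Conn], window: float,
                       min_count: int = 5, min_failed: float = 0.5) -> List[str]:
    """Threshold rule on the features: many connections in the window, mostly failed."""
    return sorted({c.src for c, n, failed, _ in temporal_features(records, window)
                   if n >= min_count and failed >= min_failed})
```

With a two-second window the burst from 10.0.0.9 accumulates to eight mostly-failed connections and trips the rule; with a tenth-of-a-second window each connection is alone in its window and the same burst looks like routine traffic, which is the window-selection problem the talk raised.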
Currently Wenke is testing the effectiveness against known intrusions. After the session, Vern Paxson and Wenke Lee discussed ideas as USENIX attendees flocked around them like ants. Maybe we will see a hybrid of data mining and network monitoring in the future. You can find more information at http://www.cs.columbia.edu/~sal/hpapers/USENIX/usenix.html

Cryptography
Refereed Papers Track
Session Chair: Dan Boneh, Stanford University

Certificate Revocation and Certificate Update
Moni Naor and Kobbi Nissim, Weizmann Institute of Science

Kobbi Nissim presented a paper on efficient certificate revocation. Kobbi analyzed existing certificate revocation schemes and a new scheme with better incremental efficiency. The Naor-Nissim (NN) certificate revocation scheme uses Certificate Revocation Lists in the form of authenticated search structures. In addition, Kobbi won the best student paper award.

Certification involves three parties: a trusted certification authority (CA), an untrusted directory, and untrusted users. A CA issues and revokes certificates offline and periodically updates a directory. Users query a directory for "proofs" of validity and receive personal certificates from a CA. This paper addresses the problem of revoking users' certificates while keeping communication costs and message sizes to a minimum.

Kobbi summarized three existing certificate revocation schemes: Certificate Revocation Lists (CRLs), Micali's Certificate Revocation System (CRS), and Kocher's Certificate Revocation Trees (CRTs). The CRL offers the simplest approach. A CA periodically sends a digitally signed message to a directory. This message lists all revoked certificates. An obvious drawback is that the size of the message can grow overwhelmingly large. In CRS, a CA periodically signs a message denoting the validity of each certificate (revoked or not revoked). CRS has excellent query communication costs, but suffers from an increase in CA-to-directory communication.
CRTs use binary hash trees to authenticate statements about certificate validity. CRTs have the advantage that the entire CRT is not necessary to verify a given certificate. Moreover, users can easily prove certificate validity to other users. On the other hand, updates cause the re-computation of the entire CRT.

In the NN certificate revocation scheme, authenticated directories allow efficient directory queries and certificate "proof" updates. NN actually consists of a family of solutions, but Kobbi demonstrated the 2-3 tree version. Leaves represent revoked certificates' serial numbers (in ascending order), while the values of internal nodes result from collision-intractable hashes of their children. The paper describes other data structure variations. To vouch for the validity of the authenticated data structure, a CA signs a message containing the root node and tree height. Checking for a revoked certificate involves the re-computation of the path (of hashes) from the root node to the leaf representing the revoked certificate. This computation requires knowledge of all nodes on the path from the root to the leaf, along with all the children of the nodes on this path. Then, to prove the validity of a certificate, a user must demonstrate two paths from the root node to two neighboring leaves such that the serial number of the unrevoked certificate is sandwiched between the values of the neighboring leaves. Because a proof of validity is small and hashes can be easily verified by any user, the new scheme allows users to efficiently prove validity to each other, reducing the user-to-directory communication costs.

Kobbi exhibited a table that denotes the presence or absence of desirable qualities in CRLs, CRS, CRTs, and NN. Unfortunately the paper does not replicate the same table, but you can deduce the information by reading the itemized lists within the paper.
Qualities include low CA-to-directory communication, low directory-to-user communication, a high directory update rate, whether a user may hold a proof of validity, scalability, and the existence of an update mechanism. The NN scheme works well except that the amount of directory-to-user communication increases (and thus the overall amount of communication).

The new scheme can also update certificates incrementally. In traditional certification schemes, CAs may issue short-lifetime certificates, then reissue new certificates for *each* user. But the CA becomes a bott­leneck. In the NN scheme, Kobbi suggests that the CA broadcast an update message to all users. Taking advantage of the tree structure, users can update their certificate "proofs" appropriately. An audience member asked what would happen if a directory or user were to miss an update. Kobbi replied that proxies can collect update messages. Furthermore, one can authenticate proxies by checking the time of an update, since the reissuing period is a known expression.

The appropriate method of revocation depends on requirements of response time (propagation of revocation) and efficiency (the amount of communication). I recognize two main reasons for certificate revocation. Casual revocations result from non-critical reasons such as job changes or college graduation. If risk is low and most revocations are casual, decreasing the amount of communication at the cost of more propagation delay may be acceptable. However, revocations due to a compromise need immediate revocation. In a high-risk system, immediate revocations may justify the cost of extra communication.

Kobbi's clever overlays helped introduce certificate revocation, but too many complicated ideas uprooted the end of his talk. Nevertheless, the NN certificate revocation scheme is elegant and worthy of the best student paper award.
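The sandwich proof of validity, as an added example that is not the Naor-Nissim code: it assumes a plain binary hash tree over the sorted revoked serials rather than the 2-3 tree Kobbi demonstrated (one of the "other data structure variations"), but the proof logic is the one described above. A revoked serial is proved by its own path to the root; a valid serial is proved by the paths of two adjacent leaves that bracket it. Checking the CA's signature on (root, height) is assumed to happen outside this snippet, and the sentinel values 0 and 2^64-1 are an assumption that gives every real serial two neighbours.

```python
"""Sorted-leaf hash tree with "sandwich" proofs of certificate validity."""
import bisect
import hashlib
from typing import Dict, List, Tuple

INF = 2**64 - 1   # sentinel leaves 0 and INF; real serials are assumed to lie strictly between


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _leaf(serial: int) -> bytes:
    return _h(b"leaf", serial.to_bytes(8, "big"))


class RevocationTree:
    """Directory-side structure built from the CA's list of revoked serials."""

    def __init__(self, revoked: List[int]) -> None:
        self.leaves = [0] + sorted(set(revoked)) + [INF]
        level = [_leaf(s) for s in self.leaves]
        self.levels = [level]
        while len(level) > 1:
            if len(level) % 2:                  # odd level: duplicate the last node
                level = level + [level[-1]]
            level = [_h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            self.levels.append(level)
        self.root, self.height = self.levels[-1][0], len(self.levels) - 1

    def path(self, index: int) -> List[Tuple[bytes, int]]:
        """Sibling hashes from leaf to root; flag is 1 when our node is the right child."""
        out = []
        for level in self.levels[:-1]:
            if len(level) % 2:
                level = level + [level[-1]]
            out.append((level[index ^ 1], index & 1))
            index //= 2
        return out

    def prove(self, serial: int) -> Dict:
        i = bisect.bisect_left(self.leaves, serial)
        if self.leaves[i] == serial:
            return {"status": "revoked", "leaf": serial, "path": self.path(i)}
        return {"status": "valid",
                "lo": (self.leaves[i - 1], self.path(i - 1)),
                "hi": (self.leaves[i], self.path(i))}


def _climb(serial: int, path: List[Tuple[bytes, int]]) -> Tuple[bytes, int]:
    """Recompute the root from a leaf and its path; also recover the leaf's index."""
    node, index = _leaf(serial), 0
    for depth, (sibling, is_right) in enumerate(path):
        node = _h(sibling, node) if is_right else _h(node, sibling)
        index |= is_right << depth
    return node, index


def verify(serial: int, proof: Dict, root: bytes, height: int) -> bool:
    """User-side check against the (CA-signed) root and height."""
    if proof["status"] == "revoked":
        r, _ = _climb(proof["leaf"], proof["path"])
        return proof["leaf"] == serial and r == root and len(proof["path"]) == height
    (lo, lo_path), (hi, hi_path) = proof["lo"], proof["hi"]
    r_lo, i_lo = _climb(lo, lo_path)
    r_hi, i_hi = _climb(hi, hi_path)
    return (r_lo == root and r_hi == root
            and len(lo_path) == len(hi_path) == height
            and i_hi == i_lo + 1               # truly adjacent leaves
            and lo < serial < hi)             # the serial falls in the gap between them
```

The adjacency check matters: without it a directory could present two widely separated revoked serials and claim everything between them is valid. Since a proof is just two short hash paths, any user who has the signed root can pass it on to another user, which is the user-to-user verification the talk highlighted.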
Attack-Resistant Trust Metrics for Public Key Certification
Raph Levien and Alexander Aiken, University of California at Berkeley

Raph Levien, a graduate student of Alexander Aiken, presented a paper on the role of trust metrics in attack-resistant public key certification. The authors characterize existing trust metrics, establish a theoretical best case in their model, and offer a metric which meets the theoretical best case.

Trust metrics address the problem of binding public keys to opaque names. For instance, an email address may bind to a trusted public key. Trust metrics aim to accept most good bindings, but reject forgeries. By requiring multiple certifications, bindings become more attack-resistant. In the general case, a certification authority asserts that a key k belongs to a name n. This model naturally leads to a certification graph where nodes are keys or name/key associations and edges represent certification. A [binary] trust metric evaluates such a graph and outputs either accept (trusted) or reject (untrusted).

Raph admitted that the analysis makes two bold assumptions: the metric will accept most of the good name/key bindings, and the name space is opaque (names reveal no information). Without these assumptions, the analysis becomes intractable. He suggests the metric is good for email, but maybe not for high-security applications.

The proposed model considers two types of attacks. In a node attack, an adversary steals keying material from a CA. The adversary could reuse the keying material over and over. In an edge attack, an adversary convinces a CA to falsely certify a node; the adversary does not actually have the keying material. Why distinguish between node and edge attacks? It is harder to protect against edge attacks. Within the paper you can find a table of successful attack thresholds. The table summarizes the necessary number of compromised nodes and edges to invalidate a trust metric.
Resistance to attack ranged from single points of failure (just a single node) to quadratic numbers of nodes. The maxflow-edge metric achieves the theoretical best case. Each key is certified by exactly d other keys (for concreteness, d could be 10). This method is consistent with both the web-of-trust and the CA model. For a successful node attack, an adversary must compromise d nodes. Approximately d^2 nodes or edges are necessary for a successful edge attack. Other attacks include chosen node (breaking a certain key) and random node (breaking any key). Both attacks need d nodes for a successful node attack or about d^2 nodes for a successful edge attack.

Raph mentioned problems with metric evaluation. Trust metrics are limited: attack resistance grows only slowly with the cost of certification, and they will not scale up to the Internet. Raph calls the graph model somewhat simplistic. For instance, revocation is not part of the model. The paper could use more detailed captions so that the casual reader can see the main ideas. Breaking what must be a USENIX record, Raph delivered his talk with several minutes to spare. This paper offers good advice for designers of authentication metrics. You can find the paper and related information at http://www.cs.berkeley.edu/~raph/.

Software Generation of Practically Strong Random Numbers
Peter Gutmann, University of Auckland

Peter Gutmann gave a review of poor pseudo-random number generator (PRNG) implementations and presented a practically (not pseudo) strong random number generator. Peter's accomplishments include the Secure File System and CryptLib. This self-proclaimed eternal graduate student warned the audience of his tendency to speak fast. In order to thwart this habit, an associate routinely shot Peter with a Texan rubber-band gun (three times, to be exact).

Peter first highlighted significant holes found in PRNG implementations, including Netscape, Kerberos V4, MIT_MAGIC_COOKIE, and SESAME.
Because these implementations used predictable and/or public seeding, one could easily determine the seed. Once an adversary has the seed, most PRNG implementations become deterministic. In fact, Peter looked at the SSH source code just before giving his talk. Apparently the SSH generator does not use an OWF (one-way function); rather it uses an LFSR and exposes the internal state of the pool.

In designing a practically strong random number generator (PSRNG), Peter accumulated a list of general requirements. A PSRNG should protect against input analysis, manipulation of input, output analysis, and disclosure of internal state. Moreover, a PSRNG should use good coding practices. For example, Peter complained of the difficulty in understanding the spaghetti source code in PGP 2.x. A PSRNG should tap several sources for randomness. Random sources include purely physical devices (lava lamps, radioactive decay); physical devices with post-processing (SG100); multi-source; single-source (PGP 2.x or /dev/random); secret nonce and PRNG (Applied Cryptography); fixed secret value and PRNG; or a known value plus a PRNG (Netscape, Kerberos V4, SESAME).

To gauge the effectiveness of entropy polling, Peter tried to compress successive samples of random data. Peter analyzed entropy polling on several platforms. DOS and OS/2 do not offer much entropy. In Windows 95 and Windows NT, you have some relatively non-deterministic system statistics to exploit. Surprisingly, Peter found that Win16/32 produces lots of entropy upon reboot (about 2.5 times as much as a long-running machine). This results from the start-up of 16-bit Windows drivers in a somewhat non-deterministic order. However, network statistics in Windows NT contain almost no entropy, and reboots cause little change in entropy. In evaluating UNIX randomness polling, Peter had to "handwave." BSD has more sources of randomness, but Peter did not test rebooted machines because 150 people use his only BSD machine.
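Two of Peter's points in code, as an added example that is not CryptLib's generator: first, the compression gauge for entropy polling (if successive polls of a source compress well, the source is mostly redundancy and should be credited with little entropy); second, a pool whose output passes through a one-way hash and whose state is advanced afterwards, so that seeing output reveals neither the pool state nor earlier outputs, the property he found missing in the SSH generator. The two polled "sources" are constructed stand-ins, not real system statistics.

```python
"""Gauging entropy by compression, and a pool that never exposes its state."""
import hashlib
import os
import struct
import zlib
from typing import Dict, List


def compression_ratio(samples: List[bytes]) -> float:
    """Compressed size over raw size for the concatenated samples.
    Near 1.0: incompressible, plausibly high entropy. Well below 1.0: mostly
    redundancy, so count little entropy from this source."""
    blob = b"".join(samples)
    return len(zlib.compress(blob, 9)) / len(blob)


def poll_counter_source(n: int) -> List[bytes]:
    """Constructed low-entropy source: a 64-byte record whose only changing
    field is a counter (the shape of a predictable system statistic)."""
    return [struct.pack(">Q", i) + bytes(56) for i in range(n)]


def poll_os_source(n: int) -> List[bytes]:
    """Constructed high-entropy source: 64 bytes from the OS generator per poll."""
    return [os.urandom(64) for _ in range(n)]


class Pool:
    """Mixes arbitrary source data into a fixed-size state with SHA-256."""

    def __init__(self) -> None:
        self._state = bytes(32)

    def add(self, source: str, data: bytes) -> None:
        # Tagging with the source name keeps two sources' bytes from being confused.
        self._state = hashlib.sha256(self._state + source.encode() + data).digest()

    def output(self, nbytes: int) -> bytes:
        """Output is a one-way function of the state; the state is then advanced
        through another one-way step, so neither the output nor a later state
        snapshot gives away the state that produced earlier outputs."""
        out = bytearray()
        counter = 0
        while len(out) < nbytes:
            out += hashlib.sha256(b"output" + self._state + struct.pack(">I", counter)).digest()
            counter += 1
        self._state = hashlib.sha256(b"advance" + self._state).digest()
        return bytes(out[:nbytes])


def entropy_check(polls: int = 50) -> Dict[str, float]:
    """Run the gauge over both constructed sources."""
    return {"counter": compression_ratio(poll_counter_source(polls)),
            "os": compression_ratio(poll_os_source(polls))}
```

The gauge is deliberately crude (a compressor can only find redundancy it knows how to model, so a ratio near 1.0 is evidence, not proof), which is why the talk treats it as a way to rank sources rather than to certify them. The pool's separate "output" and "advance" labels are what prevent an observer who sees an output block from running the generator forward.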
Protecting the pool state is as important as protecting cryptographic keys. In UNIX, root can use the mlock() call. In Windows NT, locking does not work as documented. Macs can use the HoldMemory() call. Windows 95 locking does not work (the function returns "true"). Since Windows has "methods" to read the pool, one can obfuscate things by spreading the pool all over the place. Peter found this method "pretty good."

Peter also presented a PSRNG implementation, which is better described by the diagrams in the paper. In his PSRNG, Peter used hard-coded paths to utilities such as netstat to acquire randomness. He recommends running the randomization process with the UID nobody (so as not to expose root-privileged information) and timing the harvest of random numbers to kill slow entropy sources. CryptLib contains Peter's practical random number generator.

A participant questioned Peter about blocking issues in the Linux implementation of /dev/random. If /dev/random is "drained" of its randomness, it may block to obtain more entropy. Peter explained that one cannot easily speed up /dev/random because it tries to estimate how long to stir the pool for the amount of randomness you request. If you empty the pool, /dev/random will block until the pool is refreshed. Trading some security for performance, programs may find the urandom() call sufficient for some applications.

Throughout the talk Peter gave random bits of advice. For instance, generating a public key and then the corresponding private key from the same pool can expose the state of the pool used for the private key. You have to keep them separated or intruders will come out to play.

Peter hesitated to call his scheme pseudo-random in the pure sense. Pseudo-randomly generated numbers usually refer to bit strings indistinguishable from truly random bit strings, given a polynomial amount of computation time. However, most PRNGs suffer from performance drawbacks.
Instead, Peter calls his scheme practically random: a balance between trial-by-fire security and performance.

I note that even the experts can overlook PRNG problems. For instance, Jeff Schiller, a well-established security expert, co-designed Kerberos and co-authored an Internet RFC titled "Randomness Recommendations for Security" in 1994 (see RFC 1750). However, people found a flaw in the Kerberos V4 random number generation in 1996! Even the experts can overlook random number generation. Therefore, PSRNG designers should pay careful attention.

This entertaining talk addressed issues of practical security and good implementation practices. For more information, see http://www.cs.auckland.ac.nz/~pgut001/.

Invited Talk: Elliptic Curves -- Ready for Prime Time
Alfred Menezes, University of Waterloo

In this invited talk, Alfred Menezes gave a quick introduction to elliptic curve cryptosystems and their advantages over other cryptosystems. Alfred charged into the most mathematical talk of the symposium. Alfred's work includes co-authorship of the "Handbook of Applied Cryptography" and "Elliptic Curve Public Key Cryptosystems." Once at Auburn University, he now works for the Advanced Cryptographic Research Center at the University of Waterloo.

Alfred began by defining multiplicative groups in a finite field. For instance, discrete log problem (DLP) cryptosystems usually operate in Z_p^*. Why use fancy groups other than just Z_p^*? Arithmetic and security of protocols may be more efficient or better. For instance, you could use smaller numbers, yet retain the same security.

Elliptic curve cryptosystems (ECC) are based on two variations of the DLP. An elliptic curve comes from the equation y^2 = x^3 + ax + b, where a and b are elements of Z_p^* such that 4a^3 + 27b^2 does not equal zero (mod p). The set E(Z_p^*) consists of all points (x,y), x,y in Z_p^*, which satisfy the above equation, together with a special "point at infinity."
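As an added illustration (my own code, not Alfred's), the definition above worked through in Python for a prime small enough to enumerate: it checks the 4a^3 + 27b^2 condition, lists E(Z_p), implements the group law and scalar multiplication, counts how many curves one fixed p offers, and solves the tiny instance of the elliptic curve DLP by exhaustion. The prime p = 23 and the curve y^2 = x^3 + x + 1 are chosen for illustration.

```python
# Added example (not from the talk): toy elliptic-curve arithmetic over Z_p for a
# prime small enough to enumerate. Points are (x, y) tuples; INF is the special
# point at infinity, which acts as the group identity. Coordinates are taken in
# Z_p with 0 allowed, the usual convention.
INF = None


def is_nonsingular(a, b, p):
    """The condition from the talk: 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def on_curve(P, a, b, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def enumerate_points(a, b, p):
    """E(Z_p) by brute force: every (x, y) satisfying the equation, plus INF."""
    if not is_nonsingular(a, b, p):
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
    points = [INF]
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        for y in range(p):
            if (y * y) % p == rhs:
                points.append((x, y))
    return points


def count_curves(p):
    """How many (a, b) pairs give a valid curve over one fixed prime p; this is
    why everyone can share the prime and choose the curve per system."""
    return sum(1 for a in range(p) for b in range(p) if is_nonsingular(a, b, p))


def add(P, Q, a, p):
    """Chord-and-tangent group law on E(Z_p)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                      # P + (-P) = INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)           # chord slope
    lam %= p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, P, a, p):
    """k*P by double-and-add: the operation a key holder performs cheaply."""
    result, addend = INF, P
    while k > 0:
        if k & 1:
            result = add(result, addend, a, p)
        addend = add(addend, addend, a, p)
        k >>= 1
    return result


def ecdlp_by_exhaustion(P, Q, a, p, limit):
    """Find k with Q = k*P by trying every k: the elliptic curve analogue of the
    DLP that ECC assumes is hard. Feasible here only because p is tiny; for the
    general case no sub-exponential algorithm is known."""
    R = INF
    for k in range(limit):
        if R == Q:
            return k
        R = add(R, P, a, p)
    return None


if __name__ == "__main__":
    # Constructed illustration: the textbook curve y^2 = x^3 + x + 1 over Z_23.
    a, b, p = 1, 1, 23
    pts = enumerate_points(a, b, p)
    print(len(pts), "points on E(Z_23) including INF;", count_curves(p), "curves over Z_23")
    P = (3, 10)
    Q = scalar_mult(9, P, a, p)
    print("9*P =", Q, "; recovered k =", ecdlp_by_exhaustion(P, Q, a, p, len(pts)))
```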
Given a fixed prime p, there are many curves to choose from. This means everyone could share the same prime, allowing construction of cheap, special-purpose hardware. Because ECC appears to provide good security with small secrets and little energy, companies like Motorola will want to use ECC in small devices such as pagers.

Alfred took a defensive stance on ECC. Has IFP been intensely studied? Yes, but Gauss could not even perform modular exponentiation. This prevented him from further success. Moreover, the Number Field Sieve (NFS) would have been useless to them since computers did not exist. The Integer Factorization Problem (IFP) has really only been studied in the last 20 years. IFP is "sexier" than DLP, but in Alfred's opinion, IFP is not a better basis than DLP. None of these systems are provably secure; they make heavy-duty assumptions. ECC assumes an elliptic curve analog of DLP. There exist good breaks on specific instances of ECC, but no sub-exponential algorithm has been found for the general case. Although ECDLP was only proposed in 1985, DLP and ECDLP abstractly concern the same problem -- just different arithmetic structures. Many DLP problems apply to ECs. Therefore, elliptic curves have been studied about as much as DLP.

IFP appears to admit better software attacks. For instance, the RSA-129 effort involved several hosts over the Internet. On the other hand, DLP-based cryptosystems have better hardware attacks (according to Wiener).

An audience member asked about patent issues with ECC. With RSA, patent issues come into play. But for general ECC, no patents exist (just certain implementations). With ECC you can avoid patents. However, government standards offer liability protection. Some companies like patented technology for liability and licensing reasons.

Currently there exist no sub-exponential attacks on ECC. However, cryptographers disagree on whether to assume no sub-exponential attacks exist simply because no one has found one.
Many cryptographers find the security comparisons between ECC and DLP hard to justify. Since describing Alfred's diagrams in words hardly does justice, I suggest reading his book, "Elliptic Curve Public Key Cryptosystems," or the paper, "Elliptic Curve DSA (ECDSA): An Enhanced DSA." See http://www.dms.auburn.edu/~menezal/ for more information.

Invited Talk: Factoring, Facts and Fables
Arjen K. Lenstra, Citibank, N.A.
Summary by Kevin Fu

This talk offered a historical perspective on factoring and security assumptions. The world's foremost expert on factorization, Arjen Lenstra became widely known when his team cracked the RSA-129 challenge at Bellcore. Arjen currently works for Citibank and has fun as president of Digicrime. Arjen emphasized that this talk has no relation whatsoever to his employer. He also noted that this is his first time at a USENIX Security Symposium and that "you can't expect much else from a banker."

Factoring is a simple problem: given an odd non-prime n, find a non-trivial factor of n. The problem of testing primality is easy. In theory, this runs in random polynomial time, while in practice it runs in deterministic polynomial time. However, people believe that factoring large numbers (with no small factors) is difficult. This is a religion, and there is no evidence to show it is true. Everyone seems to agree, but "I have no idea why."

According to the recently deceased James Ellis (http://www.cesg.gov.uk/ellisint.htm), the British government had trouble maintaining lots of keys for the armed forces. Therefore, they sought a system which required no prior key. This account of Non-Secret Encryption (NSE) exists in a 1970 CESG report by J.H. Ellis: "The Possibility of Secure Non-Secret Digital Encryption." Then in November of 1973, C. C. Cocks wrote "A Note on Non-Secret Encryption" in a CESG report. The algorithm proposed by Cocks (CCC) looks very similar to RSA. Interestingly enough, CCC did not consider signature use.
Of course, Diffie-Hellman appeared in 1976 while RSA appeared in 1977. Another scheme from CESG is based on DLP in a ring rather than a multiplicative finite field. This report was made months before Diffie-Hellman. Arjen asked the question: Were PKCS, RSA and DH first discovered in the UK? For dramatic effect, he left the rest of the slide empty.

Security of "accepted" PKCS is based on the supposed difficulty of factoring or taking discrete logs. Do we have non-trivial lower bounds for the difficulty of factoring or DLP? No, except for some special cases of no practical use. There do exist non-polynomial upper bounds from algorithms such as the Quadratic Sieve (QS) in 1982 and the Number Field Sieve (NFS) in 1989. Conclusion: Perceived security of PKCS is based on "our credulity and mathematical incompetence."

Arjen explained that there are plenty of people talking about factoring who have never factored themselves. For instance, Richard K. Guy doubts that "anyone can factor 80 digits without special form in the present century" in his 1976 paper, "How to factor a number." Martin Gardner wrote of "A new kind of cipher that would take millions of years to break." In Arjen's opinion, a laptop computer could soon factor an 80-digit number in a single day.

To argue his point, Arjen extrapolated current factoring capabilities. In 1994, a QS factored an RSA-129 modulus. This required 5000 MIPS years for stage 1 (sieving) and two days on a 16K MasPar for stage 2 (matrix). Then in 1996, an NFS factored a 130-digit number in less than 700 MIPS years for stage 1 (68 hours and 700MB). However, stage 2 required much more computation time, even on a Cray C-90. Extrapolating these figures, Arjen believes factoring a 512-bit number with a QS would require 500,000 MIPS years for sieving and 4 days (and 1GB of space) on a Cray C-90 for the matrix. Substituting NFS, sieving would take 20,000 MIPS years and matrix computations would take 3 months (and 4GB of space).
Therefore, 512-bit moduli are not long enough for current technology. On the other hand, factoring 1024-bit moduli seems hopeless. Just to sieve, the QS would require 10^15 MIPS years while the NFS would take 10^11 MIPS years. Arjen concludes that 512-bit QS factorization is feasible, 512-bit NFS factorization is hardly feasible, and 1024-bit factorization is hopeless.

Looking to the future, Arjen addressed how faster processors and new theory affect factoring. Speeding up a processor will not significantly improve current sieving techniques. Unless memory speeds increase, faster processors will not help. As for new theoretical insights, Arjen says, "Anything may happen."

Does difficulty imply security? Yes, if the entire production process is closely watched by people who understand all the issues involved. But many such people are either "laid off or promoted to security jobs." Then how can you avoid "creative" products? You could use trusted software (but does it exist?). Reading and understanding lots of source code is impractical. Trusting employees to write your own code is unrealistic. You could select the right vendor, but how? Combining products from different vendors is expensive, slow, and may not work. These problems apply to everything (operating systems, compilers, etc.).

Some experts say 160-bit elliptic curve cryptosystems (ECC) offer security comparable to 1024-bit RSA. Arjen believes 160-bit ECC is merely very difficult, not impossible. Arjen summarized that proving the difficulty of IFP or DLP would not change anything, since hardness of IFP or DLP does not imply hardness of many algorithms such as RSA. On the other hand, fast algorithms to solve IFP and DLP would topple most of the foundations of modern public key cryptography. Finally, Arjen concluded by asking, "Why won't business people leave the Internet alone?!"

An audience member asked what to do if you were to find a fast factoring algorithm. Arjen offered two suggestions.
First, the discoverer should make the finding extremely public and publish the work as soon as possible -- in order to save your own skin. As an alternative, Arjen told the audience, "Just tell me about it."

Some confusion erupted over key sizes. Do not confuse bits with digits. For instance, RSA-129 (digits) = 429 bits.

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

o http://java.sun.com/people/gong/papers/pubs97.html
  - L. Gong, M. Mueller, H. Prafullchandra, and R. Schemers, "Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2". In Proceedings of the USENIX Symposium on Internet Technologies and Systems, Monterey, California, December 1997, pp. 103-112.
  - D. Balfanz and L. Gong, "Experience with Secure Multi-Processing in Java". Technical Report TR-560-97, Computer Science Department, Princeton University, September 1997.
  - L. Gong, "Java Security: Present and Near Future". IEEE Micro, 17(3):14-19, May/June 1997.

o http://www.research.digital.com/SRC/publications/src-rr.html
  "A Calculus for Cryptographic Protocols: The Spi Calculus"
  Martin Abadi and Andrew D. Gordon
  Report #149, January 25, 1998, 110 pages
  Also by anonymous ftp from: gatekeeper.dec.com (16.1.0.2). The path is: /pub/DEC/SRC/research-reports/..

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Entered 6 February 1998

Ulf Carlsen
Protective Technology AS
Postbox 549
N-4500 Mandal
Norway
Email: carlsen@protective.no
Tel: +47 38279080
Fax: +47 38279099

_______________________________________________________________________
Calls for Papers (full list on Web)
________________________________________________________________________

CONFERENCES

Listed earliest deadline first.
See also Cipher Calendar. Mix of full and abbreviated listings this issue; the web page will be updated as soon as possible to include the abbreviated listings.

ACISP '98
http://www.isrc.qut.edu.au/acisp98/cfp.html
Third Australasian Conference on Information Security and Privacy, 13-15 July, 1998, Brisbane, Australia. Papers pertaining to all aspects of information security and privacy are solicited. Papers may present theory, techniques, applications and practical experiences on any relevant topic. Electronic submissions (preferred) or seven copies of hard copy anonymized submissions due February 20, 1998, to acispsubmit@isrc.qut.edu.au or A/Prof Ed Dawson, Queensland University of Technology. Details available on web page.

VLDB '98
http://www.research.att.com/conf/vldb98/
24th International Conference on Very Large Data Bases, August 24-27, 1998, New York City. Topics of interest include authorization and security. Submissions in various categories due by 23 February, 1998, with abstracts of original research papers due 16 February to Jennifer Widom, widom@cs.stanford.edu, or Oded Shmueli, oshmu@cs.technion.ac.il. Details available on web page.

ESORICS'98
5th European Symposium on Research in Computer Security, Louvain-la-Neuve, Belgium, September 16-18, 1998. (submissions due February 28, 1998) [posted here: 11/9/97]
Computer security is concerned with the protection of information in environments where there is a possibility of intrusion or malicious action. The aim of the European Symposia on Research in Computer Security (ESORICS) is to further the progress of research in computer security by establishing a European forum for bringing together researchers in this area, by promoting the exchange of ideas with system developers and users and by encouraging links with researchers in related areas. A complete list of topics can be found on the conference web page at www.dice.ucl.ac.be/esorics98.
Papers should be written in English and limited to 6000 words, full page figures being counted as 300 words. Each paper must include a short abstract and a list of keywords. Since special sessions will be devoted to posters and demonstrations, it should be indicated in the paper submission if a demonstration can accompany the paper presentation. A call for posters and demonstrations will be published with the preliminary program. Panel proposals should include title, proposed chair, tentative panelists, a 2 or 3 paragraph description of the subject, format of the presentation, and rationale for the panel. Six hard copies of papers and panel proposals must be received before February 28, 1998, at the following address: Yves Deswarte / ESORICS 98 PC Chair / LAAS-CNRS / 7 avenue du Colonel Roche / 31077 Toulouse cedex 4, France / Tel. +33 (0) 5 61 33 62 88 / Fax: +33 (0) 5 61 33 64 11. In parallel with hard copy paper submission, an electronic (ASCII) copy of the paper abstract and key words must be sent by e-mail to: Yves.Deswarte@laas.fr

WFMSP '98
http://www.cs.bell-labs.com/~nch/fmsp
Workshop on Formal Methods and Security Protocols, 25 June, 1998, Indianapolis, Indiana (following LICS'98). Submissions due March 13, 1998. Correspondence and submissions to nch@research.bell-labs.com and wing@cs.cmu.edu. Details available on web page.

WOMOS
http://cuiwww.unige.ch/~ecoopws
4th Workshop on Mobile Object Systems: Secure Internet Mobile Computations. In association with the 12th European Conference on Object-Oriented Programming (ECOOP'98) and The ECOOP Workshop on Distributed Object Security, 21 July 1998, Brussels, Belgium. The 4th Workshop in the ECOOP series on Mobile Object Systems aims to bring together mobile object system and language designers, security experts, and generally people interested in discussing the current state and future direction of security research in the mobile object system context.
The workshop will be a forum to learn about the latest research, and also to discuss and exchange ideas concerning on-going theoretical and implementation work. Both full papers (maximum 15 pages) and position papers (1 page) are welcome. Authors wishing to submit a paper should send the paper in postscript form to the e-mail address ecoopws@cui.unige.ch by March 15, 1998. Along with the submitted paper, authors are requested to send a brief biography, 6 to 7 lines maximum, which should include a description of their current research activities.

DEXA'98
http://www.ifs.tuwien.ac.at/dexa98
Int. Workshop on Security and Integrity of Data Intensive Applications (http://www.wi-inf.uni-essen.de/~dexa98ws), Vienna, Austria, August 26-28, 1998. Submissions (short papers up to 2500 words or full papers up to 5000 words) due March 15, 1998. Electronic submission preferred; contact dexa98ws@wi-inf.uni-essen.de and see web page for full details.

DEXA-WBPR
http://www.di.uoa.gr/~dexa98/e-commerce.html
International Workshop on Business Process Reengineering and Supporting Technologies for Electronic Commerce, in conjunction with DEXA'98. Submission Deadline: March 15, 1998.

IIIS '98
http://www.ifip.tu-graz.ac.at/TC11/CONF/cfp98.html
Second Annual IFIP WG 11.5 Working Conference on Integrity and Internal Control in Information Systems. Papers solicited describing original ideas and results on foundations and applications related to the subject of integrity and internal control in information systems. Six copies of papers up to 5000 words due before 1 April to Prof. Sushil Jajodia, jajodia@isse.gmu.edu. See web page for details.

CCS-5
Preliminary call for papers for the Fifth Conference on Computer and Communications Security, San Francisco, California, USA, November 3-5, 1998 (Tutorials on November 2, 1998). (submissions due: April 3, 1998).
Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Fifth ACM Conference on Computer and Communications Security. Papers may present theory, technique, applications, or practical experience; a complete list of topics of interest can be found in the call for papers.

Instructions for authors: Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with a proceedings. Papers should be at most 15 pages excluding the bibliography and well-marked appendices (using 11-point font and reasonable margins on letter-size paper), and at most 20 pages total. Committee members are not required to read the appendices, and so the paper should be intelligible without them. Submission instructions for papers, as well as for panel proposals and tutorial proposals, will be posted at http://www.research.att.com/~reiter/ccs5/ and circulated in the final call for papers.

NSPW`98
http://www-hsc.usc.edu/~essin/nspw98.html
New Security Paradigms Workshop '98, Charlottesville, Virginia, September 22-25, 1998. (Submissions due April 3, 1998.)
Paradigm shifts disrupt the status quo, destroy outdated ideas and open the way to new possibilities. This workshop explores deficiencies of current computer security paradigms and examines radical new models that address those deficiencies. Previous years' workshops have identified problematic aspects of traditional security paradigms and explored a variety of possible alternatives. Participants have discussed alternative models for access control, intrusion detection, new definitions of security, privacy and trust, biological and economic models of security and a wide variety of other topics. The 1998 workshop will strike a balance between building on the foundations laid in past years and exploring new directions.
The workshop will offer a creative and constructive environment for approximately 25 participants. For more information, contact Daniel Essin at essin@hsc.usc.edu

ACSAC`98
http://www.acsac.org
Fourteenth Annual Computer Security Applications Conference. The conference solicits papers, panels, vendor presentations, and tutorials that address practical approaches to solving these problems in federal, state and local governments, departments of defense, and commercial environments. Selected papers will be those that present examples of in-place or attempted solutions to real problems, lessons learned, original research analyses, and approaches to securing our information infrastructure. All papers, panel/forum proposals, and vendor and tutorial proposals are due by May 29, 1998. Authors will be notified of acceptance by August 7, 1998. Camera-ready copies are due not later than September 25, 1998. You can also contact Vince Reed at Publicity@acsac.org

JOURNALS

Special Issues of Journals and Handbooks: listed earliest deadline first.

o A special issue of IEEE Internet Computing on Internet Security in the Age of Mobile Code, November/December 1998
  Guest editors: Gary McGraw (gem@rstcorp.com), Edward W. Felten (felten@cs.princeton.edu)
  Submissions are due May 12, 1998
  URL for submission process information: http://computer.org/internet/
  This special issue will be devoted to security implications of mobile code.
  In particular, we are interested in articles discussing:
  * Code signing technologies, including models for permissions, capabilities, and principals
  * Proof-carrying code and security policy resolution
  * Implications of existing protocols such as SSL on proxy scanning, intrusion detection, and firewalling
  * Handling denial of service
  * Design of secure interfaces for devices such as smart cards
  * Security policy creation and management issues
  * Injecting security into the software development process

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

o Fast Software Encryption 1998 paper list
  http://www.dmi.ens.fr/~vaudenay/fse5/

  Monday, March 23rd
  9h45  registration with coffee
  10h15 introductory remarks
  10h30 Session 1 --- Cryptanalysis 1
        title: New Results in Linear Cryptanalysis of RC5
        author: A.A. Selcuk
        title: Higher Order Differential Attack of a CAST Cipher
        author: S. Moriai, T. Shimoyama, T. Kaneko
        title: Cryptanalysis of Twoprime
        author: D. Wagner, B. Schneier, J. Kelsey, D. Coppersmith
  12h00 Lunch
  14h00 Session 2 --- New Stream Cipher
        title: JEROBOAM
        author: H. Chabanne, E. Michon
        title: Fast Hashing and Stream Encryption with Panama
        author: J. Daemen, C.S.K. Clapp
        title: Joint Hardware/Software Design of a Fast Stream Cipher
        author: C.S.K. Clapp
  15h30 break
  16h00 Session 3 --- Construction Analysis
        title: On the Security of Hashing Scheme Based on SL2
        author: K.S. Abdukhalikov, C. Kim
        title: About Feistel Schemes with Six (or more) Rounds
        author: J. Patarin
        title: Monkey: Black-Box Symmetric Ciphers Designed for MONopolizing KEYs
        author: A. Young, M. Yung
  17h30 end of day

  Tuesday, 24th
  9h00  Session 4 --- Hash Functions
        title: MRD Hashing and its Application to Multisender Authentication
        author: R. Safavi-Naini, S.
        Bakhtiari
        title: New Constructions for Secure Hash Functions
        author: W. Aiello, S. Haber, R. Venkatesan
  10h00 break
  10h30 Session 5 --- Pseudo Random Generators
        title: Cryptanalytic Attacks on Pseudorandom Number Generators
        author: J. Kelsey, B. Schneier, D. Wagner, C. Hall
  11h00 Panel
  12h00 Lunch
  14h00 Session 6 --- New Block Cipher
        title: CS-Cipher
        author: J. Stern, S. Vaudenay
        title: On the Design and Security of RC2
        author: L.R. Knudsen, V. Rijmen, R.L. Rivest, M.J.B. Robshaw
        title: Serpent: a new Block Cipher Proposal
        author: E. Biham, R. Anderson, L. Knudsen
  15h30 break
  16h00 new results (to be submitted at the workshop) [...]
  20h30 Dinner

  Wednesday, 25th
  9h30  Session 7 --- Modes of Operations
        title: Attacking Triple Encryption
        author: S. Lucks
        title: Cryptanalysis of some Multiple Modes of Operation
        author: D. Wagner
  10h30 break
  11h00 Session 8 --- Cryptanalysis 2
        title: Differential Cryptanalysis of the ICE Encryption Algorithm
        author: B. Van Rompay, L. Knudsen, V. Rijmen
        title: The first two Rounds of MD4 are not One-Way
        author: H. Dobbertin
        title: Differential Cryptanalysis of KHF
        author: D. Wagner
  12h30 Lunch

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
by Anish Mathuria
_______________________________________________________________________

o Wireless Networks, Volume 4, No. I (1998):
  J. Goodman and A. Chandrakasan. Low power scalable encryption for wireless systems. pp. 55-70

o Journal of Universal Computer Science, Vol. 3, No. 12 (December 1997):
  G. Bella and E. Riccobene. Formal Analysis of the Kerberos Authentication System. pp. 1337-1381.

o Scientific American (November 1997):
  J. Kephart, G. Sorkin, D. Chess and S. White. Fighting Computer Viruses. pp. 88-93.

o IEEE Journal on Selected Areas in Communications, Vol. 15, No. 8 (October 1997):
  S. Suzuki.
  An Authentication Technique Based on Distributed Security Management for the Global Mobility Network. pp. 1608-1617.

o Data & Knowledge Engineering, Vol. 24, No. 1 (October 1997):
  R. van de Riet, A. Junk and E. Gudes. Security in Cyberspace: A Knowledge-Base Approach. pp. 69-96.

o IEEE Network, Vol. 11, No. 5 (September/October 1997):
  C.-S. Park. On Certificate-Based Security Protocols for Wireless Mobile Communication Systems. pp. 50-55.

o Telecommunication Systems, Vol. 7, No. 4 (1997):
  J. Gray, A. Kshemkalyani, S. Matyas, M. Peyravian and G. Tsudik. ATM cell encryption and key update synchronization. pp. 391-408.

o Information Processing Letters, Vol. 63, No. 5 (September 1997):
  W.-B. Lee and C.-C. Chang. Authenticated encryption schemes with linkage between message blocks. pp. 247-250.

o IEEE Journal on Selected Areas in Communications, Vol. 15, No. 7 (September 1997):
  D. Samfat and R. Molva. IDAMN: An Intrusion Detection Architecture for Mobile Networks. pp. 1373-1380.

o IEEE Internet Computing, Vol. 1, No. 4 (July/August 1997):
  G. Karjoth, D. Lange and M. Oshima. A Security Model for Aglets. pp. 68-77.
  Z. Tari and S.-W. Chan. A Role-Based Access Control for Intranet Security. pp. 24-34.

o IEEE Network, Vol. 11, No. 4 (July/August 1997):
  B. Guha and B. Mukherjee. Network Security via Reverse Engineering of TCP Code: Vulnerability Analysis and Proposed Solutions. pp. 40-48.

o ACM Transactions on Computer Systems, Vol. 15, No. 2 (May 1997):
  B. Pfitzmann and M. Waidner. Strong loss tolerance of electronic coin systems. pp. 194-213.

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 3: Books
________________________________________________________________________

* Anup K.
  Ghosh, E-Commerce Security: Weak Links, Best Defenses. 272 pages, John Wiley & Sons, January 1998, ISBN: 0471192236
* Marcus Goncalves, Firewalls Complete. 1000 pages, McGraw-Hill, January 1998, ISBN: 0070246459
* Micki Krause, Harold F. Tipton, Handbook of Information Security Management. CRC Pr, January 1998, ISBN: 0849399475
* Robert S. MacGregor, Java Network Security. 200 pages, Prentice Hall Computer Books, January 1998, ISBN: 0137615299
* Lincoln D. Stein, Web Security: A Step-By-Step Reference Guide. 192 pages, Addison-Wesley Pub Co, January 1998, ISBN: 0201634899

________________________________________________________________________
Calendar
________________________________________________________________________

====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================

"Conf Web Page" indicates there is a hyperlink on the Cipher Web pages to conference information. (In many cases there is such a link even though mention is not made of it here, to save space.)

Dates               Event, Location                        Point of Contact/ more information
-----               ---------------                        ----------------------------------
 2/20/98:           ACISP '98, Brisbane, Australia,        submissions due: acispsubmit@isrc.qut.edu.au
 2/23/98:           VLDB '98, New York City, NY,           submissions due: widom@cs.stanford.edu
 2/23/98- 2/27/98:  ICDE '98. Orlando, Florida
 2/28/98:           ESORICS '98, Neuve, Belgium.
                    Submissions due to Deswarte@laas.fr (hardcopy also required)
 3/ 4/98- 3/ 5/98:  WWCA '98, Tsukuba, JAPAN
 3/10/98:           IFIP WG11.3, Chalkidiki, Greece;       submissions due to jajodia@gmu.edu
 3/11/98- 3/13/98:  SNDSS '98, San Diego, California
 3/13/98:           WFMSP, Indianapolis, Indiana;          submissions due to nch@research.bell
 3/15/98:           DEXA-SIDIA '98, Vienna, Austria;       submissions due: dexa98ws@wi-inf.uni-essen.de
 3/15/98:           DEXA-WBPR '98, Vienna, Austria;        submissions due: dexa98@di.uoa.gr
 3/27/98:           FMLDO 7, Ostfriesland, Germany;        submissions due to schewe@informatik.tu
 3/27/98- 3/28/98:  WebDB '98, Valencia, Spain
 3/30/98- 4/ 3/98:  ETAPS '98. Lisbon, Portugal
 4/ 1/98:           IIIS, Fairfax VA;                      submissions due to jajodia@isse.gmu.edu
 4/ 3/98:           CCS-5. San Francisco, CA, USA          Conf Web page
 4/ 3/98:           NSPW`98.                               submissions due zurko@opengroup.org or sjg6@gate.net
 4/14/98- 4/17/98:  AGENTS-EMCSR '98, Vienna, Austria
 4/15/98- 4/17/98:  IH Workshop; Portland, Oregon
 5/ 3/98- 5/ 6/98:  IEEE-S&P; Oakland, California
 5/ 5/98- 5/ 7/98:  DOCSec '98, Baltimore, MD
 5/12/98:           Internet Computing, Mobile Code Sec. spec. iss. due   gem@rstcorp.com
 5/12/98- 5/15/98:  10th CITSS, Ottawa;                    no e-mail address available
 5/29/98:           14th ACSAC; submissions due,           contact Publicity@acsac.org
 5/31/98- 6/ 4/98:  EUROCRYPT '98, Helsinki, Finland
 6/ 1/98- 6/ 4/98:  SIGMOD-PODS. Seattle, Washington
 6/ 8/98- 6/12/98:  CAiSE*98, Pisa, Italy
 6/ 9/98- 6/11/98:  CSFW 11; Rockport, Massachusetts
 6/25/98:           WFMSP, Indianapolis, Indiana
 6/30/98- 7/ 2/98:  ISCC '98. Athens, Greece
 7/ 1/98- 7/ 4/98:  SICON '98.
                    National University of Singapore
 7/13/98- 7/15/98:  ACISP '98, Brisbane, Australia
 7/15/98- 7/17/98:  IFIP WG11.3, Chalkidiki, Greece
 8/17/98- 8/21/98:  COMPSAC '98, Vienna, Austria
 8/24/98- 8/27/98:  VLDB '98, New York City, NY
 8/24/98- 8/28/98:  DEXA-WBPR '98, Vienna, Austria
 8/26/98- 8/28/98:  DEXA-SIDIA '98, Vienna, Austria
 8/31/98- 9/ 4/98:  IFIP/SEC '98, Vienna and Budapest
 9/16/98- 9/18/98:  ESORICS '98, Neuve, Belgium
 9/22/98- 9/25/98:  NSPW `98, Charlottesville VA, USA
10/ 5/98-10/ 9/98:  FMLDO 7, Ostfriesland, Germany
11/ 3/98-11/ 5/98:  CCS-5. San Francisco, CA, USA
11/19/98-11/20/98:  IIIS, Fairfax, VA
 5/ 2/99- 5/ 5/99:  IEEE S&P 99; Oakland                   no e-mail address available
 5/11/99- 5/14/99:  11th CITSS, Ottawa;                    no e-mail address available
 4/30/00- 5/ 3/00:  IEEE S&P 00; Oakland                   no e-mail address available
 5/16/00- 5/19/00:  12th CITSS, Ottawa;                    no e-mail address available

Key:
* ACISP = Australasian Conference on Information Security and Privacy
* ACM-MOBILE = ACM Mobile Computing and Communications Review
* ACM-MONET = Special Issue of the Journal on Special Topics in Mobile Networking and Applications
* ACSAC = Annual Computer Security Applications Conference
* AGENTS-EMCSR = From Agent Theory to Agent Implementation
* ASIAN = Asian Computing Science Conference
* ATMA = Advanced Transaction Models and Architectures ATMA
* BDBIS = Baltic Workshop on DB and IS, BDBIS
* CAiSE*98 = Conference on Advanced Information Systems Engineering
* CCS = ACM Conference on Computer and Communications Security CCS-5
* CCSS = Annual Canadian Computer Security Symposium (see CITSS)
* CIKM = Int. Conf. on Information and Knowledge Management
* COMAD = Seventh Int'l Conference on Management of Data (India)
* CISMOD = Int. Conf. on Information Systems and Management of Data
* CITSS = Canadian Information Technology Security Symposium
* CFP = Conference on Computers, Freedom, and Privacy
* COMPSAC = Int'l.
Computer Software and Applications Conference * CoopIS96 = First IFCIS International Conference on Cooperative Information Systems * CORBA SW = Workshop on Building and Using CORBASEC ORBS CORBA SW * CPAC = Cryptography - Policy and Algorithms Conference * CRYPTO = IACR Annual CRYPTO Conference * CSFW = Computer Security Foundations Workshop CSFW 11 * CSI = Computer Security Institute Conference * CVDSWS = Invitational Workshop on Computer Vulnerability Data Sharing * CWCP = Cambridge Workshop on Cryptographic Protocols * DART = Databases: Active & Real-Time * DASFAA = Database Systems For Advanced Applications DASFAA '97 * DATANET = Datanet Security, Annual International Conference and Exhibition on Wide Area Network Security * DCCA = Dependable Computing for Critical Applications * DEXA = International Conference and Workshop on Database and Expert Systems Applications * DEXA-SIDIA = DEXA Workshop on Security and Integrity of Data Intensive Applications * DEXA-WBPR = International Workshop on Business Process Reengineering and Supporting Technologies for Electronic Commerce * DIMACS Security Ver = DIMACS Workshop on Formal Verification of Security Protocols '97 workshop * DMKD = Workshop on Research Issues on Data Mining and Knowledge Discovery * DOCSec = Second Workshop on Distributed Object Computing Security * DOOD = Conference on Deductive and Object-Oriented Databases * ECDLP = Workshop on the Elliptic Curve Discrete Logarithm Problem ECDLP * EDOC = Enterprise Distributed Object Computing EDOC '97 * Electronic Commerce for Content II = Forum on Technology-Based Intellectual Property Management URL * ENCXCS = Engineering Complex Computer Systems Minitrack of HICSS ENCXCS * ENM = Enterprise Networking ENM '97 * ENTRSEC = International Workshop on Enterprise Security ENTRSEC '97 * ESORICS = European Symposium on Research in Computer Security * ETAPS = European Joint Conferences on Theory and Practice of Software * EUROCRYPT = EUROCRYPT EUROCRYPT '98 * FIRST = 
Computer Security Incident Handling and Response * FISP = Federal Internet Security Plan Workshop * FISSEA = Federal Information Systems Security Educators' Association * FME = Formal Methods Europe * FMLDO7 = Foundations of Models and Languages for Data and Objects * FMP = Formal Methods Pacific * FSE = Fast Software Encryption Workshop FSE4 * FMSP = Formal Methods in Software Practice * GBN = Gigabit Networking Workshop GBN'97 * HASE = High-Assurance Systems Engineering Workshop HASE '97 * HICSS = Hawaii International Conference on Systems Sciences * HPTS = Workshop on High Performance Transaction Systems * IC3N = Int. Conference on Computer Communications and Networks Sixth, '97 * ICAST = Conference on Advanced Science and Technology, 13th ICAST * ICCC = International Conference for Computer Communications ICCC '97 * ICDCS96 = The 16th Int.l Conference on Distributed Computing Systems * ICDE = Int. Conf. on Data Engineering ICDE '98 * ICDT = International Conference on Database Theory ICDT97 * ICECCS = International Conference on Engineering of Complex Computer Systems * ICI = International Cryptography Institute * ICICS = International Conference on Information and Communications Sec. * ICNP = International Conference on Network Protocols ICNP '97 * ICOIN = International Conference on Information Networking ICOIN--12 * ICSSDBM = Int. Conf. 
on Scientific and Statistical Database Management * IDEAS = International Database Engineering and Applications Symposium * IEEE S&P = IEEE Symposium on Security and Privacy IEEE S&P '98 * IEEE NM = IEEE Network Magazine Special Issue on PCS Network Management * IEEE-ANETS = IEEE Network Magazine Special Issue on Active and Programmable Networks * IESS = International Symposium on Software Engineering Standards * IFIP/SEC = International Conference on Information Security (IFIP TC11) IFIP/SEC '98 (Twelfth Annual) * IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security * IFIP Mobile Commns = IFIP 1996 World Conference, Mobile Communications * IFIP-IICIS = First Working Conference on Integrity and Internal Control in Information Systems * IH Workshop = Workshop on Information Hiding * IICIS = Integrity and Internal Control in Information Systems * IMACCC = IMA Conference on Cryptography and Coding, 5th IMACC * IMC = IMC Information Visualization and Mobile Computing * INET = Internet Society Annual Conference * INET = The Internet: Transforming Our Society Now * INTRA-FORA = International Conference on INTRANET: Foundation, Research, and Applications * IPIC = Integration of Enterprise Information and Processes * IPSWG = Internet Privacy and Security Workshop * IRISH = Irish Workshop on Formal Methods IRISH97 * IS = Information Systems (journal) * ISADS = Symposium on Autonomous Decentralized Systems ISADS '97 * ISCC = IEEE Symposium on Computers and Communications ISCC '98 * ISCOM = International Symposium on Communications ISCOM '97 * ISTCS = Fourth Israeli Symposium on Theory of Computing and Systems * ITLIT = CSTB Workshop on Information Technology Literacy * IT-Sicherheit = Communications and Multimedia Security: Joint Working conference of IFIP TC-6 and TC-11 and Austrian Computer Society * IWES = International Workshop on Enterprise Security * JBCS = Journal of the Brazilian Computer Society * JCMS = Journal of Computer Mediated Communication * 
JCS = Journal of Computer Security * JDSE = Journal of Distributed Systems Engineering; Future Directions for Internet Technology * JSS = Journal of Systems and Software (North-Holland) Special Issue on Formal Methods Technology Transfer * JTS = Journal of Telecommunications Systems, special multimedia issue * JWWW = World Wide Web Journal Web page * KDD = The Second International Conference on Knowledge Discovery and Data Mining * MCN = ACM Int. Conf. on Mobile Computing and Networking. See MOBICOM * MCDA = Australian Workshop on Mobile Computing & Databases & Applications * MDS = Second Conference on the Mathematics of Dependable Systems * METAD = First IEEE Metadata Conference METAD * MMD = Multimedia Data Security MMD '97 * MMDMS = Wkshop on Multi-Media Database Management Systems * MOBICOM = Mobile Computing and Networking MOBICOM '97 * NCSC = National Computer Security Conference * NGITS = World Conference of the WWW, Internet, and Intranet NGITS '97 * NISS = National Information Systems Security Conference NISS '97 * NSPW = New Security Paradigms Workshop NSPW * OBJ-CSA = OMG-DARPA Workshop on Compositional Software Architectures * OOER = Fourteenth Int. Conf. 
on Object-Oriented and Entity Relationship Modelling * OSDI = Operating Systems Design and Implementation * PAKDD = First Asia-Pacific Conference on Knowledge Discovery and Data Mining * PISEE = Personal Information - Security, Engineering, and Ethics * PKC98 = Practice and Theory in Public Key Cryptography * PKS = Public Key Solutions * PTP = Workshop on Proof Transformation and Presentation * RBAC = ACM Workshop on Role-Based Access Control * RIDE = High Performance Database Management for Large Scale Applications * RTDB = First International Workshop on Real-Time Databases: Issues and Applications * SAC = Workshop on Selected Areas of Cryptography * SAFECOMP = Computer Safety, Reliability and Security * SCRAPC = Smart Card Research and Advanced Application Conference * SDSP = UK/Australian International Symposium On DSP For Communication Systems * SECURICOM = World Congress on the Security of Information Systems and Telecommunication * SFC = Society and the Future of Computing * SFTC-VI = Symposium on Fault Tolerant Computing - VI (Brazil) * SICON = IEEE Singapore International Conference on Networks SICON '98 * SIGMOD/PODS - ACM SIGMOD International Conference on Management of Data / ACM SIGACT SIGMOD-SIGART Symposium on Principles of Database Systems * SNDSS = Symp. on Network and Distributed System Security (Internet Society) * SOC = 18th Biennial Symposium on Communications, SOC18 * SOSP = ACM Symposium on Operating Systems Principles SOSP '97 * TAPOS = Theory and Applications of Object Systems, special issue Objects, Databases, and the WWW TAPOS * TAPSOFT = Theory and Practice of Software Development TAPSOFT '97 * TPHOLs = Theorem Proving in Higher Order Logics * TSMA = 5th International Conference on Telecommunication Systems - Modeling and Analysis TSMA '97 * USENIX Sec Symp = USENIX UNIX Security Symposium, 8th Annual * VLDB = International Conference on Very Large Data Bases * WDAG-9 = Ninth Int. 
Workshop on Distributed Algorithms * WebDB = International Workshop on the Web and Databases * WebNet = World Conference of the Web Society, WebNet 97 * WECS = ACM Workshop on Computer Security Education * WFMSP = Workshop on Formal Methods and Security Protocols WFMSP * WITAT = Workshop on Information Technology - Assurance and Trustworthiness * WOMOS = Workshop on Mobile Object Systems * WOBIS = Workshop on Satellite-based Information Services WOBIS '97 * WWWC = International World Wide Web Conference ________________________________________________________________________ Listing of Academic (Teaching and Research) Positions in Computer Security maintained by Cynthia Irvine ________________________________________________________________________ * Dept. of Electrical and Computer Engineering, Iowa State University, Ames, Iowa Assistant, Associate, or Full Professor in Computer Engineering (special interest in networks and security) Date closed: December 15, 1997, or until filled http://vulcan.ee.iastate.edu/~davis/job-ad.html * Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA, Visiting Professor, (9/98) http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_prof_ad.html * Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA, Computer Scientist, (9/21/97) http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_97de055.html * US Air Force Academy Department of Computer Science, Colorado Springs, CO, Professor, (7/98) http://www.usafa.af.mil/dfcs/ * Purdue University, Computer Science Department, West Lafayette, IN Assistant Professor, tenure track, also Assoc. and Full Prof., (2/98) http://www.cs.purdue.edu/facAnnounce This job listing is maintained as a service to the academic community. 
If you have an academic position in computer security and would like to have it included on the Cipher web page and e-mail issues, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

________________________________________________________________________
Data Security Letter Subscription Offer
________________________________________________________________________

A special subscription rate of $25/year for the Data Security Letter is now available to IEEE TC members. The DSL is an external, nonpartisan newsletter published by Trusted Information Systems, Inc. Eleven issues (usually 16 pages each) per year are published. The DSL welcomes reader suggestions and contributions and accepts short research abstracts (about 130 words) for publication on an ongoing basis. On occasion, the DSL will republish Cipher articles (with authors' approval), but such articles will constitute a small portion of DSL content (thus there will be very little duplication of Cipher material).

IEEE TC members wishing to take advantage of the special subscription rate should send the following to sharon@tis.com. The information can also be faxed to 301-854-5363 (attention: DSL), phoned to 301-854-5338, or mailed to Trusted Information Systems, Inc., 3060 Washington Rd., Glenwood, MD 21738 USA.

NAME:
POSTAL ADDRESS: (Please indicate company name, if a business address)
PHONE: (Please indicate if home or business)
FAX:
E-MAIL:
IEEE Membership No. (if applicable):

NOTE: If you are already a paying subscriber to the DSL, for the $25 you will receive a 2-year renewal; refunds, rebates, etc., on your current subscription are not available.

If you have any questions about the offer or anything else pertaining to the DSL, you may contact the editor, Sharon Osuna, via e-mail to sharon@tis.com or call her at 301-854-5338.
________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). The full and complete form is available on the IEEE Computer Society's Web Server at URL:

http://www.computer.org:80/tab/tcapplic.htm (print & mail form)
or
http://www.computer.org:80/tab/Tcappli1.htm (HTML form for form-enabled browsers)

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

--------- IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                First Name                Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                   State
___________________________________________________________
Country                                Postal Code
___________________________________________________________
Office Phone                           Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

Sorry! Strong response has reduced our stocks of old proceedings, and we have closed this year's conference books, so we will not be accepting any more orders for the present. You may still order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm.

Last year's Computer Security Foundation Workshop (CSFW11) took place the 10th through 12th of June in Rockport, Massachusetts USA. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each.
Copies of all earlier proceedings (except the first) are also available at $10. Checks payable to "Joshua Guttman for CSFW" may be sent to:

Joshua Guttman, MS A150
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Charles P. Pfleeger
Arca Systems, Inc.
8229 Boone Blvd, Suite 750
Vienna VA 22182-2623
(703) 734-5611 (voice)
(703) 790-0385 (fax)
c.pfleeger@computer.org

Past Chair:
Deborah Cooper
P.O. Box 17753
Arlington, VA 22216
(703) 908-9312 (voice and fax)
d.cooper@computer.org

Vice Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Newsletter Co-editors:
Paul Syverson
Code 5543
Naval Research Laboratory
Washington, DC 20375-5337
(202) 404-7931 (voice)
(202) 404-7942 (fax)
syverson@itd.nrl.navy.mil

Avi Rubin
AT&T Labs - Research
Room B282
180 Park Ave.
Florham Park NJ 07932-0971
(973) 360-8356 (voice)
(973) 360-8809 (fax)
rubin@research.att.com

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcommittee on Security
Michael Reiter
AT&T Labs - Research
Room A269
180 Park Ave
Florham Park NJ 07932-0971
(973) 360-8349 (voice)
(973) 360-8809 (fax)
reiter@research.att.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server, send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include an e-mail address for the point-of-contact. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

There is also an anonymous FTP server that contains the same files. To access the archive via anonymous FTP:
1. ftp www.itd.nrl.navy.mil
2. At prompt for ID, enter "anonymous"
3. At prompt for password, enter your actual, full e-mail address
4. Once you are logged in, change to the Cipher Directory: cd pub/cipher
5. Now you can request any of the files containing Cipher issues in ascii. Issues are named in the form: EI#N.9708 where N is the number of the issue desired and 9703 captures the year and month it appeared.
========end of Electronic Cipher Issue #26, 9 February 1998=============