Subject: Electronic CIPHER, Issue 28, July 13, 1998

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 28                                    July 13, 1998

Avi Rubin and Paul Syverson, Editors
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/

Contents: [3037 lines total]

o Letter from the TC Chair
o Letter from the Editor

Security and Privacy News Briefs:
o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
o Microsoft Plans for FIPS 140-1 Compliance
o Common Criteria Full-use Version 2.0 Completed
o Purdue CERIAS Opens
o US Government Announces Comprehensive Privacy Plan
o Controversial Intellectual Property Law Headed Towards Enactment
o SKIPJACK and KEA declassified, Biham et al. Announce Cryptanalysis
o AES Submissions All In
o DataFellows Reports On Word Macro Virus
o Industry coalition pushes for new Encryption policy

Commentary and Opinion:
Book Reviews by Bob Bruen
o Virtual Private Network. by Charles Scott, Paul Wolfe & Mike Erwin. Reviewed by Robert Bruen
o Java Security. by Gary McGraw and Edward Felten. Reviewed by Robert Bruen
o Java Security. by Scott Oaks. Reviewed by Robert Bruen
o Java Cryptography. by Jonathan Knudsen. Reviewed by Robert Bruen
o Protecting Networks with Satan. by Martin Freiss. Translated by Robert Bach. Reviewed by Robert Bruen

Conference Reports:
o IEEE Symposium on Security and Privacy (Oakland '98) by Mary Ellen Zurko
o IEEE Computer Security Foundations Workshop (CSFW11) by Levente Buttyan
o LICS98 Workshop on Formal Methods and Security Protocols by Scott Stoller

Conference announcements:
o ACM Conference on Computer and Communications Security
o ASIACRYPT'98

New reports available via FTP and WWW: several
New Interesting Links on the Web
Who's Where: recent address changes
Calls for Papers: NDSS, DCCA, ASSET, FC, PKC, S&P (Oakland), JCS, DPS
Reader's guide to recent security and privacy literature
o Conference Papers
o Journal and Newsletter articles
Calendar
List of Computer Security Academic Positions, maintained by Cynthia Irvine
Publications for Sale -- S&P and CSFW proceedings available
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the TC Chair
____________________________________________________________________

I want to use this letter to share with you some things from the recent meeting of the IEEE Computer Society Technical Activities Board (TAB), which consists of the chairs of all the technical committees. There are two points of significance.

First, the membership in our technical committee has been rising at a comfortable level. We currently have over 1900 members in the U.S. and almost 1100 outside the U.S., for a total of almost 3000 members. (Unfortunately, it is not easy to compare the membership list with our Cipher mailing list.) I think we provide good services to our members, in the form of our conferences and our newsletter (and I want to reiterate my thanks to all who are responsible for those things). The question still arises, however, of what more we could be doing for our members, and what other things the Computer Society could be doing for its members.
At the last TAB meeting we spent some time discussing services and benefits, and I will be proposing some of those through our Executive Committee. But if you know of something that we or the Computer Society could do that would be a service to our members or our profession, please let me know. Of course, you may then be asked to help bring your idea into practice, if that is appropriate.

The second issue discussed at the TAB meeting was the Computer Society periodicals, such as Computer, Software, Networks, Transactions on Software Engineering, and others. Many of these periodicals need reviewers in specialized fields, such as subfields in computer security. If you would like to volunteer as a potential reviewer for one or more of these journals, please let me know, or make direct contact with the editor in chief of the journal in which you are interested. It is hard to know when a need will arise, so editors like to have some potential reviewers on file.

It is easy to focus just on your own technical committee and your own profession, and to lose sight of some of the larger implications of being in the IEEE Computer Society. I hope these two points from the recent TAB meeting help you to appreciate our context. Please feel free to contact me if I can give you any additional information on these two matters.

Charles P. Pfleeger
Chair, IEEE Computer Society Technical Committee on Security and Privacy

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

Much has happened since the last issue of Cipher. Both of the conferences sponsored by the IEEE CS TC on Security and Privacy took place, and you will find reports on each of these below---as well as a report on the Workshop on Formal Methods and Security Protocols that followed LICS98.

Most of the news reported below is specific to the US: intellectual property legislation, the declassification of SKIPJACK, the closing of submissions for AES, the announcement of a comprehensive privacy plan, etc. This is probably in part due to where much of the Cipher-relevant news has occurred. But, it is also due in no small part to what your (US based) editors are aware of and what is sent in to them. We know from the subscription lists that there is a substantial readership outside the US. We would like to hear from our readers, both in and out of the US, about Cipher related news.

As in every issue, we'd like to thank all of the contributors who make this newsletter possible, especially all of our associate editors, who do the real work behind this "publication". Also, thanks to Carl Landwehr for continuing guidance and helpful suggestions.

Avi Rubin and Paul Syverson
Editors, Cipher

____________________________________________________________________
____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

______________________________________________________________________
LISTWATCH: items from security-related mailing lists (7/10/98)
by Mary Ellen Zurko, (mary_ellen_zurko@iris.com)
______________________________________________________________________

This issue's highlights are from cypherpunks, risks, tbtf and e$. I've taken a new job, so there's been some churn in the lists I watch. I signed up for TBTF immediately, cypherpunks as soon as I got mail agents working, and Risks as soon as I could. I also follow pkix, dcsb, and shaksper :-). As before, the list may change as my interests, work, or bandwidth varies. I'd be interested in hearing if there are other lists that people think are worth watching.

The Junger decision caused a lot of discussion on cypherpunks.
Junger is a law professor in Ohio who wants to post examples of crypto on the web for teaching purposes. He has been challenging current export laws that prohibit that, mostly on the basis of the First Amendment. The judge found that "the Export Regulations are constitutional because encryption source code is inherently functional, because the Export Regulations are not directed at source code's expressive elements, and because the Export Regulations do not reach academic discussions of software, or software in print form." In addition, source code is "all but unintelligible to most people". Discussion on cypherpunks has pointed out that the basis of software patents is similar to the judge's findings and the difficulty in defining just which speech is protected, encouraged people to get involved in the appeals process (financially, testifying as experts, attending hearings, and so on), and explored ways to point up the similarities between source code and more obviously protected forms of speech, such as making it part of a book title or using English recognition instead of C to drive a computer. There is serious discussion of producing a flood of newspaper ads on a chosen date with the infamous 3 lines of RSA in Perl.

The National Security Agency has declassified its 80-bit-length Skipjack encryption algorithm and its 1,024-bit-length key exchange algorithm, and made them publicly available (http://csrc.nist.gov/encryption/skipjack-kea.htm). The motivation is said to be enabling industry to write products that are interoperable with Fortezza. A cypherpunk reposted the almost 5 year old Skipjack review which claimed that while the algorithm was strong, its release would "jeopardize law enforcement and national security objectives." I'd love for someone to comment on why it no longer does, but I suppose that would still be protected.
Within 48 hours of the algorithms being posted, several reference implementations were available, timing tests were being done, and one group had posted an initial analysis. [Cf. newsitem on analysis below -ed.]

A researcher at Lucent found a flaw in many implementations of SSL V3 based on PKCS#1 padding checks that allows recovery of a specific session key after sending about one million carefully malformed messages to the server of interest. I really hope that attacks like this one generate an increased interest in auditing Internet based applications.

The NY Times reported that a small gang tapped public phones at airports and stole a bunch of calling-card numbers. In a success story for human auditing, "The Secret Service was tipped off by AT&T, Bell Atlantic and MCI after they received an unusually high number of complaints from customers who had recently used their calling cards in airports."

The 22-member U.S. government Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure (TACDFIPSFKMI) (who names these things???) has failed in a two-year effort to design a federal computer security system that escrows keys. The panel wrote that it "encountered some significant technical problems that, without resolution, prevent the development of a useful FIPS. ... Because the focus of this work is security, we feel that it is critically important that we produce a document that is complete, coherent, and comprehensive in addressing the many facets of this complex security technology. The attached document does not satisfy these criteria." Administration officials said that the panel had simply needed more time. See http://jya.com/gak-fails.htm for details.

A story from Wired posted on cypherpunks announced that Compaq is going to start shipping Fingerprint Identification Technology for PCs. They point out that it won't completely replace passwords for things like mobile network access (but of course don't say why). Privacy advocates are concerned that people will be pressured into using biometrics. A fake rubber finger might spoof the system, and "Toe prints [...] have not been tested". Perhaps not formally ... :-).

Walmart is in negotiations for check cashing machines that use biometric facial recognition.

A NY Times editorial said the government should stop encouraging weak crypto, and suggested that law enforcement pursue other methods, such as surreptitiously logging information before it was encrypted. Cypherpunks pointed out that keystroke logging is possible because of the poor reliability of commercial OSes (a sentiment I'd bet that most of us share) and theorized that someone was testing public reaction to this idea. One anonymous correspondent reminded folks about Intel's ability to download and run digitally signed software before control is transferred to the OS.

The BXA announced it was loosening export restrictions on certain large multinational financial institutions. They would only need a single approval for the use of crypto throughout their company (except for branch offices in terrorist states). This was of course greeted with derision on cypherpunks, as it does nothing for the general populace and it attempts to silence concerns about financial security and to pacify a major lobby.

The CIA is starting the "largest recruitment drive for new spies in its history" in order to rebuild that area and in response to over reliance on technical intelligence (satellites and listening devices). However, they also state that they need greater technical support for agent operations, so they're looking for computer expertise. One cypherpunk commented that this would be a good time to plant a mole. The CIA director is warning that Y2K problems "provides all kinds of opportunities for someone with hostile intent".
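[Editor's note on the Lucent/SSL item above. The flaw reported is Bleichenbacher's adaptive chosen-ciphertext attack on PKCS#1 v1.5: a server that reacts differently when the decrypted block does not start with the bytes 00 02 becomes an oracle for whether c^d mod N lies in the interval [2B, 3B), where B = 2^(8(k-2)) for a k-byte modulus, and repeated queries with multiplied ciphertexts narrow that interval down to the premaster secret itself. The Python below is an example written for this note, not code from the Lucent paper or from any SSL implementation. It assumes a toy 125-bit RSA key built from two fixed primes so the attack finishes in seconds rather than after a million queries, a 5-byte stand-in for the 48-byte premaster secret, and function names of its own choosing; the fixed padding seed is constructed input. It shows the leaky server, the interval-narrowing search against it, and the countermeasure SSL/TLS implementations adopted: on any padding failure substitute a random premaster secret and let the handshake fail later in a way the client cannot distinguish. -ed.]

```python
"""Bleichenbacher's PKCS#1 v1.5 padding oracle attack (CRYPTO '98) against a
toy RSA 'server', plus the countermeasure SSL/TLS implementations adopted.
Toy key (NOT secure, chosen so the run takes seconds): two fixed primes give a
125-bit modulus, so the block is K = 16 bytes and a conformant block (leading
bytes 00 02) is an integer in [2B, 3B). All names here are this note's own."""
import os
import random

P, Q = (1 << 61) - 1, (1 << 64) - 59   # Mersenne prime M61, largest prime < 2^64
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # 16
B = 1 << (8 * (K - 2))
PMS_LEN = 5                            # stand-in for TLS's 48-byte premaster secret


def rsa_encrypt(em):
    return pow(int.from_bytes(em, "big"), E, N)


def rsa_decrypt(c):
    return pow(c, D, N).to_bytes(K, "big")


def pkcs1_pad(msg, rng):
    """EME-PKCS1-v1_5: 00 || 02 || PS (>= 8 nonzero bytes) || 00 || msg."""
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    assert len(ps) >= 8, "message too long for this modulus"
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_unpad(em):
    """Strict check; the two failure modes raise different messages."""
    if em[:2] != b"\x00\x02":
        raise ValueError("block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                        # no separator, or PS shorter than 8 bytes
        raise ValueError("separator")
    return em[sep + 1:]


def leaky_oracle(c):
    """VULNERABLE: the server reports a block-type failure differently from
    every other outcome, so the client learns whether 2B <= c^d mod N < 3B."""
    try:
        pkcs1_unpad(rsa_decrypt(c))
        return True
    except ValueError as err:
        return str(err) != "block type"  # 'separator' means 00 02 was present


def hardened_decrypt(c):
    """Countermeasure (later written into RFC 2246): never signal a padding
    failure; use a random premaster secret instead, so the handshake fails
    later exactly as it would for a well-formed but wrong value."""
    try:
        pms = pkcs1_unpad(rsa_decrypt(c))
    except ValueError:
        pms = b""
    return pms if len(pms) == PMS_LEN else os.urandom(PMS_LEN)


def ceil_div(a, b):
    return -(-a // b)


def bleichenbacher(c0, oracle):
    """Recover m = c0^d mod N from the conformance oracle alone. c0 is a real
    (conformant) ciphertext, so the blinding step is skipped.
    Returns (m, number of oracle queries)."""
    queries = 0

    def conformant(s):
        nonlocal queries
        queries += 1
        return oracle(c0 * pow(s, E, N) % N)

    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)              # step 2a: smallest conformant s
    while not conformant(s):
        s += 1
    while True:
        new_M = []                       # step 3: intersect M with the new constraint
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo, hi = max(a, ceil_div(2 * B + r * N, s)), min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = []
        for a, b in sorted(new_M):       # merge overlapping intervals
            if M and a <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], b))
            else:
                M.append((a, b))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries     # step 4: an interval of width 1 is m
        if len(M) > 1:                   # step 2b: several intervals, step s linearly
            s += 1
            while not conformant(s):
                s += 1
        else:                            # step 2c: one interval, jump s by about N/b per r
            a, b = M[0]
            r, found = ceil_div(2 * (b * s - 2 * B), N), False
            while not found:
                for s in range(ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1):
                    if conformant(s):
                        found = True
                        break
                r += 1


def sample_ciphertext(secret=b"k3y!!", seed=1):
    # constructed input: a fixed secret padded with a seeded PS, so runs repeat
    return rsa_encrypt(pkcs1_pad(secret, random.Random(seed)))


def demo(secret=b"k3y!!"):
    c0 = sample_ciphertext(secret)
    m, queries = bleichenbacher(c0, leaky_oracle)
    bogus = c0 * pow(2, E, N) % N        # decrypts to 2m: leading bytes 00 04 or 00 05
    return pkcs1_unpad(m.to_bytes(K, "big")), queries, hardened_decrypt(c0), hardened_decrypt(bogus)


if __name__ == "__main__":
    rec, q, good, junk = demo()
    print(f"recovered {rec!r} with {q} oracle queries; hardened: {good!r} vs {junk!r}")
```

Run as a script it prints the recovered secret and the number of oracle queries; the count is small only because the modulus is 125 bits. The point for an auditor is that the bug is not the error message but the observable difference between the two failure paths, and hardened_decrypt removes the difference rather than hiding it. A timing difference between the "block type" and "separator" paths would leak the same bit, so in a real implementation the substitution must itself take constant time.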
A lawyer turned entrepreneur has patented a bracelet for monitoring parolees that sounds like an extension of Active Badge technology. It receives and transmits radio signals. It is aimed at determining if any are in the vicinity of a crime in progress, and cutting it off is thought to be discouraged by the suspicion it would arouse.

NY City is planning on installing cameras that would allow them to fine motorists that block busy intersections.

Metrorail [Washington D.C. area commuter rail system-ed.] is going to test smart cards, but promises not to sell any of the data they collect. They're looking at uses of these cards beyond just the Metro. They expect to get a much better picture of the traffic flow, and are guessing most people won't mind giving out their names and addresses for them (which, of course, you wouldn't need to track just traffic flow). The card is passed within three inches of the reader. "Riders can pass their entire wallet or purse over the disk." (Whoever wrote that never used a purse. How many purses have you owned where you could be sure that something in it was within 3 inches of some external point of the purse?)

A coalition of right and left organizations in New Jersey turned back the governor's proposal for a smart card drivers license that would have been required for all government programs as well as allowing a wide range of businesses and services to store information on it.

The U.S. Department of Transportation's proposed "Driver's License/SSN/National Identification Document" guidelines would compel all states to link drivers licenses and state IDs to SSNs. [On the other hand, the Michigan Jobs Commission decided to stop using SSNs entirely, after exposure on the Web. Full details at http://www.fulldisclosure.org/fdns/fd0423a.html Thanks to Glen Roberts for this pointer -ed.]

Gingrich has announced that he will work on easing encryption restrictions. Yet, he is credited with derailing recent bills in Congress that would have done just that. It's hard to know who your friends are ...

Bruce Schneier announced a monthly email newsletter on cryptography. I've signed up for it. Details are available at http://www.counterpane.com/crypto-gram.html.

Paul Kocher and his consulting firm announced they were able to crack certain smart cards based on inferences from fluctuating power consumption. [More information available at http://www.cryptography.com/dpa/ -ed] The VP of marketing for Bull Smart Cards said they had been aware of this attack for more than 4 years and were immune.

There's an OLE bug in Word 98 for Macintosh (and maybe others) that will also send some of the uncleared contents of memory when a document is emailed as an attachment.

The Post Office is worried about losing its monopoly on first class mail. In a speech, a retiring postmaster general said that "Research tells us that within the next 10 years, the infrastructure, security, and public acceptance issues that now limit electronic diversion (of communications currently sent as first class mail) will be solved."

Black Unicorn has some fun definitions related to security:

Security through Obscurity - Housekey under the doormat
Obscurity through Security - Blinded Digital Cash
Securely Obscure - Mixmaster Remailers
Obscurely Secure - Rivest's Chaffing and Winnowing / ECC
Secure the Obscure - Invasion of Grenada
Obscure the Secure - RSA's Propaganda page
Secured and then Obscured - Common White House black bag team coverup tactic
Obscured and then Secured - Hillary's billing records
Secure but not Obscure - Digicash
Obscure but not Secure - RSA's SecurPC
Neither Secure, nor Obscure - CIA budget figures
Secured - Iridium's deployment date (Last satellites up already)
Obscured - Iridium's deployment rate (uses GSM for billing)
Unsecured - Whitewater Loan
Unobscured - Whitewater Loan

____________________________________________________________________
Microsoft Plans for FIPS 140-1 Compliance
____________________________________________________________________

Federal Information Processing Standard 140-1 stipulates requirements for the cryptographic processing of sensitive but unclassified data. More details at http://csrc.nist.gov/fips/fips1401.htm

In EI #27, April 1998, we reported that FIPS 140-1 became mandatory on June 30 and that it was meeting resistance in the US DoD in part because Microsoft products are not currently compliant. The following was sent to us as an update by Patrick Arnold of Microsoft.

"Microsoft Corporation is committed to delivering a software-based cryptographic module certified by NIST as FIPS 140-1 compliant. This cryptographic module will be comprised of the Microsoft CryptoAPI and a cryptographic service provider (CSP) supporting DSS/DSA, DES, and SHA-1 at a minimum. As a result of the open CryptoAPI architecture, customers and all independent software vendors (ISVs) alike will realize benefit from Microsoft's FIPS 140-1 evaluation. ISVs who develop to the Microsoft CryptoAPI will have the option to leverage FIPS 140-1 compliant cryptography in their applications. Microsoft is scheduled to enter the validation process with one of the National Institute of Technology's (NIST) approved testing and evaluation labs within the next four months. This commitment from Microsoft clearly enables a FIPS 140-1 migration path for our customers who wish to implement commercial Microsoft Internet technologies today."

____________________________________________________________________
Common Criteria Full-use Version 2.0 Now Completed.
contributed by Gene Troy
____________________________________________________________________

"The Common Criteria Project sponsoring organizations (governments of Canada, France, Germany, Netherlands, United Kingdom, and United States) have just completed the Common Criteria for IT Security Evaluation (CC) version 2.0, and it is now ready for full use. This version supersedes the trial-use version 1.0, which was published in January 1996 primarily for the purpose of gaining field experience via application and secondarily for in-depth public review. The very large number of technical revisions and additions that were made via that process have resulted in a much improved version 2.0 document that is substantially different from the older version in numerous respects.

"The CC Project has a cooperative working relationship with ISO JTC1 SC27 in developing an International Standard IT security criteria based on the CC. The Final Committee Draft (FCD) International Standard now being balloted within ISO is identical in content to the CC version 2.0. It is anticipated that the CC will be published as International Standard 15408 by the Spring of 1999.

"CC version 2.0 is initially available for downloading in both Acrobat PDF and FrameMaker5 formats at the NIST CC website (http://csrc.nist.gov/cc). It will subsequently be made widely available from the CC Project Organizations in the various countries, in paper and CD-ROM formats, along with an HTML version.

"A revised draft of the companion document, "Guide for Production of Protection Profiles and Security Targets" (3/98), being developed by ISO is also available via the NIST website.

"For further information on the Common Criteria, see the website or contact: Gene Troy, NIST, at criteria@nist.gov."

____________________________________________________________________
Purdue CERIAS Opens
____________________________________________________________________

On May 7, 1998, Purdue University unveiled a new University Center devoted to education and research into protection of critical information resources: CERIAS. The Purdue CERIAS (pronounced "serious") is the: Center for Education and Research in Information Assurance and Security

The mission of the CERIAS is to provide innovation and leadership in technology for the protection of information and information resources, and in the development and enhancement of expertise in information assurance and security. The Center is multidisciplinary in nature and will address the problems of information protection from a variety of different perspectives.

More information on the CERIAS is available at the Center WWW site: . Other inquiries may be e-mailed to the Director, .

____________________________________________________________________
US Government Announces Comprehensive Privacy Plan
____________________________________________________________________

On May 14, the Vice President announced a comprehensive privacy action plan to give people more control over their personal information. In addition to legislative plans and the intention to hold a privacy summit, there is also a Web site that allows consumers to opt out of sharing of their personal information by companies and states. http://www.ftc.gov/privacy/index.html

White House press release at http://www.whitehouse.gov/WH/Work/051498.html

____________________________________________________________________
Controversial Intellectual Property Law Headed Towards Enactment:
Independent Security Analysis of Software to be Criminal in US?
____________________________________________________________________

Legislation to implement the World Intellectual Property Organization (WIPO) copyright treaty has already passed the US Senate and, as of this writing, is headed for passage by the House of Representatives. President Clinton has indicated that he will sign the legislation. One purpose of the treaty is to prevent people from disabling copyright protection in software and electronic media.
Current versions of the legislation are controversial because they appear to make it a criminal offense for anyone not authorized by the copyright owner to, e.g., test the security mechanisms in software to determine if they are adequate for an intended application. Bruce Schneier of Counterpane Systems noted that this legislation "is going to criminalize my profession." Gene Spafford of Purdue added that "Products such as the ISS scanner, SATAN, SAINT, and the like may no longer be legal to develop, sell or distribute (or use). Firewalls will need to be "dumbed down" and not allowed to block or proxy traffic. Anti-virus researchers may be arrested for disassembling new viruses. Penetration testing would be illegal. Security testing of products you want to purchase or deploy might be a felony."

Alternative legislation more favored by those who oppose the current bills has been proposed before the House with many cosponsors. Text of the current bills (S 2037 and HR 2281) along with their status and references to them in the Congressional Record may be found at http://thomas.loc.gov/ Also found there is the alternative bill (HR 3048). Some side-by-side comparisons of the various bills (which strongly favor the alternative) can be found at http://www.dfc.org

____________________________________________________________________
SKIPJACK and KEA declassified, Biham et al. Announce Cryptanalysis
____________________________________________________________________

As noted above under LISTWATCH, the SKIPJACK algorithm of Clipper fame, along with the associated Key Exchange Algorithm (KEA), was recently declassified. Within a week a group of researchers at the Technion (Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson) together with Adi Shamir of the Weizmann Institute announced some cryptanalytic results. "The main result is an attack on a variant, which we call SkipJack-3XOR (SkipJack minus 3 XORs). The only difference between SkipJack and SkipJack-3XOR is the removal of 3 out of the 320 XOR operations. The attack uses the ciphertexts derived from about 500 plaintexts which are identical except for the second 16 bit word. Its total running time is equivalent to about one million SkipJack encryptions, which can be carried out in seconds on a personal computer." Note that the result is on a reduced variant; no attack on the full cipher was claimed. More details can be found at http://www.cs.technion.ac.il/~biham/Reports/SkipJack/.

____________________________________________________________________
AES Submissions All In
____________________________________________________________________

The submission period for the AES (Advanced Encryption Standard) closed on June 19th. AES is intended as the successor to DES. Candidate algorithms that meet the official criteria for submission have not been announced. However, ten candidates are listed on the AES Web page www.ii.uib.no/~larsr/aes.html hosted by Lars Knudsen and Vincent Rijmen, along with pointers to public cryptanalytic results. The list of submitters contains many of the most prominent names in block cipher design. The official AES Web page at NIST www.nist.gov/aes lists additional information including registration information about the first AES Candidate Conference to be held this August.

____________________________________________________________________
DataFellows Reports On Word Macro Virus
____________________________________________________________________

6/18/98 - Datafellows reported a Word macro virus (WM/PolyPoster) that may, if it takes hold on a machine, post infected versions of documents it finds there to certain heavily-used newsgroups. PolyPoster is probably not in the wild at present, and would require particular combinations of software to deliver its payload. Nevertheless, it is in line with a recent trend towards malicious software attempting to trawl for information (documents, IP numbers, passwords) rather than just replicating and damaging data. For more information see http://www.DataFellows.com/news/pr/eng/fsav/19980618.htm

____________________________________________________________________
Industry coalition pushes for new Encryption policy
____________________________________________________________________

The Washington Post reports (7/12/98) that a new industry coalition consisting of such companies as Sun Microsystems Inc., Novell Inc., Hewlett-Packard Co. and Network Associates plans to unveil a plan it hopes will persuade the U.S. government to dramatically loosen export restrictions on sophisticated data-scrambling technology. Government officials say they are cautiously optimistic that the coalition's approach, dubbed the "private doorbell," will win their approval. The full Washington Post story can be found at http://www.washingtonpost.com/wp-srv/WPlate/1998-07/12/194l-071298-idx.html A plain ascii reproduction of the story can also be found at http://www.jya.com/giant-ploy.htm

Cisco Systems Inc., which according to the Post article heads the industry coalition, has a white paper on the approach that can be found at http://www.cisco.com/warp/public/146/july98/2.html

____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
Virtual Private Network
by Charles Scott, Paul Wolfe & Mike Erwin.
O'Reilly & Associates, Inc. 1998. 177 pages. Index. Two Appendices. $29.95.
ISBN 1-56592-319-7

Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

Virtual Private Networks (VPN) have been around for a fairly short time and are still not widely deployed. They offer organizations a secure method for members to connect from any point on the internet to the home base but have it appear they are all on the local net.
It is unlike connecting to your ISP then connecting to a home base machine where you are a peer at the ISP. With a VPN you still connect through your ISP (or whatever) but you are a peer on what appears to be your local net. This approach obviously has many advantages, especially in security, for people who travel and must have access to home base information and other resources.

As with most useful ideas there are difficulties in implementation that must be overcome first. For starters, the ISP you use needs to accommodate you by setting things up, which may or may not be a problem depending on the ISP. Someone who travels nationally may find a wide range of experiences when it comes to ease of use at various ISPs. Probably the biggest headache will be at the home base where the VPN will need to be administered, not unlike the usual experience we all have where management thinks that this is a good idea, but the resources will not be provided. The current staff will just add it on in spite of the fact it does require expertise and time to install and maintain.

This book goes through the steps necessary to get a VPN up and running with examples that come from having actually done it. It is intended to be a practical book, which may explain why it is a short book, and perhaps why it is an NT-centric book. There are a couple of chapters on what a VPN is, why you want one and a cost model (something technofolks often ignore). Three products are explained: Point-to-Point Tunneling Protocol (PPTP), AltaVista Tunnel and the Cisco PIX Firewall, although these are not the only products in the marketplace. PPTP is an obvious choice because it is available with NT. There are a total of ten chapters with lots of diagrams, including one on managing and maintaining a VPN.

I think the price is a little higher than it should be and I am still looking for a comprehensive book on VPN, but if you want a light introduction to VPN this is a helpful book. It is a quick read, especially if you know something about networks and security. There is more information available on the net including an IETF draft and some good articles from the press and vendor pages like Cisco.

____________________________________________________________________
Java Security
by Gary McGraw and Edward Felten.
John Wiley & Sons 1997. 192 pages. $19.95. Index, bibliography and two appendices.
ISBN 0-471-17842-X. LoC QA76.73J38M354

Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

Java and Java security should be at the top of the list for those who run web sites or just surf the net. The only choices seem to be shutting off Java or running the risk of the hacker's idea of a joke that will cause you difficulties. The authors of this book were among the early discoverers of security problems with Java even as Java was being proclaimed to be secure. They have set up a program to continue to investigate Java security. This book has had some well known security and Java folks give it praise, but I am less enthusiastic about the book.

On the upside the book was prepared in 1996 making it an early entry. It also does explain enough for the reader to understand the security holes without it being a complete recipe for exploiting the weaknesses. The information presented is something that anyone who cares about Java should read and it is not expensive. My complaint is that the book is short with lots of white space and too many repeats of phrases. It seems to be a few good papers stretched into a small book. There are only six chapters, a FAQ and reproductions of a few CERT advisories. It is not an in-depth look at Java security. I am sure that the authors have much more to give than appears here. The book is still worth reading because the information is useful, it is well written, just understand it is limited in scope.
Since the information is about two years old it is somewhat dated. All of the problems mentioned have been, or should have been, fixed, for example at the time of the research Netscape was only at around 2.0. The embedded Java has been improved. The biggest problems with Java are not the bugs in the code, but rather the design problems. The book describes the security architecture problems with reasonable suggestions for improvement. There is much to be done with respect to formal verification and there is much underway. Until some of the work on the security and cryptography aspects of Java is completed and matured, electronic commerce will not advance as it should. Java is necessary for it, but Java that provides confidence. I am glad these guys are helping out. ____________________________________________________________________ Java Security by Scott Oaks. O'Reilly & Associates 1998. 456 pages. Index, four appendices. $32.95. ISBN 1-56592-403-7. Reviewed by Robert Bruen, Cipher Book Review Editor ____________________________________________________________________ Java was intended to be a secure environment from the beginning, but as we all know, there is no perfect security. Several Java related security holes were made public fairly early on. Along with the general evolution of the Java environment, its security model has continued to mature with many significant changes. Scott Oaks has tried to capture the state of affairs at Java version 1.2, which at this point is not as widely available as I would like. The initial chapters lay out the philosophical basis for Java security providing definitions that may not be what you expect. Given the way security seems to work, one must have a clear context which contains the goals for that particular security model. If the goals are met through the methods employed, then the model can be called secure. This is not the same as saying that the model is secure compared to any other idea of security. 
Since I consider it important to have such a context provided, it was a good sign that this book does so. It helps to alleviate criticism that comes from unrelated sectors that are based on different assumptions. There are thirteen chapters; the first three cover Application Security, Language Security and Class Loaders, all of which are helpful in understanding Java itself in addition to the security aspects. Chapters four, five and six introduce the Security Manager and the Access Controller and the implementation of security policies. Chapters seven through twelve show how to implement cryptography, message digests, keys and certificates, and digital signatures, the underlying reasons for having a security model. The architecture of the Security Provider is explained in chapter eight. The last chapter on encryption is worth reading as a precursor to Jonathan Knudsen's new book Java Cryptography. Java security is complex and it is changing. Version 1.2 has added some features such as encryption along with changes in the way one handles security policy. Version 1.1 had already added authentication as a change to version 1.0. Of course we can expect more changes in the future. While this is not surprising for software, it does mean that one must pay continuing attention as it all progresses. For example, the implementation of the security manager in an application will have serious downstream implications if it was not done with careful thought. Proper implementation by application programmers will take a bit of effort, but the author has provided an excellent resource. The language has many built in features, but not everything is included. However, there are hooks available, for example, if you want to use your own encryption algorithms. Oaks provides a good explanation on how to do this as well as many other things. The book has a nice flow from the top level concepts down to the actual code as you progress through the book. 
I never felt surprised by the introduction of a new idea where I had to try to figure out what its relationship was to the previous train of thought. It is not overly long and verbose, but it is not a brief introduction to the topic either. There are lots of examples of code throughout the book that are not just filling up space. Although this book is Java specific, it is worth reading for the purpose of understanding the design and implementation of a security model in a language environment. I can cheerily recommend this book as necessary for anyone who develops Java applications or wants to increase their knowledge of Java security. ____________________________________________________________________ Java Cryptography by Jonathan Knudsen. O'Reilly & Associates 1998. 344 pages. Index, five appendices. $29.95. ISBN 1-56592-402-9. Reviewed by Robert Bruen, Cipher Book Review Editor ____________________________________________________________________ Aimed at Java programmers, Java Cryptography is not a book on cryptography, but instead about how to use cryptography in Java 1.2. There is an introductory chapter on crypto, but it is intended only as a backdrop to the real focus of the book. If you are new to Java, it will be work for you to get the fullest benefit from the book, but if you can write Java code and know something about encryption, keys and authentication, you should get a lot out of reading it. It is a hands-on-while-reading book. The first example of code appears on page 6, a simple program that creates a message digest for the contents of a given file using MD5. I dutifully typed it in and ran it with no problem. It is accompanied by a clear, step by step explanation of how it works. The subsequent examples require JDK 1.2 which requires a Sun or Wintel at the present time. (I am waiting on the Linux version.) These examples are as well written as the first with the same clear explanations for what is going on in the code. 
The first four chapters are mainly background material for concepts, architecture and random numbers, all very useful. Chapter five is a solid one that covers key management in detail. Java has classes for key generation, translation and agreements (like Diffie-Hellman). You can specify your choice of algorithms easily when invoking a method. Knudsen provides an in depth look at writing code to use the Simple Key Management for Internet Protocols (SKIP) for both the client and server side. He addresses the change from 1.1 to 1.2 in the approach to key management which started as a javakey command-line utility and ended up as a keystore which uses a command line interface called keytool. This represents a noticeable change for developers, but this chapter should help. The topic of chapter six is authentication: message digests, digital signatures and certificates, again with good explanations and example code. Chapter seven covers encryption through a close look at the javax.crypto class using cipher block chaining and cipher feedback modes for code examples. Java applets that are signed are supposed to be a way to permit code to run outside of the sandbox, beyond the normal controls placed on Java code. It is the contentious DMZ where security requirements meet user desires for utility and convenience. In order to spice up web pages some security concerns must be ignored. By cryptographically signing applets the level of trust by the user is raised for an unknown applet running on some remote web site. The specifics of how HotJava, Netscape and Internet Explorer implement signed applets are discussed in chapter eight, and yes, they are all slightly different. The same applet is used for each for comparison. Extending Java by writing your own cryptographic provider is explained in chapter nine using ElGamal. If you were not sure how ElGamal works, this is a good way to find out. The author provides a set of classes to support signatures and ciphers using ElGamal. 
Chapters ten and eleven are in depth examples of applications: SafeTalk and CipherMail. Chapter twelve wraps up the book discussing application design and security. The appendices are all full of useful information on Javakey, jar files, and a summary of the crypto classes. I found Java Cryptography easy to read because of the author's style, informative, and a great place to start working with cryptography and Java. It delivers on its promise, making it a recommended book, something you should have if you want to develop code in this area. ____________________________________________________________________ Protecting Networks with Satan by Martin Freiss. Translated by Robert Bach. O'Reilly & Associates 1998 (English edition, first edition 1997) 112 pages. Index, one appendix. $19.95. ISBN 1-56592-425-8. Reviewed by Robert Bruen, Cipher Book Review Editor ____________________________________________________________________ When SATAN was first released about four years ago, it caused quite a stir in the press and in the field. The quick discovery of a security hole with its subsequent fix also got a lot of attention. The nonsense has mercifully subsided, but SATAN still remains a helpful tool. Although it is naturally limited in what it can do, it does some necessary things, making it a standard tool for systems and network managers. I have heard it said that SATAN is obsolete because another package is on its way, but I have not yet seen such a package, so this book is still quite relevant. This book is a translation from the German edition published last year, bringing non-German readers up to par. Since SATAN has been freely available for some time this book is a little late in getting out. It would have been helpful if it had been published soon after the software was released. It is still helpful, however, especially for the overworked sysadmin who has yet to really get a handle on security. 
Freiss not only explains SATAN, but covers the rationale behind each test it performs, thereby extending the reader's knowledge of security. Protecting Networks is a practical how-to book, so I followed the directions to acquire, install and run SATAN according to the book. I was happy to discover that they were clear and accurate. To be fair, I had done this when SATAN first became available. This time I used a 4.2 Redhat Linux which is not straightforward, as warned by the author. As expected it would not compile, but it was easy to find the five pieces of code with the same, unnecessary, automatically generated line, delete the lines, then compile. It ran fine. Trying it next on 5.1, I encountered a different problem, but it was easily identified and fixed. The generous folks at CEBAF have made a set of include files for Linux that handle the vast majority of the Linux idiosyncrasies. The architecture of SATAN is well presented along with the things SATAN does and does not do. There is a chapter on how to extend SATAN to the things you wish it had done in the first place. For those who worry about being attacked by SATAN, there is a chapter describing how to recognize an attack, as well as how to get the software (Gabriel and Courtney) to help you. I found this book a quick, easy, useful read. It works well as a general introduction to system security through its explanations of why, for example, NIS and NFS have security problems. I cannot comment on the German edition, but the product of the translation by Robert Bach is a good one. It's recommended for getting the most out of SATAN and for folks who need more reading in systems security, especially for the price. 
______________________________________________________________________ CONFERENCE REPORTS ______________________________________________________________________ ______________________________________________________________________ 1998 IEEE Symposium on Security and Privacy May 4-6, 1998, Oakland, California by Mary Ellen Zurko. ______________________________________________________________________ The 19th IEEE Symposium on Security and Privacy was held in Oakland, CA, May 4 - 6, 1998. Mike Reiter was general chair. There were 116 papers submitted, with 20 accepted. Based on mailing address, papers were submitted from 18 countries, and accepted from 5. The program committee covered 4 countries. My apologies in advance for not knowing the names of some attendees who I quote below. The first session was Access Control, chaired by Cynthia Irvine. The first paper was "Access Control in an Open, Distributed Environment" by Jean Bacon (Cambridge University), Richard Hayton (APM Ltd.), and Ken Moody (Cambridge University). Richard presented. Their work emphasized transfer of privilege with formal rules of delegation and revocation, and an architecture to support them. Their Role Definition Language describes preconditions of role entry. Revocation may be predicated on a number of conditions (delegator wishes, delegator is revoked, preconditions fail, or side conditions such as group membership change). Their architecture equates certificates with role entries. Services manage policy related to service objects and roles, and issue certificates to clients. Certificates are specific to a client. Services build their proof of role entry when they issue certificates, based on other certificates, preconditions, and so on. The proof tree is collapsed on revocation. This architecture makes revocation fast. Graphs can span services. When a communication failure occurs, the records are marked unknown and the state is propagated to the children in the graph. 
Maintaining the state allows for fast recovery when communications are restored. Communication is checked by a heart beat that pushes updates down links from one service to another. Stuart Stubblebine suggested a separate freshness policy in addition to the heart beat. Another questioner was concerned about the scalability of this architecture, particularly in settings such as academia which have predictable peak demand times (beginning of term). The second paper was "Ensuring Continuity During Dynamic Security Policy Reconfiguration in DTE" by Timothy Fraser and Lee Badger (TIS Labs at NAI). Timothy presented. Their work considered how to safely reconfigure policy. Their problem was that when modules with new policy information were added to their system, they were composing policies, and were not assured of retaining some essential aspects of the original policy. They called that "policy conflict", and decided to address the problem where a new policy causes information to flow in the "wrong" direction. Their policies are broken down into a set of ORed rules. They used their Domain and Type Enforcement work as a basis. For each policy module they generated two sets of graphs; one for information flows, and one for controls. These graphs were logically ORed together, then the transitive closure was taken. Any new flows signaled a conflict. There are restrictions to this approach. It can't model non-tranquil policies such as the Chinese Wall policy, and it can't represent policies based on interference. It's also non-commutative; it matters who gets there first. The third paper was "Composing Partially-Specified Systems" by Heather M. Hinton (Ryerson Polytechnic University). At some level, composition requires a complete representation of the system, including all environmental possibilities. This level of completeness is impossible. Thus, implicit assumptions always arise. Her research aims to make implicit assumptions explicit. 
It involves identifying assumptions (vulnerabilities) and using safe constraints to explicitly represent the good behavior. She builds on the Abadi-Lamport composition principle from `90. When composing, you start with a "total environment" where anything is possible. Then, you disallow certain undesirable environment behavior to get a "partial environment". You then continually refine the environment criteria for the partial environment. Ideally, constraints are physically enforced (such as network topology). If not, you must evaluate the reasonableness of the desired behavior. It was clear that this activity requires some thoughtful consideration. Heather's advice was "You should be using intelligent people and you should be taking advantage of them." The second session was Java Security, chaired by Martin Abadi. The first paper of that session was "Secure Execution of Java Applets using a Remote Playground" by Dahlia Malkhi, Michael Reiter, and Aviel Rubin (AT&T Labs - Research). Michael presented. Their approach attempts to retain the benefits of mobile code while minimizing the threat of mobile code's doing damage while accessing local resources. They have implemented a sacrificial machine, called the playground, to help protect organizations from misbehaving Java 1.1 applets. Mobile code is rerouted to the playground. Only I/O is ported to the user's browser. The playground is a second level of defense beyond existing measures (sandbox, server, author, attributes of actual code). A proxy parses returned pages and identifies references to mobile code via applet tags. It changes those applet tags to point to a trusted applet on the user's machine (a graphics server applet). In addition, the proxy modifies all I/O code of the original applet, and ships it to the playground. The playground runs it; I/O is sent to the browser. The playground runs each page's applets in a separate JVM, running under an account with tight restrictions to leverage OS protections. 
Unfortunately, changing tags is not enough. JavaScript can cause classes to be requested and can dynamically emit such tags in response to user events. You can either rely on the proxy to keep these from being loaded (which requires a pretty sophisticated proxy) or directly disable network class loading in the browser. There may be performance issues for some applets, since they are not running locally. Scalability is limited; replication and load balancing may help. It is also less effective for hostile window opening applets. Digitivity has independently marketed a very similar system. One questioner pointed out that users are not notified when a bomb gets sent to the playground. The next paper was "Understanding Java Stack Inspection" by Dan S. Wallach and Edward W. Felten (Princeton University). Dan presented. Java stack inspection is concerned with attempting to draw a box around the unrestricted features allowed to untrusted applets, thereby defining "safe" violations of the general policy. Pointers are added to the stack frames to enable privileges. When a privilege is required, you search down the stack frame looking for it. Their work formalized this somewhat ad hoc technique, with an eye to fast implementation. They use BAN logic. The decision procedure proves that the operation is OK in an automated fashion. It has not proved completeness. For some cases, the proof would say X is denied when it's allowed. It is safe and sound, however. They have a finite state system that can examine the current state instead of stack walking and can pass these states as arguments to the functions. This roughly doubles the overhead of a null method call. However, a very smart compiler might specialize the code and get rid of arguments when they're not used. They extend their work to RPC. Authenticated pipes don't work well for mobile code, since you want to use the applet identity, not the host identity. 
Their work models the channel as "channel says" from the host, communicating the applet's identity. The security-passing style works with RPCs by taking the intersection of privileges of the host and applet. The Cryptography I Session was chaired by Mike Reiter. The first paper in the session was "Efficient Key Distribution for Slow Computing Devices: Achieving Fast Over the Air Activation for Wireless Systems" by Yair Frankel (CertCo), Chris Carroll and Yiannis Tsiounis (GTE Laboratories). Chris presented. This paper discusses the concerns involved in achieving performance and security in cellular phones. There is a recognition that the process was closed in the past, and that it wasn't using the available scientific research. This paper is part of the process opening up. In the past, keys had to be manually entered into secure mobile phones (all 40 million). A third party potentially knows these secret keys. They want to transition to Over The Air Service Provisioning - the cryptography is there when you walk out of Kmart. In addition, Diffie Hellman (DH) is slow on these 8 bit microprocessors (6 minutes per key exchange, with no authentication). They can get it down to 4 minutes on a 16 bit microprocessor. They want to use certification of service providers (SPs). A CA's public key is given to mobile units at manufacturing time. Then, the SP sends a certificate. The Mobile Unit verifies a Rabin signature on the certificate and sends a Rabin encrypted session key. The SP decrypts the session key and sends an authentication key encrypted with the session key. This protocol is 160 times faster than DH, and is authenticated. Each manufacturer will implement a proprietary number generator, though they suggest using some pre-loaded randomness and some digits from the user. The major manufacturers are aggressively upgrading to this new protocol but the installed base is still at 75% of the old model. They're not sure how long this scheme will last, but they have plans to evolve. 
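The activation exchange summarized above, as an added example that is not the paper's or any vendor's code: a toy Python model of the certificate-verify, session-key-encrypt, session-key-decrypt, authentication-key-wrap flow built on Rabin signatures and Rabin encryption. It shows why Rabin suits a slow handset: both handset operations (verifying the certificate, encrypting the session key) are a single modular squaring, while the costly square-root extraction happens only on the service provider's side. The Mersenne-prime keys, the "OTASP" redundancy tag and the SHA-256/XOR wrapping of the authentication key are constructed stand-ins, not the paper's choices.

```python
"""Toy Rabin-based Over The Air activation model (constructed example)."""
import hashlib
import os

# Constructed toy parameters: Mersenne primes, each = 3 (mod 4), which is what
# turns a modular square root into a single exponentiation.  Real deployments use
# random primes of proper size; primes of special form are for illustration only.
def _keypair(p, q):
    return {"n": p * q, "p": p, "q": q}

CA_KEY = _keypair(2**127 - 1, 2**61 - 1)   # certifies service providers
SP_KEY = _keypair(2**107 - 1, 2**89 - 1)   # one service provider's key, n ~ 2^196
TAG = b"OTASP"  # constructed redundancy so the decryptor can pick the right root

def _is_qr(a, p):
    """Euler's criterion: is a a quadratic residue mod the prime p?"""
    return pow(a, (p - 1) // 2, p) == 1

def _rabin_roots(c, key):
    """All four square roots of c mod n = p*q (the private, costly operation).
    With p, q = 3 (mod 4), c^((p+1)/4) is a root mod p; combine by CRT."""
    p, q, n = key["p"], key["q"], key["n"]
    rp, rq = pow(c % p, (p + 1) // 4, p), pow(c % q, (q + 1) // 4, q)
    yp, yq = pow(p, -1, q), pow(q, -1, p)
    return {(sp * q * yq + sq * p * yp) % n
            for sp in (rp, p - rp) for sq in (rq, q - rq)}

def _hash_to_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rabin_sign(msg, key):
    """Sign as a square root of H(msg || counter); bump the counter until the
    hash is a residue mod both primes (about one try in four succeeds)."""
    counter = 0
    while True:
        h = _hash_to_int(msg + counter.to_bytes(4, "big"), key["n"])
        if h and _is_qr(h, key["p"]) and _is_qr(h, key["q"]):
            return min(_rabin_roots(h, key)), counter
        counter += 1

def rabin_verify(msg, sig, n):
    """Verification is one modular squaring: the cheap step done on the handset."""
    s, counter = sig
    return pow(s, 2, n) == _hash_to_int(msg + counter.to_bytes(4, "big"), n)

def rabin_encrypt_key(session_key, n):
    """Encryption is also one squaring; the TAG gives the decryptor redundancy."""
    m = int.from_bytes(session_key + TAG, "big")
    assert m < n, "plaintext must be smaller than the modulus"
    return pow(m, 2, n)

def rabin_decrypt_key(c, key, key_len=16):
    """Recover the session key: of the four roots, exactly one carries the TAG."""
    width = key_len + len(TAG)
    for r in _rabin_roots(c, key):
        if r.bit_length() <= 8 * width:
            m = r.to_bytes(width, "big")
            if m.endswith(TAG):
                return m[:key_len]
    raise ValueError("no root carries the redundancy tag")

def make_sp_certificate(sp_id, sp_n, ca_key):
    """CA-signed binding of a service provider identifier to its Rabin modulus."""
    body = sp_id + b"|" + sp_n.to_bytes(32, "big")
    return body, rabin_sign(body, ca_key)

def handset_activation(cert, ca_n, rng=os.urandom):
    """Mobile unit: verify the SP certificate against the pre-loaded CA key, then
    choose a session key and Rabin-encrypt it to the SP (two squarings total)."""
    body, sig = cert
    if not rabin_verify(body, sig, ca_n):
        raise ValueError("service provider certificate rejected")
    sp_n = int.from_bytes(body.split(b"|", 1)[1], "big")
    session_key = rng(16)
    return session_key, rabin_encrypt_key(session_key, sp_n)

def _wrap(key, data):
    """Toy stand-in for 'encrypt with the session key': XOR with a SHA-256 stream."""
    stream = hashlib.sha256(b"A-key" + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def sp_provision(ciphertext, sp_key, auth_key):
    """Service provider: extract square roots (done on fast hardware) to recover
    the session key, then send the long-term authentication key under it."""
    return _wrap(rabin_decrypt_key(ciphertext, sp_key), auth_key)

def run_activation(auth_key=b"A" * 16):  # constructed authentication key
    """Full exchange; returns the authentication key as seen by the handset."""
    cert = make_sp_certificate(b"SP-1", SP_KEY["n"], CA_KEY)
    session_key, c = handset_activation(cert, CA_KEY["n"])
    return _wrap(session_key, sp_provision(c, SP_KEY, auth_key))

if __name__ == "__main__":
    print(run_activation().hex())
```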
The next paper was "Efficient and Practical Fair Exchange Protocols with Off-Line TTP" by Feng Bao, Robert Deng (National University of Singapore), and Wenbo Mao (HP Laboratories, Bristol). Wenbo presented. Bao should have presented, but he doesn't have a visa to the USA. Two remote, mutually distrustful opponents are engaging in a "practically fair" protocol if neither can have a clear advantage over the other. Wenbo reviewed some previous work on other types of fair exchange protocols. Bit by bit exchange of identical length messages assumes the same computing capacity for both parties and has a high communication complexity. There are probabilistic and online Trusted Third Party (TTP) models. Their proposed model is a verifiable escrow signature with an off-line TTP. It uses a Certificate of Encrypted Message Being a Signature (CEMBS). It is made universally verifiable with the TTP's public key, Alice's public key and some hashed values. In the protocol, if Bob receives a valid CEMBS, he releases his own signature to Alice, then vice versa. If Bob stops, he has no useful information. If Alice stops, Bob can go to the TTP. This is an improvement in communications efficiency compared to the previous computational and probabilistic models. Use of an off-line TTP lowers the TTP workload to resolving disputes. One party may have to do slightly more by contacting the TTP if abnormal termination occurs. The next paper was "Asynchronous Protocols for Optimistic Fair Exchange" by N. Asokan, V. Shoup, and M. Waidner (IBM Research, Zurich). N. Asokan presented. This work approaches fairness as a security service that guarantees that participants in electronic commerce are not at a disadvantage if they follow the rules. They are also worried that TTPs in the middle of protocols can become a bottleneck. They assume that the communications channels are not reliable, but that the channel to the TTP is resilient (messages arrive in some finite time). 
Their requirements are effectiveness (things work if everyone plays), fairness, timely completion (either player can complete the protocol fairly without cooperation) and verifiability of TTP. The optimistic approach optimizes for players being honest, as the most common case. It meets the requirements, though timeliness is not guaranteed. The protocol determines the format of the contract, which is considered invasive. And the TTP is not invisible. In the general case, only weak fairness is achieved, which is useful only if a subsequent all-party dispute is possible. For generatable or revocable items, strong fairness is possible. Techniques to add generatability to a large class of items exist. In this case, they use verifiable encryption (while only one party can open the box, anyone can see the contents). In their work, they can use any kind of encryption. A questioner was concerned about the tradeoffs between privacy and verifiability. What's in the box matches some public description. Another asked about state maintenance for the TTP, which must be maintained as long as you want to use it (forever, or define a timeout). A panel, "Trust Considerations in PKI Systems", closed the first day. It was moderated by Dale Johnson (MITRE). Panelists were Santosh Chokhani (CygnaCom Solutions), Bob Blakley (IBM), Mack Hicks (Bank of America), and Warwick Ford (VeriSign). Santosh discussed the parties involved in e-commerce and the scope of policies needed. The certificate policy needs to cover the signing CA, the authenticating RA, the subscriber and the relying party, assurance that anyone exposed to the private key is protecting it and that their systems are capable of that protection. He recommended PKIX as covering these issues. He recommended tying namespaces to CAs to contain potential rogue CA. He saw the next big area of interest was how to map policies between CAs; what does 90% the same mean? 
Mack gave the banking perspective (We're a big bank and we're going to be a bigger bank through mergers). He called SET an over-engineered solution for taking care of not that much risk. Lotus Notes has the largest installation in most banking infrastructures. The trust structure is not well understood by users; they have to carry around a diskette for some reason. SSL with 40 bits is a good start. They don't care for impenetrable, just enormously annoying. However, SSL is still not understood by a wide variety of customers. They have to put up their own icon that says it's secure, and the customers still don't understand what it means. They believe the X.500 promise, but they're still waiting. They are only interested in authenticated requests (user id and password or signed request). They are used to referring to their customers by account number only; that to them is "warm and comfy". They want to try out buying experiences with no value. This keeps them from getting lost in liability and risk. "You'd be surprised how long it takes to do something worthless." You don't want to have to ask someone else's bank for information; they won't tell. Banks have been agents of trust since the middle ages and before. CRLs are of limited use at the root level; look what happened to the book for looking up credit cards. The conclusion is that conclusions are yet to be reached. SET is a beautiful design but impossible to explain to anybody, let alone implement. Experimentation is necessary now. Bob tackled the issue of names and identity. Certificates bind an identifier to a public key. The hard problems arise from a fundamental error: trying to shift the responsibility for identity management from people to the technical infrastructure. Names are not identities, they're identifiers. While Jekyll and Hyde were the same identity, your experience depended on where you sampled. Names can change, or even be used in parallel. Two names can be found to lead to the same person. 
We can throw the name away and start from scratch, but they don't do that in the real world. In the real world, we annotate (Jill Jones nee Bailey). He suggested we use annotation instead of revocation. Identity is something that is managed by each of the users that comes in contact with one of these things, based on their own interactions. People don't want to keep track of all that without assistance. Keys tie sequences of actions to a name. Issues include identity theft and playing identity games. We know how to analyze complicated games from Axelrod's "Evolution of Cooperation". Warwick addressed a number of technical issues. His number one issue is scalability. There is a need for community standards, along with commitment and enforceability. He does not believe incremental community building (the bottom-up approach) will scale. He is not sure if cross certification between organizations can scale. He believes we need to build a large community first, with a set of rules or standards, and ensure that every participant is signed up to those rules, with safeguards to ensure that everyone follows those rules. Hierarchies are the simplest to implement. We need to break away from the notion that it's a power hierarchy. There are problems with CRLs such as timeliness and size. He recommends CRL distribution points where each CRL can cover a subset of the population. The certificate points to which CRL applies. This pointer can be changed in different environments, which is a feature. The question and answer session touched on e-commerce as a driver for large scale PKIs, the difficulty of training users about security in general and certificates in particular, and how humans cope with name collision problems. Mack pointed out that consumers in general make very bad security decisions. Bob suggested that their decisions are not very bad, since most are still alive and spending money. Mike Reiter asked about liability. The certificate policy covers some. 
The CA has to take some responsibility for its actions. It's such a new business, everyone is cautious. There is no history of case law. Mack pointed out that letters of credit flow around the world now. If someone signs one they shouldn't, a bank will be taking a hit. In a PKI, no liability means no value. Someone asked what you do when someone dies while holding a valid certificate. Bob suggested you annotate it with the fact of death. It may mean no more signatures should be forthcoming (except for elections in Chicago :-). The first session on Tuesday was on Architectures and chaired by Stuart Stubblebine. Stuart suggested it should be called the architecture vulnerabilities session. The first paper was "An Automated Approach for Identifying Potential Vulnerabilities in Software" by Anup K. Ghosh, Tom O'Connor, and Gary McGraw (Reliable Software Technologies). Anup presented. They instrument programs with a fault perturbation engine and security policy assertions to discover potential vulnerabilities. This requires some knowledge of the types of vulnerabilities in the past. They try it all over the code, not just in obviously security critical code. This enables dynamic analysis and exercises the code. They corrupt program states to simulate flaws and introduce anomalous behavior. They work with both simple perturbations (strings) and complex ones (buffer overflow, composable classes). Fault injection can be used for identifying potential security critical coding errors and developing coding techniques to minimize them. It only detects the potential for security critical errors, not security holes. They tested their technique with applications such as Web servers. One questioner asked how the security point of view changes this method from the safety-critical arena. Anup stated that they find new classes of faults. The next paper was "Detecting Disruptive Routers: A Distributed Network Monitoring Approach" by Kirk A. 
Bradley, Steven Cheung, Biswanath Mukherjee, Ronald A. Olsson, Nick Puketza (University of California at Davis). Nick presented. In this work, every router watches over its neighbors, trying to detect routers that drop or misroute packets. They need to know the router graph to find misbehaving routers. Generally, they count data bytes incoming and outgoing. The WATCHERS protocol exchanges data with all the other routers and they then analyze the data. Routers ask themselves, for each incoming packet, does it make sense that the neighbor sent it to me? If not, they increment the misroute counter for that router. Each router periodically sends all of its counter values to every other router. There is a potential for network congestion; a flooding protocol is used for other router maintenance tasks. Good routers virtually disconnect bad routers. The requirements for this protocol to work are that each router must have one good neighbor, each pair of routers must be connected by one good path, and good routers must be in the majority. Routers may legitimately drop packets, so they allow small differences in flow. There is a potential for false positives or detection failures. Much of the computation could be moved off line to enhance performance. One questioner asked about impersonation. There has to be some authentication. Another noted that an arbitrary attacker can force a link to be dropped by forcing it to expire the packet with a short time to live. The next paper was "Timing Attacks Against Trusted Path" by Jonathan T. Trostle (Cisco Systems). He used two timing attacks. His first used timing signatures to determine the length of a password and which characters are upper or lower case. His second attack used information on the key map to get the relationship between characters. 
He posits that you need at least two out of three of the following countermeasures for these attacks: a good password policy, a modified trusted path implementation, and protocols resistant to off line attacks. He looked at trojan horse attacks that can leak bits from a user password enabling a brute force attack. User keystrokes have timing signatures. The length of the password is immediately apparent. Upper case characters have a distinct interrupt pattern, so you can get one bit per character. This attack reduced a 10 character password to about 55 bits and an 8 character password to about 44 bits. The second attack looked at how timings were affected by whether the key map is in the memory cache or not (using an X11 server). He typed "rpx" and "rpo" 60 times to unlock his terminal. He found it took 572 microseconds for the x and an average of 565 microseconds for the o. His hypothesis is that o is timing equivalent to r. He figures you can get 19 - 39 bits for an 8 character password. He didn't test on WNT as it doesn't have an accessible microsecond granularity clock. A questioner asked if fuzzy time would help. Jonathan said probably. Jay Lepreau pointed out that on WNT, any program can access the hardware cycle counter which has 100's of megahertz granularity. Another questioner asked if one time passwords help. Jonathan thought so. The next session was Database Security and Biometrics chaired by Cathy Meadows. The first paper in this session was "Practical Security Policies to Support Timeliness in Secure Real-Time Databases" by Sang Son, Craig Chaney, and Norris Thomlinson (University of Virginia). Sang presented. Timeliness and predictability are most important in real time systems. Security and timeliness can conflict, forcing priority inversion (low priority task keeping a high priority task from running) or a security violation. The canonical example is lock contention between a high priority, high security task and a low priority, low security task.
If the lock is given to the high process, there is a potential covert channel. If the lock is given to the low process, that is a priority inversion. They explored different levels of security policy, each of which guarantees certain security aspects. Their goal was to satisfy minimum requirements of both real time and security. 99% is not necessarily better than 85%; it depends on what information needs most to be protected. Their rules covered static and dynamic cases. For example, some deadlines can be missed one or two times, but not the third. They are working towards a tool that can analyze policies and tell the designer the implications of their tradeoffs. They ran simulations to come up with some partially ordered set of MLS-based security policies. They found a significant improvement in performance as more potential covert channels are allowed. Their work is on a distributed database on Legion. Marv Schaefer asked why not just replicate the data? Sang said that there are issues with managing distributed replicated data. The next paper was "On Enabling Secure Applications Through Off-Line Biometric Identification" by George I. Davida (Univ. of Wisconsin, Milwaukee), Yair Frankel (CertCo), and Brian J. Matt (Sandia National Laboratories). Brian presented. They considered a variety of architectures for where biometric information is stored, and where it is checked. Checking biometrics at the biometric station is simpler and requires fewer secured channels than checking at an authorization server and sending the results to the station. The station compares against the biometric results that are on a card, encrypted and signed. They are concerned about the privacy of the biometric data, which lets them assume it's a strong key (that it's not publicly available). For both the source and verification data, the biometrics are sampled, a majority decoder votes on each bit, then the two are compared with a bounded distance decoder.
A signature over the user's name, public attributes, biometric and check digits is on the card. The biometric information can be combined with a PIN to preserve the privacy of the keys that are stored on the card. One questioner who works at a bank said that they had found that people have a real aversion to sticking their face in a machine for an iris scan. Another questioned whether the privacy of biometrics really needed to be protected. Brian said there are issues of user acceptance, health, and genetic heritage concerns. The 5-Minute Talks session was chaired by Yair Frankel. "Experiments with Software Wrappers" by Lee Badger (TIS Labs at Network Associates) touched on imposing interesting policies with wrappers such as intrusion detection, sequencing, time. They think of them as micro firewalls. "StackGuard 1.1: Stack Smashing Protection for Shared Libraries" by Crispin Cowan, Tim Chen, Calton Pu, Perry Wagle (Oregon Graduate Institute of Science and Technology) and Heather Hinton (Ryerson Polytechnic University) was an update of a Usenix security paper. "Security Requirements of the Emerging Information Infrastructure: Relationship to a National Study Committee" by Henry M. Gladney (IBM Almaden Research Center) recommended visiting www4.nas.edu/cp.nsf/. "Security Agility for Dynamic Execution Environments" by Karen A. Oostendorp and Lee Badger (TIS Labs at Network Associates, Inc.) presented a subsystem bolted on to components that maintains security information. "How to Protect Against Subscription Sharing and Server Profiling" by Stuart Stubblebine (AT&T Labs - Research) (with Paul Syverson, NRL and David Goldschlag, DIVX) dealt with the problems of proving group membership without revealing identity or linking appearances from one transaction to the next (no profiling), and enabling a vendor to deter low volume sharing of credentials and detect and stop high volume sharing and fraud.
"Nested Java Processes: OS Structure for Mobile Code" by Patrick Tullmann and Jay Lepreau (University of Utah) brings their multi-user OS research to active networks. "Methods for Security Sharing Kerberos Credentials Among Cooperating Distributed Web-Based Client Components" by W. David Shambroom (GTE Laboratories Incorporated) presented an architecture for a large client population that uses SSL for sending the Kerberos username and password. "Code Verification as a Tool for Formal Systems Development" by Mark E. Woodcock (NSA) presented an idealized LCF prover that shows the synergy between a faster prover and better language coverage. "Advanced Security Proxies" by E. John Sebes (TIS Labs at Network Associates) takes the functionality of current proxy based firewalls and puts it on network components for very high speed networks. The final session on Tuesday was Formal Methods I chaired by John McLean. The first paper was "Strand Spaces: Why is a Security Protocol Correct?" by F. Javier Thayer Fabrega, Jonathon C. Herzog, and Joshua D. Guttman (MITRE). Joshua presented. This is a new method for proving the correctness of cryptographic protocols that focuses on the combinatorial issues introduced by the protocol itself. It clarifies the protocol goals and allows the application of uniform, straightforward proof methods (a bag of tricks). A strand is one principal's experience of one run of the protocol. A strand space is a collection of strands, which might be very large. Penetrator activities are also strands (typically they are short). There are two kinds of causal relations: sends and receives, and precedes on a strand. Penetrators can concatenate, decompose, repeat, or discard messages. This method deals with what a principal can know directly, what it can reasonably assume (such as freshness assumptions), and what it can infer.
Inferences include that the real world contains events which could causally explain what the principal saw (someone must have sent this message I received). A bundle is a causally well-grounded collection of interactions. Some limitations of this approach are that it doesn't have a way of representing type flaw attacks (two nonces misinterpreted as a session key), there is no good way to reason about cryptographic system protocol interactions, and it doesn't reason about cryptographic weaknesses or implementation weaknesses. The next paper was "On the Formal Definition of Separation-of-Duty Policies and their Composition" by Virgil D. Gligor (University of Maryland), Serban I. Gavrila (VDG, Inc.), and David Ferraiolo (NIST). Virgil presented. He stated that there are significant differences between policy properties and policies themselves. Separation of Duty (SoD) policies define an integrity policy that partitions applications into operations and objects, and assigns users to those partitions. These application-oriented policies are limited in scope and require separate administration. The current solution is to make SoD a special feature of a more global policy, such as Role Based Access Control (RBAC). He discussed attribute properties such as a lattice of secrecy and integrity levels and inheritance of memberships of a hierarchy of roles, access management properties such as distribution, revocation, creation and destruction, and access authorization properties such as those found in Bell and LaPadula, Unix and RBAC. You have to have all three types of properties in conjunction. SoD is mostly access management and access authorization properties. Mandatory policies are known to break applications. There are also properties of policies that cannot be enforced in reference monitors (such as availability). Compatibility and administratability, which are desired, are also beyond the scope of a reference monitor.
His work clarifies and formalizes previous work by Simon and Zurko that provides a foundational intuition on what separation of duty policies are about. His work shows the relationships between SoD properties and addresses composition issues. At the Technical Committee Meeting, Charles Pfleeger discussed the options for where future symposiums would be held (after next year's, which is at the Claremont again). He is soliciting electronic suggestions at pfleeger@arca.com and berson@anagram.com. The first session on Wednesday was Formal Methods II chaired by Heather Hinton. The first paper was "Complete, Safe Information Flow with Decentralized Labels" by Andrew Myers and Barbara Liskov (MIT). Andrew presented. They have a technique for statically analyzing information flow in programs. It has good performance since it relies on compile time checking. It is an implemented Java extension called Jflow, based on a decentralized label model that expresses the privacy concerns of multiple principals (users, groups of users, and roles). They use a notion of acts-for between two principals that is similar to speaks-for. A label is a set of information flow policies. There is an owner of each policy (considered the source of information) and a set of readers to which information can flow. Every policy has to be obeyed. Assignment (x = y) relabels a value such that for every policy in y, there is a policy in x that is at least as restrictive. Combining values uses the least upper bound of labels. Label checking is an alternate form of type checking. They can handle implicit flows, exceptions, objects, dynamic type tests, label polymorphism and label inference. They consider these safe incremental relabelings: removing a reader, adding a policy, replacing an owner by a superior, and adding a superior reader (a superior is a principal that can act for A, up the principal hierarchy). They also defined formal semantics for their system.
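The relabeling rule and the four safe incremental relabelings just listed, checked mechanically on a small static principal hierarchy, as an added example that is not JFlow or the authors' code. The principals, the acts-for relation and the labels are constructed for illustration.

```python
# Constructed acts-for hierarchy: ACTS_FOR[p] lists the principals p may act for.
ACTS_FOR = {
    "manager": {"alice", "bob"},
    "alice": set(),
    "bob": set(),
    "carol": set(),
}


def acts_for(hierarchy, p, q):
    """True when p can act for q: reflexive, transitive closure of the hierarchy."""
    seen, stack = set(), [p]
    while stack:
        cur = stack.pop()
        if cur == q:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(hierarchy.get(cur, ()))
    return False


def policy(owner, *readers):
    """A policy: its owner (the source of the information) and allowed readers."""
    return (owner, frozenset(readers))


def label(*policies):
    """A label is a set of policies; every one of them must be obeyed."""
    return frozenset(policies)


def at_least_as_restrictive(hierarchy, strong, weak):
    """strong restricts at least as much as weak when strong's owner acts for
    weak's owner and every reader strong admits acts for a reader (or the
    owner) that weak admits; any other reader would be a new leak."""
    weak_owner, weak_readers = weak
    strong_owner, strong_readers = strong
    if not acts_for(hierarchy, strong_owner, weak_owner):
        return False
    allowed = weak_readers | {weak_owner}
    return all(any(acts_for(hierarchy, r, a) for a in allowed) for r in strong_readers)


def can_relabel(hierarchy, src, dst):
    """Assignment x = y is legal when for every policy in y's label (src)
    there is a policy in x's label (dst) that is at least as restrictive."""
    return all(any(at_least_as_restrictive(hierarchy, j, i) for j in dst) for i in src)


def join(a, b):
    """Least upper bound: a value combined from a and b obeys both policy sets."""
    return a | b


# The four safe incremental relabelings, plus one unsafe one, on constructed labels.
BASE = label(policy("alice", "bob", "carol"))
REMOVE_READER = label(policy("alice", "bob"))
ADD_POLICY = label(policy("alice", "bob", "carol"), policy("bob"))
SUPERIOR_OWNER = label(policy("manager", "bob", "carol"))
SUPERIOR_READER = label(policy("alice", "bob", "carol", "manager"))
UNRELATED_READER = label(policy("alice", "bob", "carol", "dave"))  # dave acts for nobody

if __name__ == "__main__":
    for name, dst in [("remove reader", REMOVE_READER), ("add policy", ADD_POLICY),
                      ("superior owner", SUPERIOR_OWNER), ("superior reader", SUPERIOR_READER),
                      ("unrelated reader", UNRELATED_READER)]:
        print(f"{name:16s} safe={can_relabel(ACTS_FOR, BASE, dst)}")
```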
The interpretation depends on the principal hierarchy, which can change at runtime. They statically check with partial knowledge and allow relabelings that are safe under all possible dynamic hierarchies. They have proven their relabeling sound and complete. This paper caused the most commotion in the question period, into the next break, and beyond. One questioner asked for a comparison to taint in Perl. Andrew responded that taint is dynamic. One questioner was concerned that this paper did not reference existing work from the security community such as information flow tools (GIPC). There was some debate over just what the differences were. There was also a comment about the lack of any mention of MLS in the paper. Discussion during the break included the concern that there was no notion of confinement. The next paper was "Stack and Queue Integrity on Hostile Platforms" by Prem Devanbu (Univ. of Calif at Davis) and Stuart Stubblebine (AT&T Labs - Research). Stuart presented. This work addressed the integrity of large data structures stored on a hostile device. A memory and bandwidth constrained smart card is responsible for checking on it when it comes back. The adversary can perform an operation on the data structures. The trusted processor analyzes and certifies the values. For LIFO stacks, the card maintains a signature over the current top of stack. It can check whether what's returned on a pop is expected. In addition, each item is made up of the value plus a signature on the next item on the stack. For FIFO queues, the card maintains a signature for everything ever removed from the queue as well as a signature on the rear of the queue, so that it can check whether it's really empty when that is the claim. It validates the next value on the queue on a dequeue operation with a signature over the value and the previous signature. The signatures must be keyed. The final session was Cryptography II chaired by Michael Waidner.
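The stack and queue checks described for the Devanbu and Stubblebine paper, with the card's "signature" realized as an HMAC (a keyed MAC, which is what "the signatures must be keyed" requires when only the card verifies), as an added example that is not the authors' code. The key, the host's storage and the tampering scenarios are constructed for illustration.

```python
import hmac
import hashlib

# Constructed demo key; a real card would hold a per-card secret.
KEY = b"constructed-demo-key-not-for-real-use"


class IntegrityError(Exception):
    """Raised by the card when the host hands back something it never stored."""


def tag(key, value, prev):
    """Keyed tag over a value and the previous tag in the chain.
    The length prefix keeps the value/tag boundary unambiguous."""
    msg = len(value).to_bytes(4, "big") + value + prev
    return hmac.new(key, msg, hashlib.sha256).digest()


class TrustedStack:
    """Card side of a LIFO stack whose items live on the untrusted host.
    The card keeps only the key and the tag of the current top."""

    def __init__(self, key):
        self.key = key
        self.empty = tag(key, b"EMPTY", b"")
        self.top = self.empty

    def push(self, value):
        """Returns the item the host must store: value plus the tag of the item beneath."""
        item = (value, self.top)
        self.top = tag(self.key, value, self.top)
        return item

    def pop(self, item):
        """Verifies the item the host claims is on top against the stored tag."""
        value, below = item
        if not hmac.compare_digest(tag(self.key, value, below), self.top):
            raise IntegrityError("stack top was altered or replayed")
        self.top = below
        return value

    def verify_empty(self):
        return hmac.compare_digest(self.top, self.empty)


class TrustedQueue:
    """Card side of a FIFO queue. Items chain from the first enqueued; 'front'
    is the tag of everything ever removed, 'rear' the tag of the last item
    enqueued. An honest empty claim means front == rear."""

    def __init__(self, key):
        self.key = key
        self.front = self.rear = tag(key, b"EMPTY", b"")

    def enqueue(self, value):
        item = (value, tag(self.key, value, self.rear))
        self.rear = item[1]
        return item

    def dequeue(self, item):
        value, t = item
        if not hmac.compare_digest(tag(self.key, value, self.front), t):
            raise IntegrityError("queue front was altered, skipped or replayed")
        self.front = t
        return value

    def verify_empty(self):
        return hmac.compare_digest(self.front, self.rear)


def stack_roundtrip(values, tamper=False):
    """Host pushes values then pops them all; with tamper=True it rewrites the
    top value in its storage. Returns the popped values, or None if caught."""
    card, host = TrustedStack(KEY), []
    for v in values:
        host.append(card.push(v))
    if tamper and host:
        host[-1] = (b"altered", host[-1][1])
    try:
        out = [card.pop(host.pop()) for _ in range(len(host))]
    except IntegrityError:
        return None
    return out if card.verify_empty() else None


def queue_roundtrip(values, replay=False):
    """Host enqueues values then dequeues them; with replay=True it serves the
    first item again in place of the second. Returns the values, or None if caught."""
    card = TrustedQueue(KEY)
    host = [card.enqueue(v) for v in values]
    if replay and len(host) > 1:
        host[1] = host[0]
    try:
        out = [card.dequeue(item) for item in host]
    except IntegrityError:
        return None
    return out if card.verify_empty() else None
```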
The first paper was "Necessity and Realization of Universally Verifiable Secret Sharing" by Wenbo Mao (HP Laboratories, Bristol). This work is related to escrowed cryptographic systems. The threat model is that Alice and Bob are potentially bad guys, whereas the Eavesdropper is the good guy! The requirements are compliance and fairness. The system uses multiple good guys to prevent some from becoming bad through unlawful privacy intrusion or destroying the recovery material. There are two-party protocols to streamline the secret sharing with many good guys. EES (Clipper) has poor secret sharing. You must get information from two out of two of the sharers, plus the manufacturer can know the secret. More recent work adds fairness, including partial key escrow (which produces a non-trivial cost to searching for the missing portion). Previous fair schemes are all multi-party protocols. Alice has little freedom to choose her shareholders. Reducing the number of shares required will increase reliability but decrease fairness. The honesty of a majority of shareholders can be a dangerous assumption. Also, it is impractical to use a large number of shareholders. Unfortunately, it is also unfair or dangerous to use a small number of them (5 seems too small). If a secret sharing can be verified universally (by anybody) then a multi-party protocol can be streamlined into a two-party one with guaranteed correctness in secret sharing. Then a "large" number of shareholders can really mean large. If Alice's public key is a discrete log problem, you can encrypt her private key under a third party's public key with a proof of correctness of the encryption. The verifier can be anybody, using the third party's public key. Their work uses bit by bit encryption, but more efficient block encryption methods exist. The last paper was "Towards Mobile Cryptography" by Tomas Sander and Christian F. Tschudin (Intl. Computer Science Inst., Berkeley, CA). Tomas presented.
This work emphasized protection of the mobile code against tampering by the underlying execution environment (code and execution integrity), against disclosure of the algorithm to the host, and against disclosure of the user's private key to the host (even if it signs something while executing there). They've undertaken some first steps in Executing Encrypted Functions (EEF), Homomorphic Encryption Schemes (HES) and Undetachable Signatures. Protecting mobile code is like trying to protect a good-minded middle American with 100 dollar bills hanging out of his back pocket who is walking around in Rio de Janeiro, in a bad neighborhood. They want to execute encrypted programs directly. The sender must be able to decrypt the results to extract the return value of running the encrypted function. The specific case they study is polynomials on rings Z/nZ. In addition, they look to glue the signature routine to the function that generates the output to be signed, to keep an adversary from taking an encrypted signature function and using it to sign things. Their technique is function composition. They compose the signing routine and the function generating the output to sign so that the signing routine remains secret. If we could find encryption schemes "compatible" with + and *, general programs could be encrypted! The bad news is that it has been an open problem for a long time in cryptography whether these exist. Tomas stated that we need a sound theoretical foundation for mobile code security, not just beliefs [I would offer the caveat "except in panels!", as facts rarely make for an entertaining panel :-)]. Their first positive results for polynomials and rational functions are only the first steps. The final announcements of the conference were that Jon Millen will be registration chair next year, and Mike Reiter will be junior program chair.
______________________________________________________________________
11th IEEE Computer Security Foundations Workshop (CSFW11)
June 9-11, 1998, Rockport, Massachusetts
by Levente Buttyan.
______________________________________________________________________

This year's CSFW took place in Rockport, MA, from the 9th to the 11th of June. As in 1997, the workshop was held at the Ralph Waldo Emerson Inn in Pigeon Cove, which is a more than 100-year-old building on the coast of the Atlantic Ocean. The house has a nice garden, which was the scene of the croquet tournament organized among the workshop participants every year. The General Chair of the workshop was Jonathan Millen, the Program Chair was Simon Foley, and the Publications Chair was Joshua Guttman. The workshop had about 45 participants. The technical program contained 17 presentations organized into 7 sessions, and 2 panels.

Session 1: Distributed Services
Chair: Li Gong

Weakly Secret Bit Commitment: Applications to Lotteries and Fair Exchange
Paul Syverson

Paul also gave a subtitle for his talk: 'How I learned to stop worrying and love exportable cryptography'. He argued that weak cryptography is not only acceptable in certain situations but it might even be desirable. He illustrated this with two example applications: lottery games and fair exchange protocols. In the lottery games that he proposed, the result of the lottery is determined by a set of public inputs from the bettors, but no one (not even the lottery organizer) can control the outcome or determine what it is until after the game closes. This is achieved by the application of a weakly secret bit commitment (WSBC) function, which keeps the outcome secret in a way that is breakable after a predictable amount of time and/or computation. The second application of WSBC proposed by Paul is a variant on fair exchange that requires no trusted third party at all.
It accomplishes this by a short sequence of messages that combine a diminishing disincentive to cheat with either increasing ability to complete the exchange or evidence that cheating has occurred. Thus, self interested parties would prefer completing the protocol to cheating. For this reason, Paul called this type of protocol 'rational' exchange.

On the Structure of Delegation Networks
Tuomas Aura

Tuomas presented a formal model for SPKI-like, key-oriented delegation systems. After having defined what a delegation certificate is, he introduced the notion of delegation networks. The delegation network is a graph that represents how keys delegate access rights to other keys through delegation certificates. A key idea was that an issuer key can delegate access rights to more than one (i.e., a set of) subject keys, who must then co-operate to use the authority. Then, he presented a formal semantics for delegation networks by defining how the basic question 'Does key k1 delegate authorization for operation o to another key k2?' can be answered for a given delegation network. He also proved that certificate reduction is a sound and complete decision technique. In certificate reduction, certificates are merged into one. The soundness and completeness of this process means that the reduced network (or the single certificate to which the network may finally be reduced) represents the same authorizations as the original one. Tuomas concluded that the presented model can be used as a basis for development of algorithms for managing certificate databases.

Two Facets of Authentication
Martin Abadi

The main idea of Martin's talk was that authentication can have two goals: assigning responsibility and/or giving credit. He explained the concepts of responsibility and credit through example protocols, which were adequate for applications that require responsibility but not necessarily for applications that require credit.
He said that it is, therefore, prudent to state whether a newly designed protocol is intended to establish responsibility, credit, or both. Similarly, when an authentication protocol is analyzed, it is prudent to clarify whether its properties are sufficient for establishing responsibility or credit. He concluded that responsibility is essential, because it is crucial for access control, but there does not seem to be a consensus on whether an authentication protocol should also establish credit or not. Establishing credit, however, can make the protocol more robust and clear, and can help avoid confusions. Somebody asked if there is any protocol that establishes credit but no responsibility. Is there any?

Session 2: Noninterference
Chair: Stewart Lee

Probabilistic Noninterference in a Concurrent Language
Dennis Volpano and Geoffrey Smith

Dennis started his talk with an example multi-threaded program. The program was possibilistically noninterfering (i.e., changing the initial values of the high (private) variables does not change the sets of possible final values of the low (public) variables). He showed, however, that if thread scheduling is probabilistic then there is a probabilistic interference (i.e., changing the initial values of the high variables changes the probability distribution of the final values of the low variables). Then he presented their solution for the problem. He proposed that conditionals with high guards be executed atomically. This is accomplished by wrapping the conditional with a new command, called 'protect', that guarantees the atomic execution. He proved that such well-typed programs satisfy the probabilistic noninterference property. He noted that, although their result rules out all covert flows from high variables to low variables with respect to internal program behavior, if external observation of the running program is allowed, then covert channels are still possible.
He emphasized that the application that they had in mind was mobile-code. A key assumption in the mobile-code framework is that any attempt to compromise privacy must arise from within the mobile-code, which is internal to the system. The system can control what the mobile-code can do and what it can observe.

Partial Model Checking and Theorem Proving for Ensuring Security Properties
Fabio Martinelli

In his paper, Fabio addressed the problem of the decidability of a property called Bisimulation Non Deducibility on Compositions (BNDC). In short, a system is BNDC if interaction with high level users does not change the appearance of the system to the low level users. Thus, no information at all can be deduced by low level users. He proved the decidability of BNDC for finite state systems and presented a tool for ensuring such security properties. This tool can also be used to check functional properties of the system automatically. The tool is built over mudiv, which is a program for checking properties of finite state systems, and a proof assistant developed in Coq for the modal mu-calculus.

Session 3: Protocol Verification
Chair: Catherine Meadows

Formal Analysis of a Non-repudiation Protocol
Steve Schneider

Steve presented a CSP based formal analysis of the Zhou and Gollmann non-repudiation protocol. Non-repudiation protocols are used to enable agents to send and receive messages, and provide them each with evidence of the message transmission. The Zhou and Gollmann protocol also aims to provide fairness (i.e., no party should be able to reach a point where they have the evidence that they require without the other party also having the required evidence). The CSP modeling revealed an unusual security property required in this protocol. Namely, most security properties of such protocols are safety properties, while in this protocol non-repudiation also involves liveness.
Steve modeled the protocol from the point of view of the judge who would be used to arbitrate in the case of dispute. The modeling of the protocol required a different approach than the standard approaches taken to, for instance, authentication protocols. Here, agents require protection from each other, rather than from an external hostile agent. The CSP modeling allowed Steve to formally state the specification claimed for the protocol, and to verify it. It was also helpful in clarifying issues concerning the protocol and its context.

Honest Ideals on Strand Spaces
Javier Thayer, Jonathan Herzog, and Joshua Guttman

The paper was presented by Javier. He introduced the notion of ideals. An ideal is a set of messages closed under encryption and invariant under composition with arbitrary messages. He used this new notion to state and prove general facts about the power of the penetrator, who wants to subvert the goals of a security protocol. In particular, he proved that if a legitimate protocol participant can never utter any message in an ideal I, then a penetrator can never utter any message in I either. He applied the method to analyze the Otway-Rees protocol, and to explain what this protocol can achieve and what its limitations are.

Panel 1: Varieties of Authentication
Moderators: Roberto Gorrieri and Paul Syverson
Panel Members: Martin Abadi, Ricardo Focardi, Gavin Lowe, Catherine Meadows, and Dieter Gollmann

The aim of the panel was to encourage a discussion on the current attempts to give formal definitions of authentication. Despite the widely accepted intuitive meaning of authentication, formal definitions are rather rare and not widely agreed upon. This is sometimes due to the lack of a formal model on which the problem can be defined and with respect to which a formal definition can be given. Martin emphasized the need for higher level guarantees of authentication and authorization.
He said that when people talk about authentication, they do not really care whether the authentication protocol used has certain lower-level properties that are concerned with messages and keys. They do not even want to hear about keys. What they need is a higher level guarantee. The question is what this higher-level guarantee is and how we can achieve it by guaranteeing lower-level properties. He mentioned his work on the join calculus and the s-join calculus. Ricardo raised the issue of exploiting off-line information (information that is not visible to the parties of the protocol but is available before the execution to those who verify the correctness of the protocol) in the verification of the protocol and defining authentication in terms of that. As an example, he suggested considering the locations of protocol participants as off-line information. Then, authenticating an entity means mapping an entity name to its address. And an attack against a protocol can be discovered by obtaining incorrect mappings of names to addresses. He raised the question whether it is possible to exploit other kinds of off-line information for authentication. Dieter suggested that to avoid confusion, we should agree on when to use the term authentication, rather than trying to find its intrinsic meaning. He pointed out that the verification of the identity of an entity, the verification of the origin of a message or access request are all termed as authentication. Gavin's position was that authentication is about what an agent can deduce about the state of other agents (e.g., about its partners in the protocol). This can be something like the other has recently sent a message, run the protocol, agreed upon some details (e.g., a session key), etc. He emphasized the difference between authentication and secrecy. The latter is about what an agent can deduce about the state of malicious third parties. Cathy focused on the issue of authentication in the Internet era.
She pointed out that with the widespread use of the Internet and related technologies such as mobile-code, it becomes more likely that a single entity may be authenticated in more than one way and this raises some interesting questions. She talked about her experiences with the Internet Key Exchange (IKE) protocol that she had analyzed. Although the aim of the panel was to give formal definitions of authentication, no one gave any. Finally, Michael Merritt put up a slide with one line written on it:

    (for all t)[(t |- A says m) -> (I(t) |= A says m)]

His purpose was to create more confusion, as he said. According to this formula, authentication means that for all traces (executions?) of the system, if A says m follows from the trace t, then A says m really holds in some interpretation of the trace. Now, what remains is to define what traces are, what the interpretation function does, and what A says m means exactly. After all, this was more specific than the previous discussion of the panel.

Session 4: Protocol Model Checking
Chair: Jonathan Millen

Proving Security Properties with Model Checkers by Data Independence Techniques
A. W. Roscoe

In his presentation, Bill addressed the general problem of model checking approaches to the verification of security protocols. Namely, model checkers can only prove that a small instance of the system, usually restricted by the finiteness of some set of resources such as keys and nonces, is free of attacks. In general, this does not prove that the protocol is error free. He showed how techniques borrowed from data independence can be used to achieve the illusion that an infinite number of different keys and nonces are available, even though the actual types used for these things remain finite. This result can be used to create models of protocols for which it is sufficient to run the model checker on a finite system in order to prove that the protocol is secure from attacks.
An important limitation of the result is that it does not allow protocol participants to run more than one instance of the protocol at the same time.

Towards a Completeness Result for Model Checking of Security Protocols (Extended Abstract)
Gavin Lowe

Gavin addressed the same problem as Bill in his talk: if no attack is found by the model checker, then this means only that there is no attack on a particular small system, and there may be an attack on some larger system. He presented sufficient conditions on the protocol and its environment such that if there is no attack on a particular small system leading to a breach of secrecy, then there is no attack on any larger system leading to a breach of secrecy. The small system that is sufficient to check is simply the protocol with one honest agent for each role that runs one instance of the protocol at a time. The conditions that have to be satisfied by the protocol are the following: encrypted components should be textually distinct, identities should be inferable from encrypted messages, the protocol should not use any temporary secrets. He also made some model-based assumptions such as perfect cryptography. His results can be used to verify secrecy properties, but he is considering extending the approach to authentication as well.

Efficient Finite-State Analysis for Large Security Protocols
Vitaly Shmatikov and Ulrich Stern

The paper was presented by Vitaly. He addressed the problem of the large number of reachable states in finite-state modeling and analysis of security protocols. He proposed two techniques that reduce the number of reachable states and thus allow the analysis of larger protocols. The main idea of the techniques was that if we have a state s, then those states where the honest protocol participants have the same knowledge as in state s and the intruder has less knowledge than in state s can be safely removed from the state-graph.
The first technique was to let the intruder always intercept messages sent by the honest participants. The second technique was to prevent the intruder from sending messages if at least one of the honest participants is able to send a message. Intuitively, both techniques increase the intruder's knowledge. He proved that the proposed state reduction techniques are sound (i.e., each protocol error that would have been discovered in the original state-graph will be discovered in the reduced graph). The techniques have been implemented in the Murphi verifier, and reduced the execution time significantly. Vitaly and Ulrich proposed another technique as well that does not reduce the number of states but speeds up the evaluation of the transition rules in Murphi, and hence reduces the execution time. Session 5: Composition Chair: Roberto Gorrieri Composing Secure Systems that have Emergent Properties Aris Zakinthinos and Stewart Lee Aris presented the paper, which investigates the existence of emergent properties. An emergent property is one that is not satisfied by all the constituent components of a system, but is satisfied by the overall system. He presented conditions on properties that enable one to infer how the property might emerge. He also gave a sufficient condition for the composition of two systems to yield a system that satisfies a stable property. Merging Security Policies: Analysis of a Practical Example Frederic Cuppens, Laurence Cholvy, Claire Saurel, and Jerome Carrere The paper was presented by Claire. She introduced a general approach to analyzing situations wherein several possibly conflicting security policies apply. She proposed a language to specify security policies and a method to detect conflicts by using the technique of consequence finding. For resolving conflicts, she proposed the approach of defining strategies. A strategy defines an order of preference between rules. 
She introduced the notion of 'good' strategy that enables resolution of all conflicts in a policy. Finally, she showed how strategies can be used to derive the actual norms in a merged security policy with possibly conflicting rules. The approach was illustrated through an example (an organization that has to deal with classified documents, and the problem of downgrading the classification level of them when they become obsolete). Session 6: Protocol Logics Chair: Gavin Lowe Evaluating and Improving Protocol Analysis by Automatic Proof Stephen Brackin Stephen summarized the results of Automatic Authentication Protocol Analyzer (AAPA) analyzes of 52 security protocols. The AAPA found no problem in 16 that have known problems, and found problems in 3 that were not identified as having problems previously. He explained why the AAPA missed attacks. Most of these types of failure would occur for belief logics in general, and some for all types of protocol analysis tools. There is only one that arises from an AAPA-specific error. Stephen is working on a new version of the tool that overcomes many of the problems of the current version. A Simple Logic for Authentication Protocol Design Levente Buttyan, Sebastian Staamann, and Uwe Wilhelm The paper was presented by Levi. He proposed a BAN-like logic, in which encryption and keys are replaced by channels with various access restrictions. This abstraction makes the logic compact because the cryptographic operations that are usually used in authentication protocols can all be described with a uniform notation. Furthermore, channels enable thinking about protocols at a high abstraction level without being concerned with the implementation details. He suggested that the logic should be used for constructing protocols at the first place rather than verifying existing protocols. For this reason, he proposed synthetic rules derived from the logic that can be used by designers to construct protocols in a systematic way. 
He illustrated the use of their synthetic rules by re-designing the Woo and Lam authentication protocol, which has known flaws.

Panel 2: The Security Impact of Open/Distributed Computing Technologies
Moderator: Peter Ryan
Panel Members: Dieter Gollmann, Li Gong, Gunter Karjoth, and Gene Tsudik

The panel was concerned with the question: to what extent do the tools and techniques developed to design and evaluate secure systems apply to radically new technologies such as Java, CORBA, ActiveX, mobile code, etc.? The aim was to identify the key problems and to propose approaches to addressing them.

Dieter suggested that the challenge is to provide solid foundations for the security services in open/distributed systems. These services can guarantee security if they are properly implemented and cannot be bypassed. Furthermore, the security-relevant information that the services need in order to function is present in lower layers of the architecture. Thus, if there is no sufficient protection at the lower layers, 'the foundation of the fortress will crumble'. He also pointed out that standardization of policies is an important issue. However, for making standards, we need experience with implementations. This seemed to be contradictory, but Paul Syverson noted that there exists a similar approach today, namely, the Internet standardization process in the IETF.

Li's position was that the new trends present new opportunities for programmers by making programming tasks appear to be easier than they are, but pose a significant challenge for security professionals, who have to ensure that software applications provide adequate levels of security. The problem is that today's software developers lack the knowledge and tools to produce secure applications, while their output is more critical for society. Li suggested that this problem can be addressed by technical and non-technical approaches such as building security features into the platform, providing security primitives and design patterns for programmers, and educating and influencing industry.

Gunter's opinion was that the main characteristics of open/distributed systems that make securing them hard are the complexity, the large scale distribution, the inclusion of legacy code and COTS products, mobility, and flexibility. Security is not an integral part of the distributed computing technology, and integrating it is not trivial. He mentioned, as examples, CORBA and SNMP. Security was not a primary issue in the design of these systems. Although a security specification for CORBA is now available, the attempt to secure SNMP failed. He pointed out that security and software engineering should converge if we want open distributed computing technologies to be securely applicable on a wide scale.

Gene did not seem to agree with the previous speakers of the panel. He said that new technologies do not always mean new security issues. He argued that papers about secure electronic payment systems were published in the early 80's, that research in mobile code and its security implications was done in the 80's (e.g., Cerf's knowbots), and that the problem of protecting a host from a malicious mobile agent is very similar to the problem of viruses, which was studied in the 80's and has been shown to be intractable. Little has been done to address the issue of protecting the mobile agent from malicious hosts. However, this issue arises only for itinerant (multi-hop) agents, the utility of which is somewhat in doubt today. Gene finished his talk with a list of issues that he believes are hot research topics today: intrusion prevention; new access control dimensions (location based AC, groups as first class objects); efficient credentials revocation; signature translation, notarization, and renewal; group security services (e.g., group signatures).

Obviously not everybody agreed with Gene. Virgil Gligor noted that prevention of denial of service attacks in the new environment is really an issue, and existing techniques do not work because of the variability of the user population. Paul Syverson added that the large scale also makes existing techniques unusable. The discussion ended with the consensus that the problems are not new but the existing solutions might not work in the new environment.

Session 7: Database and Intrusion Detection
Chair: Robert Morris

A Fair Locking Protocol for Multilevel Secure Databases
Sushil Jajodia, Luigi Mancini, and Sanjeev Setia

Sushil presented the paper, in which they addressed the problem of unfairness of existing concurrency control algorithms that are free from covert channels. Most of these algorithms prevent covert timing channels by ensuring that transactions at lower security levels are never delayed by the actions of a transaction at a higher security level. Thus, low transactions have higher priority than high transactions, which can lead to poor performance and even starvation of high transactions. They analyzed the performance of the secure version of two phase locking, which provided insight into the conditions under which this algorithm provides poor performance to high transactions. Based on this analysis Sushil proposed three new versions of the secure two phase locking algorithm that mitigate the performance problems. The approach that he took is based on restricting the number of low transactions executing in the system.

Data Level Inference Detection - A Rule Based Approach
Raymond W. Yip and Karl Levitt

The paper was presented by Raymond. He argued that using only functional dependencies for inference detection in databases is inadequate, and that the data in the database should also be considered. He presented their data level inference detection system, which is based on five inference rules: 'subsume', 'unique characteristic', 'overlapping', 'complementary', and 'functional dependency'. Users can apply these inference rules any number of times, and in any order, to infer data. These rules are sound, but might not be complete. The proposed system is open, so whenever a new inference rule is discovered it can easily be integrated into the system. Raymond also reported on a prototype that he implemented in Perl. The performance studies show that it takes a few seconds (on a Sun SPARC 20) to process a query that returns hundreds of records from a database of 10000 records. Hence, the system should rather be used off-line.

Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies
Jia-Ling Lin, Sean Wang, and Sushil Jajodia

The presentation was given by Jia-Ling. She introduced a high-level language for describing abstract misuse signatures (MuSig). Due to the high abstraction level, a MuSig can represent complex intrusions in a simple form. She also introduced the notion of abstract views. An abstract view specifies abstract events derived from the events in the audit trail. The designer of the misuse detection system is responsible for identifying the abstract views and providing programs to support the views. These programs are called system directives. Jia-Ling proposed ways to translate MuSigs into monitoring programs with the help of the system directives. The behavior of the monitoring program can be changed by the system manager by changing the set of available system directives.

The business meeting was held one day earlier (Wednesday) than was indicated in the program. The topic was the place of the next workshop.
Stewart Lee proposed Cambridge and Roberto Gorrieri proposed Bologna as possible venues. After some rounds of voting, Bologna seemed to be the most preferred among the workshop participants.

By the end of the workshop, the regular croquet tournament had been finished as well. The winners were: Tuomas Aura (1st), Michael Merritt (2nd), and Bill Roscoe (3rd).

______________________________________________________________________
Workshop on Formal Methods and Security Protocols (at LICS'98)
June 25, 1998, Indianapolis, Indiana
by Scott Stoller.
______________________________________________________________________

The Workshop on Formal Methods and Security Protocols was held in Indianapolis, Indiana, on June 25, 1998, immediately following LICS'98. It was organized by Nevin Heintze of Bell Labs and Jeanette Wing of CMU.

Roger Needham (Cambridge University and Microsoft Cambridge Research Labs) gave the keynote address. He observed that the assumptions underlying the design of security protocols must change as technology advances. For example, the advent of "truly personal" pocket-sized computers, which are used only by the owner, may provide a feasible mechanism for storage of large amounts of confidential information. He emphasized that security within an organization and security between organizations are often dealt with differently, and that in some cases, it might be feasible to base the latter on direct pairwise negotiation (e.g., use of a different public/private key pair, or even a different list of one-time keys, for each pair of organizations). He also observed that formal methods tend to aim at "absolute" guarantees, while in many commercial applications, business considerations lead to the use of systems that provide weaker guarantees; formal methods that can deal with such guarantees would be useful.

Needham also made a few points regarding the famous Burrows-Abadi-Needham logic of authentication ("BAN logic"). He observed that authentication and key establishment protocols are much easier to get right if the designer doesn't try too hard to optimize them (e.g., by reducing the amount of data that has to be encrypted), and that the speed of current hardware has made such optimizations relatively unimportant. Therefore, the community should start to focus on verification of other classes of protocols, such as electronic commerce protocols and software anti-piracy protocols. Also, he pointed out that the abstraction of "freshness" used in BAN logic was not completely successful, because it combines two distinct notions: functional dependence (or correspondence), and recency.

Needham's remarks were followed by presentations of the contributed papers, which can be accessed via the URL http://www.cs.bell-labs.com/~nch/fmsp . [Available soon according to workshop organizers -ed.]

Scott D. Stoller (Indiana University) described preliminary work on reducing the problem of verifying an authentication or key establishment protocol to a finite-state problem, suitable for model checking. Reductions are needed to bound the number of encryptions performed by the adversary and the number of protocol runs by the honest principals.

Catherine Meadows (Naval Research Lab) discussed the use of the NRL Protocol Analyzer to examine the Internet Key Exchange protocol (IKE), which is really a combination of several subprotocols and is therefore considerably larger than most of the security protocols that have been mechanically verified so far. The scale of this analysis prompted several improvements to the Protocol Analyzer. The analysis led to a clarification of the IKE specification. The analysis was not compositional; it would be nice if compositional verification techniques could be used to verify each subprotocol separately.

Will Marrero (CMU) described a machine checkable logic of knowledge for specifying security properties of electronic commerce protocols; this is joint work with Ed Clarke (CMU) and Somesh Jha (CMU). One of the features of this logic, compared to some other knowledge-based security logics such as BAN logic, is that it has a precise semantics with respect to a well-defined model of computation with an operational semantics for protocols. Only first-order knowledge can be expressed in the logic, but this seems sufficient for many purposes and hopefully facilitates efficient implementation.

The next talk was on "ActiveSPEC: A Framework for the Specification and Verification of Active Network Services and Security Policies", by Darryl Dieckman (U. of Cincinnati), Perry Alexander (U. of Cincinnati), and Philip A. Wilsey (U. of Cincinnati). In this framework, an active network is specified by its security policies, services, and resources. The PVS theorem prover from SRI is used to produce formal proofs that an active network satisfies its requirements.

Richard Kemmerer (U.C. Santa Barbara) described the specification and analysis of Mobile IP using ASTRAL; this is joint work with Zhe Dang. This work exploits the real-time features of ASTRAL, a model checker for real-time systems. As with most model checking approaches, a restricted (but useful!) kind of verification is performed: the user indicates the number of agents in the system and the length of time (on the clock of the simulated system, not the CPU time used by the simulator) for which the system should be simulated, and the model checker checks whether the specified properties hold within those bounds.

Grit Denker (SRI) described the use of rewriting logic to specify security protocols and the use of Maude, an interpreter for rewriting logic, as an analysis tool; this is joint work with J. Meseguer (SRI) and C. Talcott (Stanford). The use of rewriting logic offers some advantages; for example, it may facilitate modular verification of protocols.

Paul F. Syverson (Naval Research Lab) talked about "Relating Two Models of Computation for Security Protocols". He presented a model of computation for cryptographic protocols that can serve as a semantics for SvO, a BAN-like logic, and described the relationship between that model and the computational model underlying the NRL Protocol Analyzer. The ultimate goal is to achieve a better integration of these two complementary approaches to protocol analysis.

F. Javier Thayer Fabrega (MITRE) discussed strand space pictures; this is joint work with Jonathan C. Herzog (MITRE) and Joshua D. Guttman (MITRE). Their recent work on strand spaces has already provided very simple and lucid correctness proofs for cryptographic protocols. This paper makes such analyses even more lucid by augmenting them with diagrams that illustrate the protocol's behavior, attacks on the protocol, or crucial steps in the correctness proof.

The contributed talks were followed by a panel discussion featuring Martin Abadi (DEC SRC), Roger Needham, and Doug Tygar (CMU). Martin pointed out the need for formal methods that can deal with higher-level specifications; this is important for enabling the verification community to proceed from analysis of security protocols in isolation to verification of higher-level requirements of larger systems (e.g., distributed filesystems) in which such protocols are used. Doug Tygar suggested that SET would be a good case study, and expressed his hope that formal methods, by requiring careful study of a problem domain as part of the development of suitable abstractions, might aid in the discovery of new attacks, such as timing attacks or power attacks on smart cards. [Some formal work on SET has already been done by yours truly and Cathy Meadows and presented at FC98. Work on protocols related to SET has also been presented by Steve Brackin at the '97 DIMACS Security Protocols Workshop and by Dominique Bolignano at CSFW10. -Paul S] Martin Abadi and Roger Needham agreed that going out and developing suitable abstractions for a new problem domain is often the most productive part of the use of formal methods.

Edmund Clarke and Nevin Heintze will organize a second workshop on this topic, to be held in July 1999 in conjunction with FLOC'99. For more info, keep your eye on the FLOC'99 home page: http://www.cs.bell-labs.com/cm/cs/what/floc99/

________________________________________________________________________
Conference announcements
________________________________________________________________________

The ACM Conference on Computer and Communications Security (CCS) is the ACM's premier forum for the presentation of new research results and the identification of future research directions in the area of computer and communications security. The 5th conference in the series will be held on November 2-5, 1998, in San Francisco, California. Further information, including a preliminary program, can be found at "http://www.research.att.com/~reiter/ccs5/".

ASIACRYPT'98, the fourth ASIACRYPT conference on the theory and applications of cryptologic techniques, Beijing, People's Republic of China, October 18-22, 1998. (Submissions due: May 9, 1998.) It is sponsored by the State Key Laboratory of Information Security (SKLOIS) and the Asiacrypt Steering Committee (ASC), in cooperation with the International Association for Cryptologic Research (IACR). Original papers are solicited on all technical aspects of cryptology. Please send a cover letter and 16 copies of the submission to Prof. Dingyi Pei, one of the Program Co-chairs, at SKLOIS, Graduate School of USTC, #19A Yu Quan Road, Beijing 100039, P.R.China no later than May 9, 1998 (or postmarked by May 1, 1998, and sent via airmail or courier).
Further information can be found at http://www.bta.net.cn/csp/isdata/index.htm

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

o http://link.springer.de/link/service/series/0558/tocs/t1419.htm
  Book: Mobile Agents and Security, edited by Giovanni Vigna.
  Note that the entire book is available on-line free from Springer until Sept. 30, '98.

o http://www.law.kuleuven.ac.be/icri/index.html
  Proposal for a European Parliament and Council Directive on a common framework for electronic signatures. Reference COM(1998)297final, May 13, 1998.

o http://www.interhack.net/pubs/des-key-crack/
  An article describing the DES Secret Key Challenge last summer.

o http://www.asi.fr/~martinez/crypto/project/final.html
  Title: Cryptography Algorithm and Application
  by Sylvain Martinez, martinez@asi.fr
  Description: Overview of cryptography and an explanation of my own cryptography algorithm BUGS (Big and Useful Great Security) v1.8.0. The aim of this project consisted of finding information about cryptography, creating my own cryptography algorithm and creating a Windows 95 cryptography application. The cryptography algorithm I made seems to be really strong (somewhat of DES algorithm) and it is now a multiplatform project (Unix, Windows 9x/NT).

o http://www.rand.org/publications/MR/MR976/mr976.pdf
  Title: The Cyber-Posture of the National Information Infrastructure
  by Willis Ware

________________________________________________________________________
New Interesting Links on the Web
________________________________________________________________________

o http://www.ftc.gov/privacy/index.html
  FTC Web Site for opting out of sharing of personal information

o http://www.counterpane.com/crypto-gram.html
  Bruce Schneier's new monthly newsletter, Crypto-Gram

o http://www.cerias.purdue.edu/
  Purdue's information assurance and security center

o http://csrc.nist.gov/encryption/skipjack-kea.htm
  NIST's SKIPJACK and KEA page

o http://www.nist.gov/aes
  NIST's AES page

o http://niim.bus.utexas.edu/
  The National INFOSEC Information Mall

o http://www.cryptography.com/dpa/
  Kocher's Homepage for Differential Power Analysis (DPA) Attacks

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Mary Ellen Zurko
Iris Associates
Five Technology Park Drive
Westford, MA 01886
978-392-6018
Mary_Ellen_Zurko@iris.com

_______________________________________________________________________
Calls for Papers (full list on Web)
________________________________________________________________________

CONFERENCES

Listed earliest deadline first. See also Cipher Calendar. Mix of full and abbreviated listings this issue; the web page will be updated as soon as possible to include the abbreviated listings.

ISW'98  www.cert.org/research/isw98.html
Information Survivability Workshop 1998 ("Protecting Critical Infrastructures and Critical Applications"), Wyndham Safari Resort, Orlando, Florida USA, October 28-30, 1998.
(submissions due: July 15, 1998)

The second Information Survivability Workshop (ISW'98) will focus on the domain-specific survivability requirements and characteristics of up to four different critical infrastructure and critical application areas (e.g., banking, transportation, electric power, and telecommunications). The primary goal of the workshop is to foster cooperation and collaboration between domain experts and the survivability research community to improve the survivability of critical, real-world systems. Another important goal is to continue to identify and highlight new survivability research ideas that can contribute to the protection of critical infrastructures and critical applications. Attendance at the workshop will be limited to 50 participants, and will be by invitation only, based on the submission of a short position paper (of up to 4 pages in length, single-spaced, 12 pt.). The position paper should clearly indicate how the background or interests of the author(s) would contribute to the goals of the workshop. Position papers must be submitted by electronic mail to isw-98@cert.org, and formatted in HTML, ASCII, or MIME-compliant attachments of Word, FrameMaker, or PowerPoint documents. Please send any questions or comments about the workshop to "isw-98@cert.org". Additional information will be posted periodically on the workshop home page.

ICS'98  www.iie.ncku.edu.tw/ics98
1998 International Computer Symposium, National Cheng Kung University, Tainan, TAIWAN, R.O.C, December 17-19, 1998. (submissions due: July 15, 1998)

ICS'98 consists of eight separate workshops, each focusing on a specific area. Workshop duration will be from one day up to 3 days, depending on the number of selected papers. Of particular interest to this list is the workshop on cryptology and information security. Topics include: Cipher System Design and Theory, User and Message Authentication, Key Distribution and Management, Secret Sharing, Digital Signatures, Zero-Knowledge Protocols, Secure Broadcasting and Electronic Conferencing, Network Security, Database Security, Distributed System Security, Open System Security, Secure Electronic Voting, One-way Functions, Applications of and Information Security Technology.

Authors are invited to submit 4 copies of a complete paper of about 5000 words (no longer than 20 double-spaced pages in A4/letter format using no less than 11-point font) by July 15, 1998, to the following addresses:

(Far East Region) ICS'98 Program Chair / Prof. Yung-Nien Sun / Department of Computer Science and Information Engineering / National Cheng Kung University / No. 1, Ta-Hsueh Road / Tainan, TAIWAN 70101, R.O.C. Tel: 886-6-2747076, Fax: 886-6-2084461 or 886-6-2747076. E-mail: ynsun@vision.iie.ncku.edu.tw

(Other Regions) ICS'98 Program Co-chair / Prof. Yih-Fang Huang / Department of Electrical Engineering / University of Notre Dame / Notre Dame, Indiana 46556 U.S.A. Tel: 2196315350 Fax: 2196314393 E-mail: huang.2@nd.edu

The cover page of each paper should contain: 1) name of the workshop; 2) title of the paper; 3) a short abstract; 4) name, current affiliation, postal address, email address, telephone number, and fax number for each author; 5) name of the contact author; and 6) a list of keywords indicating the content areas related to the paper. Information Center: E-mail: ics98@csie.ncku.edu.tw. Additional information on ICS'98 is available on the conference WWW homepage.

NDSS '99  http://www.isoc.org/ndss99/
The Internet Society 1999 Network and Distributed System Security Symposium (NDSS'99). 3-5 February 1999; San Diego, California, USA.

The symposium will foster information exchange among hardware and software developers of network and distributed system security services. The intended audience includes those who are interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. A major goal of the symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Technical papers and panel proposals for topics of technical and general interest are invited. Deadline for electronic submission is 31 July 1998. The complete call for papers is available at the conference web page.

DCCA-7  http://www.csl.sri.com/dcca7
Seventh IFIP International Working Conference on DEPENDABLE COMPUTING FOR CRITICAL APPLICATIONS (DCCA-7), January 6-8, 1999, in San Jose, California, USA.

Previously unpublished papers are sought in all aspects of dependable computing, including: attributes such as security, safety, and reliability; techniques such as fault tolerance, formal methods, fault injection, and safety analysis; critical application areas such as transportation and medical systems, and process and power industries; and human factors and regulatory issues. The proceedings will be published as a book by IEEE. Submissions will be electronic and are due 3 August 1998. See the web page for further details and submission requirements, or email the program chair John Rushby at Rushby@csl.sri.com.

ASSET99  http://www.utdallas.edu/~ravip/asset99/index.html
IEEE Symposium on Application-Specific Systems and Software Engineering Technology, March 25-27, 1999, Richardson, Texas.

The main focus of this symposium is on application-specific system engineering and software engineering issues encountered in the design and development of complex systems. The symposium will consist of technical papers, panels, and tutorials. Participation from both industry and academia is sought. The topics of interest include, but are not limited to:

- Experiences in software design, development, and validation for telecommunication, embedded, multimedia, wireless, and mobile systems.
- Specialized systems and software engineering techniques, including specification, design, and development techniques for telecommunication, embedded, and transaction processing systems.
- Integrated system design and assessment techniques that consider multiple systems requirements, such as security, real-time, reliability, availability, survivability, etc.
- Techniques and algorithms in network security, real-time communication, network management, telecontrol, and high speed networks.
- CASE tools for application-specific systems development.
- Simulation environments for integrated design and assessment.
- Quality of service analysis for various application systems.
- Performance modeling and evaluation for application-specific systems.
- Application-specific verification, validation, and assessment techniques.

Papers are due Aug 31. See the Web page for details or contact the program chair at ilyen@utdallas.edu. For tutorial proposals contact rmili@utdallas.edu.

FC '99  www.rsa.com/rsalabs/fc99
Third Annual Conference on Financial Cryptography, Anguilla, B.W.I., February 22-25, 1999 (submissions due: September 25, 1998).

This conference solicits original papers on all aspects of financial data security and digital commerce. FC99 aims to bring together persons involved in both the financial and data security fields to foster cooperation and exchange of ideas. FC99 is organized by the International Financial Cryptography Association, and the conference proceedings will be published by Springer Verlag in their Lecture Notes in Computer Science (LNCS) series. A list of relevant topics, and instructions for submitting a paper, can be found at the conference web page.

PKC'99  http://hideki.iis.u-tokyo.ac.jp/pkc99/
1999 International Workshop on Practice and Theory in Public Key Cryptography, Kanto, Japan, March 1-3, 1999. (Submissions due: September 25, 1998) [posted here 5/26/98].

Both original research papers and high quality surveys pertaining to all aspects of public key encryption, digital signature and one-way hashing are solicited. Submissions may present theory, techniques, applications and practical experience on topics including, but not limited to: certification and time-stamping, cryptanalysis, comparison and assessment, discrete logarithm, elliptic curve cryptography, encryption data formats, fast implementation, integer factorization, international standards, keyed one-way hashing, lattice reduction, one-way hashing algorithms, provable security, public key infrastructure, secure electronic commerce, signature data formats, and signcryption schemes. Complete instructions on submitting a paper can be found on the conference web page.

S&P '99 (Oakland)  http://java.sun.com/people/gong/conf/ieee-sp/index.html
The 1999 IEEE Symposium on Security and Privacy will once again be held at the Claremont Resort in Oakland, California, May 9-12, 1999.

The Symposium is the flagship event sponsored by the IEEE Technical Committee on Security and Privacy, and 1999 marks the 20th anniversary of this premier conference. The conference solicits full-length research papers, panel proposals, and abstracts for five-minute presentations. The Call for Papers, with submission instructions, will be posted at the conference Web site by July 31, 1998. This year we strongly encourage electronic submissions in postscript format. Important dates are:

  Paper submission deadline: October 23, 1998
  Acceptance notification: January 18, 1999
  Final camera-ready copy due: March 10, 1999

In addition, a planning group is being set up to organize special events for the 20th anniversary celebration.
In the meantime, ideas and proposals for such events are most welcome and should be sent to the program chairs at li.gong@sun.com and reiter@research.att.com. For this year, the conference will be three (3) full days to accommodate the special events in addition to the regular program.

JOURNALS

Special Issues of Journals and Handbooks: listed earliest deadline first.

o A special issue of The Journal of Computer Security on Research in Intrusion Detection.
  Submissions due: July 15, 1998. Guest editor: Phil Porras, porras@csl.sri.com.
  URL for further information: http://www.csl.sri.com/jcs-ids-call.html
  This special issue seeks papers that describe research beyond the scope of, or orthogonal to, what the commercial intrusion-detection community is producing. The intent is to capture results from key efforts in the field, and to understand the directions and motivations that are driving current and future research in this area. Papers are solicited on all aspects of intrusion detection, including the extension of intrusion-detection techniques to new problem domains, as well as the application of other techniques to intrusion detection. Suggested topics include, but are not limited to:
  * Active response capabilities and cooperative decision support
  * Cooperation policies and distributed correlation across administrative domains
  * Cross-pollination of intrusion-detection techniques and applications with other disciplines
  * Formalization of activity modeling
  * Integration into large scale environments, including efficient methods for high-volume event analysis
  * Integration of intrusion-detection capabilities into existing network services, infrastructure, and management frameworks
  * Interoperability and reusability among intrusion-detection modules
  * Service-oriented intrusion-detection architectures (including work toward supportive services such as intrusion-detection management, dynamic registration, event collection, results interpretation)

o DISTRIBUTED AND PARALLEL DATABASES: AN INTERNATIONAL JOURNAL - SPECIAL ISSUE ON SECURITY.
  Submissions due: September 30, 1998. Guest Editors: Vijay Atluri and Pierangela Samarati.
  Papers are solicited describing high-quality original unpublished research, case studies, as well as implementation experiences in any area related to computer and communication security. Manuscripts must be submitted as Postscript files via electronic mail to Prof. Vijay Atluri at atluri@andromeda.rutgers.edu. In addition, send five hard copies of your submission to: Melissa Parsons, Journals Editorial Office, Kluwer Academic Publishers, 101 Philip Drive, Norwell, MA 02061, USA; tel: (+1)781-871-6600; fax: (+1)781-878-0449; e-mail: mparsons@wkap.com. More information at http://www.csl.sri.com/~samarati/ads/dapd.html.
________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

IEEE Symposium on Security and Privacy, May 4-6, 1998, Oakland, California
See above report by Mary Ellen Zurko

IEEE Computer Security Foundations Workshop (CSFW11), June 9-11, 1998, Rockport, Massachusetts
See above report by Levente Buttyan

ICDCS '98 - The 18th International Conference on Distributed Computing Systems, Amsterdam, The Netherlands, May 26-29, 1998. [Security related papers only]
  o Trust Metrics, Models and Protocols for Electronic Commerce Transactions. D. Manchala
  o A Mechanism for Establishing Policies for Electronic Commerce. N. Minsky and V. Ungureanu
  o Decentralized Micropayment Consolidation. J. Chomicki, S. Naqvi, M. Pucci, and R. Underwood
  o Cliques: A New Approach to Group Key Agreement. M. Steiner and G. Tsudik
  o Experience with Secure Multi-Processing in Java. D. Balfanz and L. Gong

1998 USENIX Annual Technical Conference, New Orleans, Louisiana, USA, June 15-19, 1998. [Security related papers only]
  o Deducing Similarities in Java Sources from Bytecodes. B. Baker and U. Manber
  o Implementing Multiple Protection Domains in Java. C. Hawblitzel, C.-C. Chang, G. Czajkowski, D. Hu, and T. von Eicken
  o The Safe-Tcl Security Model. J. Levy, L. Demailly, J. Ousterhout, and B. Welch

LICS'98 - Thirteenth Annual IEEE Symposium on Logic in Computer Science, June 21-24, 1998, Indianapolis, Indiana, USA. [Security-related paper only]
  o Secure Implementation of Channel Abstractions. M. Abadi, C. Fournet, and G. Gonthier

Workshop on Formal Methods and Security Protocols, June 25, 1998, Indianapolis, Indiana, USA (following LICS'98). [These are the presented papers. There were no published proceedings. -ed.]
  o Justifying Finite Resources for Adversaries in Automated Analysis of Authentication Protocols. S. Stoller
  o Using the NRL Protocol Analyzer to Examine Protocol Suites. C. Meadows
  o A Machine Checkable Logic of Knowledge for Specifying Security Properties of Electronic Protocols. E. Clarke, W. Marrero and S. Jha
  o ActiveSPEC: A Framework for the Specification and Verification of Active Network Services and Security Policies. D. Dieckman, P. Alexander and P. Wilsey
  o Specification and Analysis of Mobile IP Using ASTRAL. Z. Dang and R. Kemmerer
  o Protocol Specification and Analysis in Maude. G. Denker and J. Meseguer
  o Relating Two Models of Computation for Security Protocols. P. Syverson
  o Strand Space Pictures. F. Javier Thayer Fabrega, J. Herzog and J. Guttman

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
by Anish Mathuria
_______________________________________________________________________

IBM Systems Journal, Vol. 37, No. 1 (1998):
  o P.-C. Cheng, J. Garay, A. Herzberg, and H. Krawczyk. A security architecture for the Internet Protocol. pp. 42-60.
  o A. Herzberg and D. Naor. Surf'N'Sign: Client signatures on Web documents. pp. 61-71.
  o J. Abad Peiro, N. Asokan, M. Steiner, and M. Waidner. Designing a generic payment service. pp. 72-88.

Computer Communications, Vol. 20, No. 16 (January 1998):
  o B. Soh and S. Young. Network system and world wide web security. pp. 1431-1436.

IEEE Transactions on Data & Knowledge Engineering, Vol. 10, No. 1 (January/February 1998):
  o E. Bertino, S. Jajodia, L. Mancini and I. Ray. Advanced Transaction Processing in Multilevel Secure File Stores. pp. 120-135.

Computers & Security, Vol. 17, No. 2 (1998) [Thanks to Carl Landwehr for this entry]:
  Refereed papers:
  o M. Peyravian, A. Rginsky, and A. Kshemkalyani. On probabilities of hash value matches. pp. 171-176.
  o E. Dawson and H. Gustafson. A method for measuring entropy of symmetric cipher key generators. pp. 177-184.
Electronics Letters, Vol. 34, No. 4 (February 19, 1998) [Thanks to Colin Boyd for this entry]:
  o G. Horng and C.-K. Hsu. Weakness in the Helsinki protocol. pp. 354-355.

Computer Communications, Vol. 21, No. 2 (March 1998):
  o W.-B. Lee and C.-C. Chang. Authenticity of public keys in asymmetric cryptosystems. pp. 195-198.

Computer Communications, Vol. 21, No. 3 (March 1998):
  o B. Smith and J. Garcia-Luna-Aceves. Efficient security mechanisms for the border gateway routing protocol. pp. 203-210.
  o H.-M. Sun and S.-P. Shieh. Secure broadcasting in large networks. pp. 279-283.
  o W.-B. Lee and C.-C. Chang. Using RSA with low exponent in public network. pp. 284-286.

Distributed Computing, Vol. 11, No. 2 (1998):
  o J. Gray and P. Syverson. A logical approach to multilevel security of probabilistic systems. pp. 73-90.

IEEE Network, Vol. 12, No. 2 (March/April 1998):
  o T. Bass, A. Freyre, D. Gruber and G. Watt. E-Mail Bombs and Countermeasures: Cyber Attacks on Availability and Brand Integrity. pp. 10-17.

IEICE Transactions on Information and Systems, Vol. E81-D, No. 4 (April 1998):
  o T. Tanaka, Y. Kaji, H. Watanabe, T. Takata, and T. Kasami. Security Verification of Real-Time Cryptographic Protocols Using a Rewriting Approach. pp. 355-363.

Computer Networks & ISDN Systems, Vol. 30, Nos. 1-7 (April 1998):
  o M. Abadi, A. Birrell, R. Stata and E. Wobber. Secure Web tunneling. pp. 531-539.
  o M. Naor and B. Pinkas. Secure accounting and auditing on the Web. pp. 541-550.
  o R. Khare and A. Rifkin. Trust management on the World Wide Web. pp. 651-653.

ACM SIGOPS Operating Systems Review, Vol. 32, No. 2 (April 1998) [Thanks to Carl Landwehr for this entry]:
  o M. de Vivo, G. de Vivo, and G. Isern. Internet security attacks at the basic levels. pp. 4-15.
  o S. Gritzalis and G. Aggelis. Security issues surrounding programming languages for mobile code: JAVA vs. Safe-Tcl. pp. 16-32.

Electronics Letters, Vol. 34, No. 10 (May 14, 1998) [Thanks to Colin Boyd for this entry]:
  o C. Mitchell, M. Ward and P. Wilson. Key control in key agreement protocols. pp. 980-981.

IEEE Journal on Selected Areas in Communications, Vol. 16, No. 4 (May 1998) [Special issue on Copyright and Privacy Protection]:
  o R. Anderson, I. Cox, S. Low and N. Maxemchuk. Guest Editorial. pp. 449-451.
  o G. Simmons. The History of Subliminal Channels. pp. 452-462.
  o G. Simmons. Results Concerning the Bandwidth of Subliminal Channels. pp. 463-473.
  o R. Anderson and F. Petitcolas. On the Limits of Steganography. pp. 474-481.
  o M. Reed, P. Syverson and D. Goldschlag. Anonymous Connections and Onion Routing. pp. 482-494.
  o A. Jerichow, J. Muller, A. Pfitzmann, B. Pfitzmann and M. Waidner. Real-Time Mixes: A Bandwidth-Efficient Anonymity Protocol. pp. 495-509.
  o J. Hernandez, F. Perez-Gonzalez, J. Rodriguez and G. Nieto. Performance Analysis of a 2-D-Multipulse Amplitude Modulation Scheme for Data Hiding and Watermarking of Still Images. pp. 510-524.
  o C. Podilchuk and W. Zeng. Image-Adaptive Watermarking Using Visual Models. pp. 525-539.
  o M. Swanson, B. Zhu and A. Tewfik. Multiresolution Scene-Based Video Watermarking Using Perceptual Models. pp. 540-550.
  o R. Ohbuchi, H. Masuda and M. Aono. Watermarking Three-Dimensional Polygonal Models Through Geometric and Topological Modifications. pp. 551-560.
  o S. Low and N. Maxemchuk. Performance Comparison of Two Text Marking Methods. pp. 561-572.
  o S. Craver, N. Memon, B.-L. Yeo and M. Yeung. Resolving Rightful Ownerships with Invisible Watermarking Techniques: Limitations, Attacks, and Implications. pp. 573-586.
  o I. Cox and J.-P. Linnartz. Some General Methods for Tampering with Watermarks. pp. 587-593.

Computer Communications, Vol. 21, No. 5 (May 1998):
  o Y.-S. Chang and T.-C. Wu. Group-oriented authentication mechanism with key exchange. pp. 485-497.

Proceedings of the IEEE, Vol. 86, No. 6 (June 1998):
  o Swanson, Kobayashi, and Tewfik. Multimedia Data Embedding and Watermarking Technologies. pp. 1064-1087.

IEEE Computer, Vol. 31, No. 6 (June 1998) [Thanks to Carl Landwehr for this entry]:
  o U. Lindqvist and E. Jonsson. A Map of Security Risks Associated with Using COTS. pp. 60-66.
  o Q. Zhong and N. Edwards. Security Control for COTS Components. pp. 67-73.

ACM SIGOPS Operating Systems Review, Vol. 32, No. 3 (July 1998) [Thanks to Carl Landwehr for this entry]:
  o S. Xu, G. Zhang and H. Zhu. On the Security of Three-Party Cryptographic Protocols. pp. 7-20.

Communications of the ACM, Vol. 41, No. 7 (July 1998) [Thanks to Carl Landwehr for this entry]:
  Digital Watermarking
  o N. Memon and P. Wong. Protecting digital media content. pp. 35-43.
  o S. Craver, B.-L. Yeo, and M. Yeung. Technical trials and legal tribulations. pp. 44-55.
  o F. Mintzer, G. Braudaway, and A. Bell. Opportunities for watermarking standards. pp. 56-65.
  o J. Zhao, E. Koch, and C. Luo. In business today and tomorrow. pp. 67-72.
  o J. Acken. How watermarking adds value to digital content. pp. 75-80.

Proceedings of the IEEE, Vol. 86, No. 7 (July 1998):
  o A. Mehrotra and L. Golding. Mobility and Security Management in GSM System and Some Proposed Future Improvements. pp. 1480-1497.

________________________________________________________________________
Calendar
________________________________________________________________________
====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================
"CWP" indicates there is a hyperlink to a conference web page on the Cipher Web pages. (In many cases there is such a link even though mention is not made of it here, to save space.)

Dates               Event, Location                     Point of Contact/more information
-----               ---------------                     ----------------------------------
 7/15/98- 7/17/98:  IFIP WG11.3, Chalkidiki, Greece, CWP
 7/15/98:           JCS Special iss. on Intrusion Detection papers due, CWP
 7/31/98:           NDSS '99 Submissions due, CWP
 8/ 3/98:           DCCA-7 Submissions due, CWP
 8/10/98:           SETA '98, Singapore; CWP, Submissions to dingcs@iscs.nus.edu.sg
 8/17/98- 8/21/98:  COMPSAC '98, Vienna, Austria
 8/24/98- 8/27/98:  VLDB '98, New York City, NY, CWP
 8/24/98- 8/28/98:  DEXA-WBPR '98, Vienna, Austria
 8/24/98- 8/28/98:  NBIS '98; Vienna, Austria, CWP
 8/24/98- 8/28/98:  MDDS '98, Vienna, Austria, CWP
 8/24/98- 8/28/98:  ECOMM; Vienna, Austria, CWP
 8/26/98- 8/28/98:  DEXA-SIDIA '98, Vienna, Austria, CWP
 8/31/98- 9/ 3/99:  EC '98, Boston Mass., CWP
 8/31/98- 9/ 4/98:  IFIP/SEC '98, Vienna and Budapest, CWP
 9/14/98- 9/15/98:  RAID '98, Louvain-la-Neuve, Belgium, CWP
 9/14/98- 9/16/98:  ECC '98, Waterloo Ontario, Canada, ecc98@math.uwaterloo.ca
 9/16/98- 9/18/98:  ESORICS '98, Neuve, Belgium, CWP
 9/21/98- 9/25/98:  HPN '98, Vienna Austria, www.ikn.tuwien.ac.at/IKN/events/
 9/22/98- 9/25/98:  NSPW '98, Charlottesville VA, USA, CWP
 9/24/98- 9/26/98:  WDAG '98, Andros Greece, http://helios.cti.gr/disc/
 9/25/98:           FC98 submissions due, CWP
 9/25/98:           PKC submissions due, http://hideki.iis.u-tokyo.ac.jp/pkc99/
 9/30/98:           DPD special issue due, http://www.csl.sri.com/~samarati/ads/dapd.html
10/ 2/98:           IRW-FMP '98, Australia, CWP
10/ 5/98-10/ 9/98:  NISS '98, Arlington VA, USA, http://csrc.nist.gov/nissc/
10/ 5/98-10/ 9/98:  FMLDO 7, Ostfriesland, Germany, CWP
10/ 6/98-10/ 9/98:  21st NISS, Crystal City VA, USA, http://csrc.nist.gov/nissc/
10/23/98:           S&P 99 submissions due, http://java.sun.com/people/gong/conf/ieee-sp/index.html
11/ 3/98-11/ 5/98:  CCS-5, San Francisco, CA, USA, CWP
11/19/98-11/20/98:  IIIS, Fairfax, VA, CWP
12/ 7/98-12/11/98:  14th ACSAC, Phoenix, AZ, CWP
12/14/98-12/17/98:  SETA '98, Singapore, CWP
 1/ 5/99- 1/ 8/99:  ECT track of HICSS-32, Maui, Hawaii, CWP
 2/22/99- 2/25/99:  3rd FC, Anguilla, BWI, http://www.rsa.com/rsalabs/fc99
 3/ 1/99- 3/ 3/99:  PKC 99, Kanto Japan, http://hideki.iis.u-tokyo.ac.jp/pkc99/
 5/ 9/99- 5/12/99:  IEEE S&P 99; Oakland, URL above at 10/23/98
 5/11/99- 5/14/99:  11th CITSS, Ottawa; no e-mail address available
 8/23/99- 8/26/99:  USENIX Sec '99, Washington DC, conference@usenix.org
 9/22/99- 9/24/99:  NSPW '99, Ontario, Canada, no address available
 4/30/00- 5/ 3/00:  IEEE S&P 00; Oakland, no e-mail address available
 5/16/00- 5/19/00:  12th CITSS, Ottawa; no e-mail address available

Key:
  * ACISP = Australasian Conference on Information Security and Privacy
  * ACSAC = Annual Computer Security Applications Conference
  * CAiSE*98 = Conference on Advanced Information Systems Engineering
  * CCS = ACM Conference on Computer and Communications Security
  * CCSS = Annual Canadian Computer Security Symposium (see CITSS)
  * CITSS = Canadian Information Technology Security Symposium
  * CFP = Conference on Computers, Freedom, and Privacy
  * COMPSAC = Int'l. Computer Software and Applications Conference
  * CRYPTO = IACR Annual CRYPTO Conference
  * CSFW = Computer Security Foundations Workshop
  * DCCA = Dependable Computing for Critical Applications
  * DEXA = International Conference and Workshop on Database and Expert Systems Applications
  * DEXA-SIDIA = DEXA Workshop on Security and Integrity of Data Intensive Applications
  * DEXA-WBPR = International Workshop on Business Process Reengineering and Supporting Technologies for Electronic Commerce
  * DOCSec = Second Workshop on Distributed Object Computing Security
  * DPD = Distributed and Parallel Databases: An International Journal
  * EC = USENIX Workshop on Electronic Commerce
  * ECC = Workshop on Elliptic Curve Cryptography
  * ECOMM = Business Process Reengineering and Supporting Technologies for Electronic Commerce
  * ECT = Electronic Commerce Technologies Track of HICSS-32
  * ECDLP = Workshop on the Elliptic Curve Discrete Logarithm Problem
  * ESORICS = European Symposium on Research in Computer Security
  * EUROCRYPT = IACR Annual CRYPTO workshop in Europe
  * FC = IFCA Annual Financial Cryptography Conference
  * FSE = Fast Software Encryption Workshop
  * HASE = High-Assurance Systems Engineering Workshop
  * HICSS-32 = 32nd Hawaii International Conference on System Sciences
  * HPN = IFIP Conference on High Performance Networking
  * IEEE S&P = IEEE Symposium on Security and Privacy
  * IFIP/SEC = International Conference on Information Security (IFIP TC11); IFIP/SEC '98 is the Twelfth Annual
  * IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security
  * INET = Internet Society Annual Conference
  * IRW-FMP = International Refinement Workshop and Formal Methods Pacific
  * ISCC = IEEE Symposium on Computers and Communications
  * JCS = Journal of Computer Security
  * MDDS = Mobility in Databases and Distributed Systems
  * NBIS = Network-Based Information Systems
  * NCISSE = National Colloquium for Information Systems Security Education
  * NISS = National Information Systems Security Conference
  * NSPW = New Security Paradigms Workshop
  * PKC = Int. Workshop on Practice and Theory in Public Key Cryptography
  * RAID = Workshop on the Recent Advances in Intrusion Detection
  * SAC = Workshop on Selected Areas of Cryptography
  * SETA = Sequences and their Applications
  * SICON = IEEE Singapore International Conference on Networks
  * SIGMOD/PODS = ACM SIGMOD International Conference on Management of Data / ACM SIGACT SIGMOD-SIGART Symposium on Principles of Database Systems
  * SNDSS = Symp. on Network and Distributed System Security (Internet Society)
  * USENIX Sec = USENIX Security Symposium
  * VLDB = International Conference on Very Large Data Bases
  * WDAG = Workshop on Distributed Algorithms (now DISC)
  * WETICE = IEEE Workshops on Enabling Technologies, Infrastructure for Collaborative Enterprises
  * WFMSP = Workshop on Formal Methods and Security Protocols

________________________________________________________________________
Listing of Academic (Teaching and Research) Positions in Computer Security
maintained by Cynthia Irvine
________________________________________________________________________

  * Dept. of Electrical and Computer Engineering, Iowa State University, Ames, Iowa
    Assistant, Associate, or Full Professor in Computer Engineering (special interest in networks and security)
    Date closed: December 15, 1997, or until filled
    http://vulcan.ee.iastate.edu/~davis/job-ad.html
  * Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA
    Visiting Professor (9/98)
    http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_prof_ad.html
  * Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA
    Computer Scientist (9/21/97)
    http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_97de055.html
  * US Air Force Academy Department of Computer Science, Colorado Springs, CO
    Professor (7/98)
    http://www.usafa.af.mil/dfcs/
  * Purdue University, Computer Science Department, West Lafayette, IN
    Assistant Professor, tenure track, also Assoc. and Full Prof. (2/98)
    http://www.cs.purdue.edu/facAnnounce

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on the Cipher web page and e-mail issues, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). Members of the IEEE Computer Society may join the TC via an https link.
The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: http://computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                    First Name                    Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                                  State
___________________________________________________________
Country                                          Postal Code
___________________________________________________________
Office Phone                                             Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.
TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
  IEEE Computer Society
  1730 Massachusetts Ave, NW
  Washington, DC 20036-1992
  Phone: (202) 371-0101
  FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

o Proceedings of the 1998 IEEE CS Symposium on Security and Privacy

  Copies are available directly from the TC on Security and Privacy for $25 per copy. This price includes domestic shipping and handling. For overseas delivery:
    -- by surface mail, please add $5 per order (3 volumes or fewer)
    -- by air mail, please add $10 per volume
  If you would like to place an order, please send a letter specifying
    * how many issues you would like,
    * where to send them, and
    * a check in US dollars, payable to the IEEE Symposium on Security and Privacy
  to:
    Brian J. Loe
    Treasurer, IEEE TC on Security and Privacy
    Secure Computing Corp.
    2675 Long Lake Rd.
    Roseville, MN 55113
    U S A
    e-mail: loe@securecomputing.com
  Sorry, we are not yet ready for electronic commerce!

  You may also order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm.

o Proceedings of the Computer Security Foundations Workshops (2 through 11, excluding 4)

  The most recent Computer Security Foundations Workshop (CSFW11) took place the 9th through 11th of June in Rockport, Massachusetts USA. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each. Copies of all earlier proceedings (except the first and fourth) are also available at $10. Checks payable to "Joshua Guttman for CSFW" may be sent to:
    Joshua Guttman, MS A150
    The MITRE Corporation
    202 Burlington Rd.
    Bedford, MA 01730-1420 USA
    guttman@mitre.org
  Because of travel plans, CSFW orders received after 22 July will be filled in late August.

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
  Charles P. Pfleeger
  Arca Systems, Inc.
  8229 Boone Blvd, Suite 750
  Vienna VA 22182-2623
  (703) 734-5611 (voice)
  (703) 790-0385 (fax)
  c.pfleeger@computer.org

Past Chair:
  Deborah Cooper
  P.O. Box 17753
  Arlington, VA 22216
  (703) 908-9312 (voice and fax)
  d.cooper@computer.org

Vice Chair:
  Thomas A. Berson
  Anagram Laboratories
  P.O. Box 791
  Palo Alto, CA 94301
  (650) 324-0100 (voice)
  berson@anagram.com

Chair, Subcommittee on Academic Affairs:
  Prof. Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department
  Code CS/IC
  Monterey CA 93943-5118
  (408) 656-2461 (voice)
  irvine@cs.nps.navy.mil

Newsletter Co-editors:
  Paul Syverson
  Code 5543
  Naval Research Laboratory
  Washington, DC 20375-5337
  (202) 404-7931 (voice)
  (202) 404-7942 (fax)
  syverson@itd.nrl.navy.mil

  Avi Rubin
  AT&T Labs - Research
  Room B282
  180 Park Ave.
  Florham Park NJ 07932-0971
  (973) 360-8356 (voice)
  (973) 360-8809 (fax)
  rubin@research.att.com

Chair, Subcommittee on Standards:
  David Aucsmith
  Intel Corporation
  JF2-74
  2111 N.E. 25th Ave
  Hillsboro OR 97124
  (503) 264-5562 (voice)
  (503) 264-6225 (fax)
  awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
  Michael Reiter
  AT&T Labs - Research
  Room A269
  180 Park Ave
  Florham Park NJ 07932-0971
  (973) 360-8349 (voice)
  (973) 360-8809 (fax)
  reiter@research.att.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:
  1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
  2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing or downloading from our ftp server, send e-mail to (which is NOT automated) with subject line "subscribe postcard".
To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

=========end of Electronic Cipher Issue #28, 13 July 1998==============