Subject: Electronic CIPHER, Issue 30, December 18, 1998

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 30                               December 18, 1998

Avi Rubin and Paul Syverson, Editors
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/

Contents: [3590 lines total]

o Letter from the Editor
o 1999 IEEE Computer Security Foundations Workshop Call for Papers

Security and Privacy News Briefs:
o LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
  --Wassenaar, and more, from cypherpunks, dcsb, privacy, and tbtf
o NIST Issues High Level FIPS 140-1 Certifications
o Common Criteria News, by Gene Troy

Commentary and Opinion:
Book Reviews by Bob Bruen
o The Happy Hacker, by Carolyn Meinel
o Intrusion Detection. Network Security Beyond the Firewall, by Terry Escamilla
o Stopping Spam, by Alan Schwartz and Simson Garfinkel

Conference Reports:
o First AES Candidate Conference, by Edward Roback and Morris Dworkin
o Workshop on Security and Integrity of Data Intensive Applications,
  by T. Mandry, G. Pernul, and T. Schlichting
o CCS5, 5th ACM Conference on Computer and Communications Security

Conference announcements:
o DCCA
o FC 99

New reports available via FTP and WWW:
o ATIP US-Japan Encryption Policy Comparison
o Wei Dai's latest PipeNet advances
o NSF E-Commerce Research Priorities Workshop Report
o US DoD Web Site Policy

New Interesting Links on the Web: IACR Newsletter, Wassenaar, UK Software Protection Page
Who's Where: recent address changes
Calls for Papers
Reader's guide to recent security and privacy literature
o Conference Papers
o Journal and Newsletter articles
Calendar
List of Computer Security Academic Positions, maintained by Cynthia Irvine
Publications for Sale -- S&P and CSFW proceedings available
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

We are pleased to bring you another issue of the Cipher newsletter. As in virtually every issue, we include reports on security conferences and workshops---in this case, the first AES conference, the ACM CCS conference, and the Workshop on Security and Integrity of Data Intensive Applications. These provide the community with insights into what has occurred at these conferences beyond what can be obtained from the proceedings. And, speaking from experience, writing such a report often enhances the writer's own experience of a conference as well.

There are many security conferences in the early part of next year, e.g., DCCA, as well as ones that have just passed, e.g., ACSAC. If you have attended or will be attending any such conference in the near future, we urge you to consider contacting us about writing up the experience for Cipher.

As always, our contributors have helped to make this issue what it is. In addition to our named contributors we would like to thank the anonymous contributors.
Finally (this should be boilerplate by now), a special thanks to Carl Landwehr, who continues to provide pointers to papers, stories, URLs and magazine clippings, as well as invaluable advice.

Avi Rubin and Paul Syverson
Editors, Cipher

(P.S. from Paul: I am sorry to say that the force of other obligations has prompted Avi to move on, and this will be his last issue as editor. He has been an invaluable help with respect to both the content and structure of the newsletter, as well as in simplifying much of the technical apparatus that comes with assembling Cipher and putting it on the Web. He will be sorely missed, and I can only hope that future issues will not lose too much appeal without his input.)

____________________________________________________________________
1999 IEEE Computer Security Foundations Workshop Call for Papers
____________________________________________________________________

(also available on the Web at )

Call For Papers
12th IEEE Computer Security Foundations Workshop
June 28-30, 1999
Mordano, Italy

Sponsored by the Technical Committee on Security and Privacy of the IEEE Computer Society

This workshop series brings together researchers in computer science to examine foundational issues in computer security. This year the workshop moves to continental Europe for the first time, near Bologna, Italy. It is also timed to coordinate with FLoC (the Federated Logic Conference), taking place later the same week in relatively nearby Trento, which includes a workshop on Formal Methods and Security Protocols. We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories. Both papers and panel proposals are welcome.
Possible topics include, but are not limited to:
---------------
access control
authentication
data and system integrity
database security
network security
distributed systems security
information flow
privacy
anonymity
security protocols
security models
formal methods for security

as well as foundational issues relating to other critical system properties and in emerging areas such as mobile computing and executable content.

The proceedings are published by the IEEE Computer Society and will be available at the workshop. Selected papers will be invited for submission to the Journal of Computer Security.

Instructions for Participants:

Submission is open to anyone. Workshop attendance is limited to about 40 participants. Prospective participants should send an ELECTRONIC copy of a paper (limit 7500 words) or proposal for panel discussion to Paul Syverson at syverson@itd.nrl.navy.mil. Please clearly identify the contact author and provide email addresses and telephone numbers (both voice and fax). (Paper submissions will be accepted if received by the deadline, but electronic submission of postscript is strongly encouraged.)
IMPORTANT DATES:
Submission deadline:        February 1, 1999
Notification of acceptance: March 12, 1999
Camera-ready papers:        April 9, 1999

Program Committee
-----------------
Paul Syverson (chair), Naval Research Laboratory, USA
Martin Abadi, Compaq Systems Research Center, USA
Simon Foley, University College Cork, Ireland
Dieter Gollmann, Microsoft Research, UK
Joshua Guttman, MITRE, USA
Dahlia Malkhi, AT&T Labs--Research, USA
John McLean, Naval Research Laboratory, USA
John Mitchell, Stanford University, USA
Jonathan Millen, SRI International, USA
George Necula, University of California, Berkeley, USA
Peter Ryan, Defence Evaluation and Research Agency, UK
Pierangela Samarati, University of Milano, Italy
Fred Schneider, Cornell University, USA
Dennis Volpano, Naval Postgraduate School, USA
Aris Zakinthinos, Independent Consultant, Canada

Workshop Location
-----------------
The workshop will be held at the Hotel Panazza, in Mordano, Italy. Mordano is a small town, very close to Imola, where each year the Formula One San Marino Grand Prix is held. Imola is about half an hour's drive from Bologna, a medieval city of half a million inhabitants, hosting the oldest university in Europe (founded in 1088). Other attractions in the area include Ravenna (capital of the Western Roman Empire, with marvelous Byzantine mosaics) and Ferrara (for some centuries an independent dukedom).

Hotel Panazza is made up of seventeenth-century buildings, newly restored (including air-conditioning). Facilities include a large park for relaxing walks, a romantic lake with swans and peacocks, a tennis court and two swimming pools for sports activities, a restaurant, and a conference hall in a former church. The hotel has forty-five rooms, each with private bathroom and telephone.

Bologna is connected to many European cities by an international airport. Imola is about half an hour from Bologna by train or highway, and Mordano is about a 5-minute drive from the Imola exit of the highway.
For those going on to FLoC, Trento is about 3 hours away by car and 4 hours by train.

For further information contact:

General Chair
Prof. Roberto Gorrieri
Dipartimento di Scienze dell'Informazione
Via Mura Anteo Zamboni 7
I-40127 Bologna, Italy
+39 051-354509
gorrieri@cs.unibo.it

Program Chair
Paul Syverson
Naval Research Laboratory
Code 5543
Washington, DC 20375
USA
+1 202-404-7931
syverson@itd.nrl.navy.mil

Publications Chair
Joshua Guttman
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730-1420
USA
+1 781-271-2654
guttman@mitre.org

More online information at .

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

__________________________________________________________________________
LISTWATCH: items from security-related mailing lists (12/08/98)
by Mary Ellen Zurko (mzurko@iris.com)
___________________________________________________________________________

This issue's highlights are from cypherpunks, dcsb, privacy, tbtf.

Last week the report came back that the countries who had signed the Wassenaar Agreement had agreed to limitations on cryptography. The reports on details and just what it will mean continue to come in, and I expect what's available will be superseded by the time you see this. Public statements on the meeting are at . U.S. special envoy for cryptography David Aaron was reported saying that the countries had agreed to impose controls on mass market software. The gist seems to be: for mass-market software, symmetric key length is limited to 56 bits; for generally available software (with other restrictive tests on end-user re-configurability), symmetric key length is limited to 64 bits; asymmetric key lengths are limited to 512 bits for RSA and discrete logarithm systems and 112 bits for elliptic curve systems. And it's up to signatory states to interpret and legislate.
John Gilmore has put out a call to replicate the archives of PGP, Kerberos, IPSEC and others as widely as possible, while the barriers are not in place. Jim Choate has warned that anyone doing so could face punishment from their local government (depending, of course, on what the rules are, how they're enforced, and how the web site is controlled). John Young has put up a preliminary list of international cryptography sources for mirroring .

Steve Bellovin commented on cryptography that encryption algorithms are easy to type in, but easy-to-use or interoperable cryptography is harder. I agree with the sentiment that widely deploying strong cryptography takes a great deal of engineering (and business) effort.

Someone from Denmark claimed that in a call to the Danish Ministry of Commerce he mentioned his web site that posts strong cryptography and was told that he could be fined or jailed for maintaining such a site. Another poster pointed out that national laws and regulations cannot have changed so fast, and several have stated that an agreement made in secrecy like this still faces problems making it into enforced law. However, another poster pointed out that in some countries they are able to enforce the agreement without extra regulations. Some people claim the effect will be to diminish domestic crypto use, as it will shrink the market for such software. Reports from the UK, Finland and Australia support the reported results.

Bob Hettinga points to Sun's handling of crypto in Java as an excellent strategy. They only ship strong cryptography within the US. Users outside of the US are expected to find or produce their own version. They define the Java Cryptographic Extensions API, which they adhere to, and they ship building blocks such as big numbers, a key management framework, and digital signatures everywhere.
[Wassenaar information is still unfolding: Sites giving the text of the Arrangement and related documents and links are indicated below under "New Interesting Links on the Web". There was also a global strike called to protest Wassenaar, planned for Monday Dec. 14. Information about the strike and related commentary is at . Thanks to Mez for sending in these URLs after her LISTWATCH summary was turned in Dec 8. (We experienced an unavoidable delay assembling this issue.) Also, a recent posting in RISKS notes that some member countries have exemptions for Open Source crypto software. --Eds.]

Any account's NorthWest Airlines frequent flier miles can be used by anyone else with the phone number of the account holder, and catching and punishing misuse is the responsibility of the account holder. At least according to a poster to the Privacy list. I find this amazing, and if I had an account there, I'd certainly check this claim out.

Markus Kuhn, a Ph.D. student under Ross Anderson, is doing work on joint administration of distributed archives like Eternity. The goal is to allow for control of content (for example, spam management) while not exposing the managers to punishment by the legal system of national powers. He states: "The distributed administration in my system will be controlled via a sort of cryptographically enforced digital constitution (written in a tiny special purpose functional programming language) that determines administrative rights in a freely configurable way for a distributed server architecture (allowing elections, votes, vetoes, impeachment, updates to the constitution, etc.). This way, no single person will be responsible for the maintenance of such international software repositories, but a (usually international) group of democratically controlled volunteers does this." Posters to cypherpunks suggest the use of e$ instead, either by the content providers or by the recipients (readers).
While money gives influence to those who have it, it also provides a representation of the scale of passion. There was also some concern that the content provider would really be the one in danger of litigation.

The ZapMe! Corp. provides equipment and Web access to schools in return for the ability to monitor student browsing habits by age, sex and zip code, allowing its advertisers to microtarget students . It sells advertising that runs constantly in the lower left hand corner of its browser. It gives kids access to about 10,000 screened Web sites, with the Internet at large available with parental permission. The kids also get email accounts and a place to store their bookmarks.

Digicash has filed for bankruptcy protection . It may have to sell its assets. Bob Hettinga (rah@shipwright.com) is trying to get a syndicate together to buy the blind signature patent.

A frame security hole allows spoofers to replace the information in a frame with their own. There are no obvious clues that the spoof has happened, but you can tell that some of the information in the frames is not from the spoofed site with a View Page Info in Netscape (not like I ever even thought of issuing this menu item until now).

From the Vancouver Sun: "The [Canadian] federal government believes tonnes of highly-sensitive material, including tax records, unemployment insurance claims and parole records were sold intact by a Lower Mainland company that was supposed to shred and recycle the material, The Vancouver Sun has learned. Federal agencies found more than 110 tonnes of unshredded files in a Burnaby warehouse last July that were being offered for sale by West Document Shredding (1995) Inc. But they have been unable to determine what happened to nearly another 200 tonnes they know the company was given by National Archives, the federal agency responsible for disposing of classified and non-classified documents no longer required by the government. [...]
West apparently sold the material unshredded because it could get a higher price per tonne than if it had to tear it into unreadable strips as required under the terms of its contract." The RCMP's National Security Intelligence Service does not believe there was any security breach (none of the unshredded documents were classified), though there was a privacy breach.

So many cypherpunks were using the list as an email address when registering, someone kindly set up a separate list for that very use.

Someone noticed that Network Associates is still a member of the Key Recovery Alliance, and there was a flurry of concern about what that might mean for PGP. As is so often the case, TBTF has the story:

----------------------------------------------------------------------
..Network Associates and the Key Recovery Alliance: nothing new

This widely circulated story is without substance

Wired News originated a story [1] claiming that NAI had quietly rejoined the KRA, after publicly disavowing it [2] following its acquisition of PGP last December [3]. Here are the facts: NAI acquired Trusted Information Systems in May 1998. TIS had been a leader in the Alliance, and its technology was considered to be among the best solutions in this space. NAI resigned the leadership posts that TIS had held in the Alliance and continued to monitor its work, but stopped attending its meetings. The NAI name still appears on the KRA Web site [4], as it has since May. There is no news here. Perhaps Wired was tipped by a disgruntled KRA member after Network Associates sent a representative to a recent meeting to suggest that they disband, because Open Source development provides greater security and assurance than any approach based on key recovery.

The following statement was sent to me by Jon Callas, CTO of Total Network Security (formerly PGP Inc.) at Network Associates.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is the official statement:

"NAI officially withdrew from the Key Recovery Alliance in late 1997. In May of 1998, NAI acquired Trusted Information Systems, which had been an active member of the KRA. NAI subsequently relinquished the leadership role TIS had taken in the organization. NAI Labs' TIS Advanced Research Division continues to monitor the KRA's activities from a technical perspective, but Network Associates in no way advocates mandatory key recovery."

Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0

iQA/AwUBNlC9e335wubxKSepEQJI6wCfSExUUVyfhEO3Nd0xOgu+7gF4SYQAnRBN
35N5BTvab2T8v+PEzhlbzv++
=l7xe
-----END PGP SIGNATURE-----

[1] http://www.wired.com/news/print_version/technology/story/16219.html
[2] http://www.wired.com/news/news/technology/story/9010.html
[3] http://tbtf.com/archive/12-08-97.html#s01
[4] http://www.kra.org/roster/roster3.html#netassoc
________________
----------------------------------------------------------------------

Someone came across the following warning while visiting the Goddard Space Flight Center's website at :

  U.S. GOVERNMENT COMPUTER
  If not authorized to access this system, disconnect now.
  YOU SHOULD HAVE NO EXPECTATION OF PRIVACY
  By continuing, you consent to your keystrokes and data content being monitored.

3Com issued a Security Advisory for some of its switches, suggesting customers change a series of preset passwords, such as, in the CoreBuilder 7000, username: tech, password: tech. Takes me back to the days in VMS of username: System, password: Manager. In addition, the admin password was also available through a proprietary MIB variable.

Some openings in the area of privacy software: Lorrie Faith Cranor (lorrie@research.att.com) has an opening for a Java programming contractor to implement a P3P user agent as a client-side proxy. Anonymizer Inc. is also looking for programmers to work on various projects under development.
John Cutler (jcutler@via.net) is starting a Palo Alto cryptography study group.

Someone posted Bill Gates' SSN from the Microsoft filing information at the SEC.

Back in October, the FCC proposed that law enforcement agencies armed with court-authorized surveillance orders should be able to determine the location of a mobile telephone caller.

Netscape 4.06's "What's Related" feature will, by default, track the user's clickpath after it's invoked, to provide more data for the feature . Microsoft's WebTV does similar backchanneling. It polls users and uploads television and Web site viewing habits nightly.

Scotland Yard and a local council are trying out a closed circuit TV system in London's East End that will raise an alarm when it spots a face from a database (in this case, of known criminals). It matches on the position of facial features.

____________________________________________________________________
NIST Issues High Level FIPS 140-1 Certifications
____________________________________________________________________

FIPS 140-1 is the US government standard for cryptographic modules, and largely the de facto industry standard for commercial devices. The standard provides four increasing, qualitative levels of security intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The first product certified was an Entrust hardware module in October 1995 at level 1. During the autumn of 1998, several products have been certified at an overall level of 3. These include GTE's SafeKeyper Signer, nCipher's nFast Accelerators, the Chrysalis-ITS LunaCA3 PCMCIA card, the Pitney Bowes PC Meter Crypto Module, and the Litronics Argus/300 Security Adapter. On November 25, IBM's 4758 PCI card crypto coprocessor became the first product certified at level 4.
____________________________________________________________________
Common Criteria News: MRA signed, ISO Adopts CC, more
contributed by Gene Troy
____________________________________________________________________

The Common Criteria Project is very active these days, and momentum and consensus continue to build on world-wide adoption of the CC as both de facto and official International Standard. Several important items of interest have happened recently in CC-land. Read on! (Contact: Gene Troy, NIST, email: criteria@nist.gov)

-- CC Mutual Recognition Arrangement (MRA) Signed.

On 5 October, as part of the opening ceremonies of the NISSC, senior officials of six of the seven CC Project Sponsoring Organizations signed the MRA, ensuring mutual recognition of CC-based IT security product evaluations conducted in each others' countries. This is an historic event and an important breakthrough, signaling the culmination of the CC Project. The signatories were: Canada (CSE), France (SCSSI), Germany (GISA/BSI), United Kingdom (CESG), and the United States (NIST and NSA). The Netherlands (NLNCSA) temporarily abstained, as their evaluation program is not yet in place. Read the MRA at: http://niap.nist.gov/ccmra-v1.pdf.

-- ISO Adopts CC as Final Draft International Standard (FDIS) 15408.

At its meeting in Rio de Janeiro on 26 October, ISO/JTC1 "Security Techniques" Subcommittee 27 adopted the CCv2.0 with some minor editorial changes as the new ISO FDIS 15408. This is the next-to-last step in the CC's process of becoming International Standard 15408. All that remains is a short up-or-down ballot among the ISO National Bodies, which will be completed this winter. The text of the CCv2.0, with the recent ISO editing changes included, is now almost certain to become the exact text of the new IS 15408. This slightly revised CC text is posted at: http://csrc.nist.gov/cc/ccv20/ccv2list.htm.

-- NIST Information Technology Lab (ITL) Publishes CC Bulletin.
On 24 November, NIST-ITL published a new bulletin, "Common Criteria: Launching the International Standard", which is the most current description of the CC Project. The bulletin provides an introduction and overview of the CC and discusses its US and multi-national implementation. The CC Project's relationship with ISO and its new FDIS 15408 (the CCv2.0 in ISO lingo) are also described. The bulletin discusses mutual recognition of evaluated products. It also provides some potential scenarios for using the CC. Get the bulletin at http://csrc.nist.gov/cc/info/infolist.htm#papers.

-- NIAP Announces CC Application Courses.

The joint NIST-NSA National Information Assurance Partnership (NIAP) has developed a series of three courses to help educate IT personnel in the use and application of the CC. These courses are open to the public. Course descriptions and further information are available at: http://niap.nist.gov/announcements/98highlights.html#Classes.

There are still openings in the third offering to date of Class #1, "Developing CC Protection Profiles", which will be given December 15-18, 1998 at NIST, Gaithersburg, MD. This four-day class provides introductory information to IT product developers and consumers in the use and application of the CC. Students will get hands-on experience in defining IT security requirements and developing CC Protection Profiles using practical real-world examples. Security Target construction will also be addressed. There is a charge for these classes; group rates and on-site delivery are available. To register or for further information call +1.410.859.4458. Ask for the CC Usage Class Administrator.

Other NIAP CC classes, dates and venues will be announced soon, so check out http://niap.nist.gov/event.html#Classes from time to time.
____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
The Happy Hacker by Carolyn Meinel. American Eagle Publications 1998.
260 pages. Index. $29.95.
Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

The subtitle of this book is "A Guide to (Mostly) Harmless Computer Hacking", a goal which is met. Very little of what is in the book will turn you into someone breaking into banks. What I liked most about the book is the sense that the old definition of hacking around with computers can be found all the way through: trying out this or that, learning what something means, playing around with features of computers that are not so obvious. Happy Hacker turns out to be quite a good introduction to exploring computers and networks for just about anyone. There are lots of tidbits to try out on your Win95 box. The explanation of port scanning is one of the best I have seen. Besides a lighthearted approach, the description is clear and the examples are meaningful.

Ms. Meinel places copious warnings about getting in trouble with your boss, the law and other hackers throughout the book. Just as often she provides hints of fun things to try that will not hurt anyone, but are useful. For example, if you wondered why that annoying $MS background page shows up even after you deleted the file, well, a second copy is contained in another startup file, so instead of deleting it, replace it using her instructions. This type of hack hurts no one, but is satisfying. Forging email, one of the oldest hacks, is explained along with the well known email spam problem and what you can do about it. She traces some spam mail to its source as it passes through forgeries by explaining mail headers.
This is useful education for folks starting out in the world of the Internet. Professionals may see some of this as obvious, but most people do not, making this a worthwhile purchase if you want to learn a few steps beyond the basics without risking jail. Since the author writes well, the book reads quickly and easily, but I would like to have seen more pages.

There are four basic sections. The first eight chapters cover Win95. The second section has seven chapters dealing with Unix and networking. The four chapters in section three are about mail, and the last three chapters provide an interesting history of hacking, hacking humor and meeting hackers.

The book is priced right and I enjoyed it. As long as your expectations are on target, it is a worthwhile purchase as a good introductory text. I expect most readers would pick up at least one new trick. You will not find stack smashing or crypto, but you will see how to bypass Win95 passwords as well as how email is forged.

____________________________________________________________________
Intrusion Detection. Network Security Beyond the Firewall by Terry Escamilla.
John Wiley & Sons 1998. 348 pages. Index, Appendix (resource pointers), Bibliography.
$39.00 Softcover. ISBN 0-471-29000-9. LoC TK5105.59.E83
Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

This book helps to fill a surprising gap in the security literature, that is to say, entire books about the field of intrusion detection (ID). There seem to be only a few products that exist independently from other security products, and many security products do not include ID. Like much of computer & network security, good intrusion detection is hard.
Noticing a major denial of service attack is pretty simple because something does not respond: your PC, your web server, your net or whatever. But knowing for sure that it is a DoS attack and not some other legitimate failure is a bit more difficult. Even harder will be discovering where the attack came from or how it happened to you. For those of us who care not only about protecting our machines from attacks, but also about making sure that the attacks are stopped, the availability of information and tools is vital.

Many of the topics covered are standard, but are seen from a different vantage point. For example, it would be really helpful to have tools beyond tripwire that would let you know when someone has entered your system without authorization. There are obvious things to look for, such as password file changes or log changes, assuming your operating system does decent logging. But what about the older system that was already modified when you decided to install tripwire? You will only know about new changes to files, not about the current use of an old exploit planted earlier without detection. Sometimes it is not possible to do a complete, fresh install of the OS, but you will still want to know about unauthorized activity.

There is research into ID at places like Purdue (Gene Spafford) and a few others, but one of the lessons I have taken from the book is just how much more is still to be developed. We need smarter ways to monitor our systems without logging every keystroke. An example of the problem is setting thresholds. How do you know when someone is a legitimate user who either can not type well or has forgotten a password versus someone trying to guess a password? Often three failed attempts shuts down access for a while. In this case, the number three is the threshold. It says nothing about being able to detect an unauthorized access. Is there a better, smarter approach?
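To make the threshold problem concrete, here is an added example, not taken from the book under review or from the newsletter. It runs two detectors over a handful of constructed login records in a hypothetical "login: FAILED/OK user= from=" format (the format and the addresses are assumptions for illustration only). The first is the plain three-strikes rule the reviewer describes: it locks out a clumsy but legitimate user and misses a source that tries one guess against each of several accounts. The second looks at the same records per source within a time window, which is one of the "smarter" directions the review asks about.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical syslog-like layout (not taken
# from any real system). ISO 8601 timestamps keep the parsing locale-free.
# Lines 1-4: one user mistypes a password three times, then gets in.
# Lines 5-10: one source tries five different accounts once each, then gets in.
SAMPLE_LOG = """\
1998-12-08T09:00:01 host1 login: FAILED user=alice from=10.0.0.5
1998-12-08T09:00:09 host1 login: FAILED user=alice from=10.0.0.5
1998-12-08T09:00:20 host1 login: FAILED user=alice from=10.0.0.5
1998-12-08T09:00:31 host1 login: OK user=alice from=10.0.0.5
1998-12-08T09:05:00 host1 login: FAILED user=root from=192.0.2.77
1998-12-08T09:05:02 host1 login: FAILED user=admin from=192.0.2.77
1998-12-08T09:05:04 host1 login: FAILED user=guest from=192.0.2.77
1998-12-08T09:05:06 host1 login: FAILED user=bob from=192.0.2.77
1998-12-08T09:05:08 host1 login: FAILED user=carol from=192.0.2.77
1998-12-08T09:05:10 host1 login: OK user=carol from=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def naive_lockouts(events, threshold=3):
    """The 'three strikes' rule: lock an account after `threshold` consecutive
    failures on that account, no matter where the attempts come from."""
    failures = defaultdict(int)
    locked = set()
    for e in events:
        if e["result"] == "FAILED":
            failures[e["user"]] += 1
            if failures[e["user"]] >= threshold:
                locked.add(e["user"])
        else:
            failures[e["user"]] = 0  # a success resets the per-account count
    return locked


def source_profile_alerts(events, window_seconds=600, min_accounts=3):
    """Per-source view: how many distinct accounts did one source fail against
    inside a time window, and did a success follow those failures?
    A source touching many accounts once each is flagged even though no single
    account ever reaches the naive threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        if not fails:
            continue
        span = (fails[-1]["ts"] - fails[0]["ts"]).total_seconds()
        accounts = {e["user"] for e in fails}
        success_after = any(
            e["result"] == "OK" and e["ts"] >= fails[-1]["ts"] for e in evs
        )
        if len(accounts) >= min_accounts and span <= window_seconds:
            alerts[src] = {
                "accounts": sorted(accounts),
                "failures": len(fails),
                "success_after_failures": success_after,
            }
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("naive lockouts:", naive_lockouts(evs))          # only alice
    print("per-source alerts:", source_profile_alerts(evs))  # only 192.0.2.77
```

On the constructed data the naive rule locks out alice (a false positive) and says nothing about 192.0.2.77, while the per-source profile flags 192.0.2.77 for five failures across five accounts in eight seconds followed by a success, and leaves alice alone. Neither detector is complete; the point is that the same log supports a far more informative question than "did any one account fail three times".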
Naturally, this trivial example can be extended to larger scale issues, such as port scans of large networks. How can we be alerted to a new problem and then come up with a response beyond simply shutting down the victim, such as quickly getting hold of the source, even if there are multiple hops involved? If you have really good logging facilities, what do you do about analyzing the logs, which few people really enjoy reading, especially when they are large? Interesting paths to follow would include improved statistical techniques and pattern matching.

The current state of things is presented well. Given the scope and impact of today's problems, the future looks good for more work in ID. Escamilla provides the background for a good jumping off point. The book is organized well, spends most of the time with Unix, but does address NT, and covers several ID products. I would like to see a more in-depth analysis of the products. It would be helpful to learn more about the models used to develop products without needing to buy the products or scan the sales glossies, but perhaps that's another book. There are three main parts divided into twelve chapters. The topics include access control, vulnerability scanners, protocol exploits and building a model of intrusion detection as part of an overall approach to security. I recommend it as a book to broaden the scope of what you should learn about in the security field.

____________________________________________________________________
Stopping Spam by Alan Schwartz and Simson Garfinkel. O'Reilly & Associates 1998.
190 pages. Index. Two appendices. $19.95.
Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

Whether you like or dislike unwanted, large volume, sales oriented email, you still have to deal with it. I have always believed it was prudent to understand things even if, or perhaps especially if, I did not like them.
Here is a short, easy to read, useful book on understanding and combating spam. The requisite history lesson is present, but it is covered in interesting detail because the legal trail is interesting. Spam has grown in parallel with the net. As the net reached more people, more spammers tried to reach out, but more than that, spammers have become more technically sophisticated over time. As legal remedies have increased in effectiveness to the point that censorship seems to be the weapon of choice, spammers work harder to avoid being caught by using the technology. In spite of the brevity of this book, one finds lots of help to fight off spammers by looking at the technology, as well as through the use of the technical community. Very often ISPs will be quite happy to shut off spammers because of community pressure and because spammers burn up scarce resources. The authors provide a boatload of suggestions to combat the problem which boil down to just a few principles. They also teach quite a bit about how email works that the average user would not think about. For example, there is a simplified introduction to protocols that is well done. The background for cancelmoose was a fun bit of reading as part of the explanation of message canceling. Make no mistake about the position of the authors (spam must die); however, if you are thinking about becoming a spammer you might want to read it as well. You will learn how it's done, how people fight it and why people fight it. Perhaps you might change your mind. There are eight chapters. The first four describe spam, its history and the net. The next four are how-to chapters for users and sysadmins, which I recommend even if you think you know how to administer an email system. The technical suggestions are worth looking at just in case you might have missed something along the way. Among the goodies are suggestions for policy making and polite form letters to send to spammers and ISPs.
There are many pointers to resources and many practical steps that you can try as you read the book. This book is a good deal for twenty bucks, while making the net a more pleasant place to live.

______________________________________________________________________
Conference Reports
______________________________________________________________________

______________________________________________________________________
FIRST ADVANCED ENCRYPTION STANDARD (AES) CANDIDATE CONFERENCE
Ventura, CA
August 20-22, 1998
Report prepared by Edward Roback and Morris Dworkin (NIST)
(U.S. Government work not protected by U.S. copyright.)
______________________________________________________________________

1. Introduction

On August 20-22, 1998, two hundred members of the global cryptographic research community gathered in Ventura, CA for the First Advanced Encryption Standard (AES) Candidate Conference (AES1). The conference focused on fifteen cryptographic algorithms being considered for the Federal Government's Advanced Encryption Standard. Sponsored by the National Institute of Standards and Technology's (NIST) Information Technology Laboratory, AES1 provided an opportunity for the submitters of candidate algorithms to brief their proposals and answer initial questions. The purpose of the conference was to introduce participants in the analysis and evaluation process to the various candidate algorithms. This conference served as the formal kick-off of the first AES public evaluation and analysis period ("Round 1"), which runs through April 15, 1999.

2. Background and Context: the Advanced Encryption Standard Development Process

Since 1977, NIST's Data Encryption Standard (DES) [1] has been the Federal Government's standard method for encrypting sensitive information. In addition, it has gained wide acceptance in the private sector and has been implemented in a wide variety of banking applications. The algorithm specified in this standard has evolved from solely a U.S.
Government algorithm into one that is used globally. However, with recent successful exhaustive key search attacks, the useful lifetime of DES is now drawing to a close. Anticipating this eventuality, in 1996 NIST officials began preparing for development of a successor standard. In outlining these plans, NIST sought to construct an open process to engage the cryptographic research community and build confidence in the successor algorithm. On January 2, 1997, NIST announced the initiation of a process to develop the AES [2], which would specify the Advanced Encryption Algorithm (AEA) and serve as an eventual successor to the venerable DES. Basic criteria that candidate algorithms would have to meet were proposed, in addition to required elements in the nomination packages to be submitted to NIST. Over thirty sets of comments were received from U.S. Government agencies, vendors, academia, and individuals. Additionally, NIST sponsored an AES workshop on April 15, 1997 to discuss the comments received and obtain additional feedback to better define the request for candidate algorithms. This input was of great assistance to NIST in preparing its formal call for algorithms and evaluation criteria. On September 12, 1997, NIST published its formal call for algorithms [3]. Candidate algorithms had to meet three basic requirements: 1) implement symmetric (secret) key cryptography, 2) be a block cipher, and 3) support cryptovariable key sizes of 128 bits, 192 bits, and 256 bits with a block size of 128 bits. The algorithm could also support additional key and block sizes. In addition to the above requirements, submitters had to provide the following:

1. Complete written specifications of the algorithm,
2. Statements of the algorithm's estimated computational efficiency,
3. Known answer test values for the algorithm, and code to generate those values,
4. Statement of the algorithm's expected cryptographic strength,
5. Analysis of the algorithm with respect to known attacks,
6. Statement of advantages and limitations of the algorithm,
7. Reference implementation of the algorithm, specified in ANSI C,
8. Optimized implementations specified in Java^TM* and ANSI C, and
9. Signed statements that a) identified any pertinent patents and patent applications and b) provided for the royalty-free use of that intellectual property should the candidate be selected for inclusion in the AES.

(* Java and Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Mention of commercial products does not constitute endorsement by NIST.)

In its call for candidates, NIST made clear that security would be the most important criterion by which algorithms are evaluated, followed by efficiency and other characteristics. In the spirit of DES's success, NIST's goal in the AES development effort is to specify an algorithm that will have a lifetime of at least thirty years, that will be used extensively throughout the U.S. Government, and that will also be available in the private sector, on a royalty-free basis worldwide. Twenty-one algorithms were submitted to NIST by the June 15, 1998 deadline. After review, NIST determined that fifteen of these met the minimum acceptability requirements and were accompanied by a complete submission package. These algorithms were made public by NIST on August 20, 1998 at AES1 for the first evaluation period. At the conference, submitters of the fifteen candidate algorithms were invited to provide briefings on the candidates and answer any initial questions. NIST also announced its request for comments on the candidates, due April 15, 1999. These comments will help NIST narrow the field of candidates to approximately five or fewer for the second round of public evaluation. The public analysis of the candidates will be the subject of the Second AES Candidate Conference (AES2), scheduled for March 22-23, 1999.
Following its study of the second round analysis, NIST intends to select one algorithm (or possibly more than one, if warranted) to be proposed for inclusion in the AES.

3. Conference Purpose, AES Development Overview, Announcement of Candidates and Review of Evaluation Criteria

Mr. Miles E. Smid, Manager of the Security Technology Group of the Computer Security Division in NIST's Information Technology Laboratory, welcomed the AES1 participants and noted that the primary purpose of the conference was to provide an opportunity for each of the submitters to formally present their candidate algorithms and design philosophy. After sketching the history of the AES development process he noted that NIST received and reviewed twenty-one packages. In each case, NIST checked whether: 1) the legal documents were completed; 2) the submissions were responsive to all requirements; and 3) the given code, when run, passed the "Known Answer Test." Six of the packages were incomplete; thus, fifteen candidates were formally accepted into the AES development process. Mr. Smid noted NIST did not perform any cryptanalysis and, therefore, acceptance by NIST of an algorithm into the process did not signify anything regarding the strength of a candidate. A list of the six incomplete submissions was read to the audience and posted to NIST's AES website. Mr. Smid then formally unveiled the accepted candidates, as follows:

Country of Origin    Algorithm   Submitter(s)
Australia            LOKI97      Lawrie Brown, Josef Pieprzyk, Jennifer Seberry
Belgium              RIJNDAEL    Joan Daemen, Vincent Rijmen
Canada               CAST-256    Entrust Technologies, Inc.
Canada               DEAL        Richard Outerbridge, Lars Knudsen
Costa Rica           FROG        TecApro Internacional S.A.
France               DFC         Centre National pour la Recherche Scientifique (CNRS)
Germany              MAGENTA     Deutsche Telekom AG
Japan                E2          Nippon Telegraph and Telephone Corporation (NTT)
Korea                CRYPTON     Future Systems, Inc.
USA                  HPC         Rich Schroeppel
USA                  MARS        IBM
USA                  RC6^TM      RSA Laboratories
USA                  SAFER+      Cylink Corporation
USA                  TWOFISH     Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
UK, Israel, Norway   SERPENT     Ross Anderson, Eli Biham, Lars Knudsen

Mr. Smid then briefly reviewed the principal goals NIST has for the AES, as discussed above. The AES should be more secure and efficient than Triple DES. He noted that some of the submitters were claiming efficiency performance for their candidate to be greater than that of single DES. Mr. Edward Roback, Computer Specialist in NIST's Computer Security Division, then proceeded to review the AES evaluation criteria, NIST's plans to foster discussion of the candidates, issues regarding submitting formal comments to NIST, and its plans for efficiency testing of the algorithms. When NIST published its call for algorithms, it included a listing of the evaluation criteria by which NIST intends to make the AES selection. This was done for two reasons: 1) to aid the submitters in understanding the qualities important to NIST, and 2) to ensure that the criteria were well understood and available beforehand to avoid any possible questions of bias. There are three major categories to NIST's AES evaluation criteria: security, cost, and algorithm and implementation characteristics. Each of these has sub-components. Security is, of course, the paramount consideration in the AES selection process and encompasses such issues as the relative security of one candidate as compared to the others, and the extent to which the algorithm output is indistinguishable from a random permutation on the input block. Each submitter had to provide NIST with an estimate of the strength of their candidate. Therefore, any attacks demonstrating that the actual security of an algorithm is less than the claimed strength will factor into NIST's AES decision. Cost includes licensing requirements, computational efficiency, memory requirements and flexibility.
Each candidate submitter had to sign license agreements provided by NIST identifying any known intellectual property (i.e., patents or patent applications) that may be infringed by the practice of the particular candidate. If such property was identified, the owner of the intellectual property had to agree in writing to allow for its worldwide royalty-free use, should the candidate be included in the AES. (Use of the algorithms for the purposes of AES evaluation also had to be granted.) NIST hopes to address any other intellectual property issues that may arise during the public comment process before selecting the AES algorithm. Computational efficiency (i.e., speed) is also a cost consideration. NIST will test the candidate algorithms on a common platform to compare performance characteristics. In the first AES evaluation round, this will focus primarily upon the 128 bit key size, while in the second round (with about five candidates), this will be expanded to include the 192 bit and 256 bit key sizes and hardware performance estimates. Memory requirements (e.g., for code, necessary memory, and so forth) will also be measured. While NIST will conduct some of this analysis, it also welcomes the submission of such analysis by other parties. Algorithm and implementation characteristics include flexibility, hardware and software suitability, and additional features offered by a candidate algorithm. For example, an algorithm may support block sizes other than the required 128 bits and key sizes other than the required 128 bits, 192 bits, and 256 bits. Additionally, some candidates may be designed to facilitate efficient implementation on a wider variety of platforms or in diverse applications. For example, the ability to use the AES in 8 bit processor smart cards with strict memory limitations has often been cited by potential users as desirable. Simplicity of design is also a factor.
If an algorithm's construction is straightforward and easier to analyze, it will likely have an edge over an unnecessarily complex design. In order to facilitate informal discussion of the candidates and to aid NIST in following the expected on-going analysis, NIST has established electronic discussion pages for each candidate as well as other relevant AES topics (e.g., intellectual property). These are intended to aid interaction among parties evaluating particular algorithms or discussing other aspects of the AES process. They are also intended to provide a focal point for each of the fifteen submitters to monitor public review of their candidates. The groups should also provide a way for evaluators to receive feedback on their ideas prior to submitting official formal public comments to NIST. Mr. Roback encouraged submitters to participate in these discussions at their discretion. NIST also welcomes suggestions for other topical discussion groups. All postings to these discussion groups will be publicly available on-line at < http://www.nist.gov/aes >. Turning to NIST's solicitation of public analysis and comments on the algorithms, Mr. Roback said that NIST seeks comments on all aspects of the candidates. Comments on the algorithms as viewed against the evaluation criteria are anticipated to be the subject of a majority of the public comments. Intellectual property is another area in which comments would be useful to NIST, especially claims of intellectual property that were not known to the submitters. Analysis of the entire field of candidates would also be useful (e.g., comparison of all fifteen algorithms against a particular cryptanalytic attack or efficiency testing on a common platform). Finally, NIST is seeking overall recommendations with justifying comments regarding which candidates should be selected as finalists. NIST intends to invite the submitters of particularly useful, novel or insightful comments to brief at AES2.
NIST will accept formal public comments through April 15, 1999; however, comments should be received by February 1, 1999 for consideration for the AES2 program. All formal comments will be part of the official public record. E-mail comments will be accepted at "AESFirstRound@nist.gov". In order to have at least one set of comparable efficiency test values for all fifteen candidates, NIST will measure the efficiency of the optimized ANSI C and Java^TM implementations on an IBM-compatible PC/Intel Pentium-pro Processor (200 MHz), with 64 MB RAM. NIST will conduct tests on other platforms with various compilers, as time and resources permit. NIST also intends to test ciphertext for randomness and to measure the timings of algorithm setup, key setup, key change, encryption, and decryption, where applicable to each algorithm. Mr. Roback emphasized that NIST is conducting these tests to ensure the existence of at least one set of efficiency measures of the entire field of candidates. Other such measurements, on different platforms, including different computer languages or using different compilers, would be welcomed by NIST. Next, Mr. James Foti, a mathematician with NIST's Security Technology Group, explained the contents of the two CDROMs published by NIST. The first, entitled CD-1: Documentation, contains algorithm specifications, supporting documentation, and intellectual property information. It is not subject to U.S. export controls. The second, entitled CD-2: Algorithm Code, contains reference and optimized algorithm code, example values, and all the information contained on CD-1. CD-2 is subject to U.S. export controls and may not be sent outside the U.S. or Canada without an export license. Both disks are available from NIST free of charge. Mr. Foti encouraged interested parties to see NIST's AES web site for ordering information.

4. AES Candidate Algorithm Presentations

Each submitter of a candidate algorithm accepted by NIST into the AES development process was invited to present a briefing on their submission and answer questions. The following is a summary of the presentations. The descriptions of the algorithms generally exclude the key schedules, which tend to be complicated. "Addition" refers to addition modulo the integer that corresponds to the size of the data word; moreover, "key addition [subtraction]" means modular addition [subtraction] of a round key to [from] the data word. Similarly, "key XOR" means bitwise exclusive-or of a round subkey with the data word.

CAST-256

CAST-256 is an extension of the CAST-128 cipher, using the same three round functions but generalizing the Feistel structure, so that in each round one fourth of the data block updates another fourth of the data block. There are forty-eight rounds, and they are constructed so that decryption is identical to encryption up to the order of the round keys. Each round function uses two types of subkeys, one to which a data block is added, subtracted, or XORed, and another that determines a rotation of the result. That in turn determines outputs of four 8x32 s-boxes which are mixed with addition, subtraction, and XOR. The presenter, Carlisle Adams, sketched the history of the CAST family of algorithms, culminating with the endorsement of CAST-128 by the Government of Canada's Communications Security Establishment. Since CAST-256 uses the same round functions as CAST-128, it inherits ten years of public scrutiny. He described the security contributions of the following features of the round function: the design of the bent-function-based s-boxes, the combination of a "masking" subkey and a rotation subkey, the mixing of operations from two different groups, and the mixing of the order of the group operations.
He also cited the advantages of the key schedule and of the generalized Feistel structure, its symmetry, and its extensibility to other block sizes. He acknowledged minor weaknesses in simplified variants of CAST-128, such as a reduced round higher order differential attack, but said that CAST-128, and consequently CAST-256, incorporated safeguards against them.

CRYPTON

CRYPTON is a substitution-permutation network based on the design of SQUARE. There are two alternating round functions that consist of substitution using two 8x8 s-boxes, a bit permutation followed by a byte transposition of the data array, and key XOR. There are twelve rounds, preceded by key XOR, and followed by a transformation that makes decryption identical to encryption up to the order of the round keys, which also must be suitably transformed. The two s-boxes were constructed from three 4x4 s-boxes using a three round Feistel structure. The presenter, Chae Hoon Lim, emphasized the security of the algorithm and the efficiency and simplicity of its "fine-grained design." The round function is fully parallelizable, so there are fast implementations in both hardware and software, almost twice as fast as DES, he claimed. He also claimed that the s-boxes were designed to give efficient hardware implementations, as well as good linear and differential characteristics to resist those attacks and their variations. He discussed the key schedule, citing its speed, claiming that it was designed to avoid known weaknesses, but acknowledging that the designers intended to review and strengthen it. Similarly, the designers intend to construct two variants of one of the given s-boxes and incorporate them into the algorithm.

DEAL

DEAL (Digital Encryption Algorithm with Larger blocks) is a Feistel network that uses DES as its round function. For 128 bit keys or 192 bit keys there are six rounds; for 256 bit keys there are eight rounds.
After the final round, the two halves of the data word are not "unswapped," which introduces a slight asymmetry between encryption and decryption besides the order of the round keys. The key schedule expands the user key by repetition, XORs it with constant offset values, and encrypts it with DES in the Cipher Block Chaining mode under a fixed key. The presenter, Richard Outerbridge, portrayed DEAL as a sensible evolution of the well-studied DES, surpassing the security of triple DES, and avoiding the weaknesses of DES and triple DES. The key schedule was chosen to avoid equivalent keys, related keys, and the complementation property. He emphasized that DEAL could be efficiently implemented on many platforms "almost overnight," because DES has already been extensively deployed. He acknowledged that DEAL is at least as slow as triple DES, especially in its key setup, so DEAL is not suited for constrained environments that require dynamic rekeying. He also acknowledged a recent attack due to Lucks [4].

DFC

DFC (Decorrelated Fast Cipher) is a Feistel network with eight rounds. The round function uses multiplication and addition modulo 2^64+13, reduction modulo 2^64, and a "confusion" permutation. This permutation uses addition modulo 2^64 and the XOR operation with two fixed constants and another constant that is chosen from a table according to six of the data bits. Decryption is identical to encryption up to the order of the round keys. The presenter, Serge Vaudenay, emphasized that the designers were concerned with using the recently developed technique of "decorrelation" to provide "provable security" against iterated attacks of order 2, according to a certain security model. If this could be achieved, it would imply resistance to several classes of attacks, including linear and differential ones; the designers' strategy was to tolerate imperfect decorrelation as long as it could be quantified.
He proceeded to explain their particular assumptions and the security results they achieved, forecasting, for example, that exhaustive search of an 80 bit key would require at least several decades. The documentation also cited implementations of DFC on various platforms, claiming a speed rate greater than all commercial implementations of DES.

E2

E2 ("Efficient Encryption") is a Feistel network with twelve rounds, preceded by an initial transformation and followed by a final transformation. The initial transformation consists of key XOR, modular multiplication in 32 bit blocks with a round key, and a byte permutation; the final transformation is its inverse. The round function consists of a permutation sandwiched between two keyed substitutions, followed by a byte rotation. The permutation is a linear transformation of data bytes; each keyed substitution consists of key XOR followed by the application of an 8x8 s-box to each byte. The construction of the s-box is based on the composition of a power function in GF(2^8) and an affine function in Z/2^8Z. Decryption is identical to encryption up to the order of the round keys. The presenter, Shiho Moriai, explained the rationale for the design, emphasizing the goals of security, efficiency, and flexibility. She claimed that two substitutions per round allow more speed for a given level of security than one substitution per round, and she spoke at some length about the construction and the properties of the s-box. It was constructed by mixing operations from two different groups, both to provide security against algebraic attacks and to convince the user that there are no trapdoors. She also claimed that the s-box could be efficiently implemented on many platforms, including those with 8 bit processors.
She claimed that nine rounds of E2 would provide sufficient security against differential and linear attacks; the extra three rounds therefore constitute "insurance," along with the initial and final transformations, which are intended to resist new, as yet unknown, attacks.

FROG

FROG is an unconventional substitution-permutation network with eight rounds. The expanded key functions as an "interpreter" to sequentially process each byte of the data block. First, the byte is XORed with a byte of key material, and the result indexes another byte of key material. This byte in turn modifies three bytes of the data block: substituting for the original data byte, XORing with the following data byte, and XORing with a third data byte, which is also determined by key material. There is a complicated procedure for generating the large internal key from the user key. Decryption is the inverse of encryption. The presenter, Dianelos Georgoudis, emphasized that FROG was designed under a different paradigm than conventional ciphers. Because the key determines the computational process, that process is hidden from a potential attacker, and the algorithm is difficult to model mathematically. The presenter claimed, for example, that FROG resists linear and differential attacks because the substitutions are initialized with effectively random values that are hidden. The other important design principle was simplicity, which, he claimed, makes trapdoors and obscure structural flaws unlikely. In fact, the presenter claimed that should FROG be found to resist current methods of attack even though it was not specifically designed to do so, then one would gain confidence that it would resist future attacks, whose nature we cannot now predict. He acknowledged and discussed a recent attack due to Wagner, Ferguson, and Schneier [5].
HPC

HPC (Hasty Pudding Cipher) is a set of five subciphers, each covering a range of possible block sizes; the "medium" cipher applies to the 128 bit blocks mandated for the AES. In addition to the expansion of the user key into a lookup table, the cipher features an independent, secondary key, called the "spice," whose use and concealment are optional. The algorithm mixes these two types of key material with the data block in a complicated series of steps involving addition, subtraction, the XOR operation, fixed rotations, and data-dependent rotations. Decryption is the inverse of encryption. The presenter, Rich Schroeppel, emphasized that HPC is an "omni-cipher"; in other words, it is flexible enough to handle variable spice size, any key size, and, especially, any block size. He said that the algorithm is "forward-looking" in that it runs best on 64-bit architectures, but, conversely, it is "smartcard hostile," and, also, "doesn't favor Pentium." He claimed that the algorithm is fast, but cited the disadvantages of the code length, the dynamic storage size, and the slow primary key setup. He acknowledged that the algorithm is inelegant and therefore hard to analyze, but nevertheless he claimed that HPC has good security.

LOKI97

LOKI97 is based on LOKI89 and LOKI91. It varies the Feistel structure in that, both before and after the round function is applied to half of the data block, key material is added to that half. Therefore, decryption requires corresponding key subtractions as well as the usual reordering of the round keys. The round function consists of a keyed permutation, a fixed expansion function, two s-boxes, one 13x8 and the other 11x8, a fixed permutation, another expansion, this time by key material, followed by another application of the s-boxes. The s-boxes are given by cubing in GF(2^13) and GF(2^11). Decryption is similar but not identical to encryption.
The presenter, Jennifer Seberry, first mentioned some weaknesses of the predecessors to LOKI97, including attacks on reduced round versions, but claimed that the full round versions are secure. She then discussed the design goals: no simple relations, no bad keys, and resistance to linear and differential attacks. She explained the rationale behind the elements of the algorithm. The key features of the round function were the double substitution-permutation layer, the completeness property, and the hiding of the round function achieved by the extra key addition incorporated into the Feistel structure. She cited several advantageous properties of the s-boxes. She discussed a recent attack due to Rijmen and Knudsen [6] and suggested possible changes in the algorithm for dealing with it.

MAGENTA

MAGENTA (Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications) is a Feistel network without "unswapping" after the final round. For 128 bit and 192 bit keys there are six rounds, and for 256 bit keys there are eight rounds. The round function acts on the bytes of the data concatenated with bytes of the round subkey. The building blocks are a fixed permutation of individual bytes, the XOR operation, and a shuffling of the bytes. The permutation is discrete exponentiation of a fixed primitive element in a given representation of GF(2^8). The round subkeys are simply disjoint 64 bit segments of the key. Because the subkeys are arranged symmetrically, decryption is almost identical to encryption, up to the swapping of the two halves of the data. The presenter, Michael Jacobson, Jr., explained the algorithm and its algebraic properties, emphasizing the simplicity of the design. Discrete exponentiation provides the property of confusion, and he cited the transparency of the technique as an advantage over the use of s-boxes. Diffusion is provided by the shuffle structure, which is based on the fast Fourier transform.
He presented analysis of the avalanche properties, other statistical properties, and the linear and differential characteristics of the round function, claiming that there are no practical linear and differential attacks. He also claimed that the algorithm is efficient in both hardware and software; he acknowledged the existence of some weak keys. After the presentation, several attendees of the conference mounted attacks on MAGENTA based on the symmetry of the subkeys [7].

MARS

MARS is a cipher with thirty-two modified Feistel rounds structured as follows: key addition, eight rounds of "unkeyed forward mixing," eight rounds of "keyed forward transformation," eight rounds of "keyed backwards transformation," eight rounds of "unkeyed backwards mixing," and key subtraction. In each round, one fourth of the data word updates each of the other three fourths of the data word. The unkeyed rounds use two 8x32 s-boxes, addition, and the XOR operation. In addition to those elements, the keyed rounds use 32 bit key multiplication, data-dependent rotations, and key addition. Decryption is not identical to encryption, although it is similar in structure. The presenter, Shai Halevi, explained the rationale for wrapping the keyed "cryptographic core" with unkeyed mixing: by providing good avalanche of the input bits, the unkeyed rounds are intended to hinder an attacker from stripping away the first and last rounds. He also claimed that this heterogeneous structure would prove resilient against new, as yet undiscovered, attacks. He cited the variety of operations, both known and new, used in the keyed rounds as another protection against future attacks. He discussed the round function of the keyed rounds in more detail, including an analysis of its linear and differential properties. He claimed that MARS offers high resistance to known attacks, better than triple DES, and runs faster than single DES in some implementations.
RC6^TM

RC6^TM is a parameterized family of encryption ciphers that use a modified Feistel structure; under the parameters given for the AES submission, there are twenty rounds. The data block is partitioned into four 32-bit words. In each round, the second word updates the first word, while, in parallel, the fourth word updates the third word, after which the positions of the four words are rotated. The updating uses a quadratic transformation (requiring a 32-bit modular multiplication and addition), the XOR operation, a data-dependent rotation, and key addition. There is also key addition before the first round and after the last round. The decryption routine is derived from the encryption routine by inverting each step.

The presenter, Ron Rivest, emphasized the algorithm's simplicity, speed, and security. He explained in seven steps how the designers of RC6 adapted RC5 to meet the AES submission requirements. An important improvement was to determine the amount of the data-dependent rotations, a main source of the overall security, by the quadratic function; this method is also efficient because 32-bit multiplication is well supported on modern processors. He presented implementation results supporting his claim that RC6 is perhaps the fastest of the candidate algorithms. He cited security analysis of the algorithm, including both its resistance to linear and differential attacks and the security of the key expansion.

RIJNDAEL

Rijndael is a substitution-linear transformation network with ten, twelve, or fourteen rounds, depending on the key size, and with block sizes of 128 bits, 192 bits, or 256 bits, independently specified. The data block is partitioned into a 4x4, 4x6, or 4x8 array of bytes. The round function consists of three parts: a non-linear layer, a linear mixing layer, and a key XOR layer. There is also key XOR before the first round. The non-linear layer is an 8x8 s-box applied to each byte.
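The Rijndael s-box construction that the report goes on to describe (multiplicative inverse in GF(2^8), then an affine transformation over GF(2)), worked out as an added example that is not from the conference report or from the Rijndael submission. It assumes Rijndael's published parameters, which the report does not list: the reduction polynomial x^8 + x^4 + x^3 + x + 1 and the affine constant 0x63; it also checks two properties the presenters keep returning to, that the table is a permutation and how resistant it is to differential attacks.

```python
"""Rijndael s-box from its algebraic definition: GF(2^8) inverse, then an affine map."""

RIJNDAEL_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, Rijndael's reduction polynomial (assumed, not in the report)
AFFINE_CONST = 0x63    # constant of Rijndael's affine transformation over GF(2) (assumed likewise)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8), reducing modulo RIJNDAEL_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:           # degree reached 8: subtract (XOR) the modulus
            a ^= RIJNDAEL_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8). Zero has none; Rijndael maps it to itself."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254   # a^255 = 1 for nonzero a, so a^254 is a^-1
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def affine(x: int) -> int:
    """y = M x + c over GF(2): bit i of y is x_i ^ x_(i+4) ^ x_(i+5) ^ x_(i+6) ^ x_(i+7) ^ c_i,
    which is the same as XORing x with its rotations by 1..4 bits and the constant."""
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ AFFINE_CONST


def build_sbox() -> list:
    """The forward s-box: inverse in the field, then the affine map."""
    return [affine(gf_inv(x)) for x in range(256)]


def build_inv_sbox(sbox: list) -> list:
    """The inverse s-box used by the inverse cipher, obtained by inverting the table."""
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def is_permutation(table: list) -> bool:
    return sorted(table) == list(range(256))


def fixed_points(sbox: list) -> list:
    """Inputs with S(x) == x or S(x) == ~x; the designers chose the constant so there are none."""
    return [x for x in range(256) if sbox[x] == x or sbox[x] == x ^ 0xFF]


def differential_uniformity(sbox: list) -> int:
    """Largest count of x with S(x) ^ S(x ^ a) == b over all nonzero a and all b.
    Divided by 256 this is the best single-s-box differential probability available
    to an attacker; the field inverse gives 4, i.e. 2^-6 per active s-box."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst


if __name__ == "__main__":
    S = build_sbox()
    print("S[0x53] = %#04x" % S[0x53])
    print("permutation:", is_permutation(S), "fixed points:", fixed_points(S))
    print("differential uniformity:", differential_uniformity(S))
```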
The s-box is constructed by considering the byte as an element of GF(2^8), finding its multiplicative inverse, then applying to the corresponding vector an affine transformation over GF(2). The linear layer consists of a shifting of the rows of the array and a mixing of the columns based on maximum distance separable codes. In the last round the column mixing is omitted.

The presenter, Joan Daemen, explained the elements of the cipher: for example, he cited the diffusion properties of the linear layer, and he claimed that the s-box would be difficult to model algebraically. Although he discussed its security against a variety of attacks, he focused on the advantages of the algorithm in its implementations. There is no algorithm setup; the key schedule is fast; the code is compact; there is extensive parallelism. Thus the algorithm runs fast on a wide range of processors, and, he claimed, it is very flexible in hardware. He particularly mentioned its suitability for smart cards, while acknowledging that executing the inverse cipher there could be twice as slow as executing the cipher.

SAFER+

SAFER+ is a substitution-linear transformation network based on the SAFER (Secure and Fast Encryption Routines) family of ciphers. There are eight, twelve, or sixteen rounds, depending on the key size, plus an output transformation after the final round. The round function consists of key-controlled substitution on the sixteen bytes of the data block followed by an invertible linear transformation on the entire data block. The substitution function acts on each individual byte with a combination of key addition, key XOR, and either a fixed permutation or its inverse. The permutation corresponds to discrete exponentiation of a fixed generator in the multiplicative group of integers modulo 257. The linear transformation is generated by a combination of the Pseudo-Hadamard Transform matrix and the "Armenian Shuffle" permutation.
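Discrete exponentiation as a byte permutation, the device both MAGENTA (in GF(2^8)) and SAFER+ (modulo 257) build on, worked through for the SAFER+ case as an added example that is not from the conference report or from the SAFER+ submission. It assumes SAFER's published generator 45, which the report does not name, and uses a simplified key-mixed substitution on one byte pair followed by the 2-point Pseudo-Hadamard Transform, not the exact SAFER+ byte layout or the Armenian Shuffle.

```python
"""Byte permutations from discrete exponentiation modulo 257 (SAFER/SAFER+ style), the
inverse log table, and a small key-controlled substitution paired with its inverse."""

MODULUS = 257    # prime: the nonzero residues 1..256 form a cyclic group of order 256
GENERATOR = 45   # SAFER's generator of that group; assumed here, the report does not name it


def multiplicative_order(g: int) -> int:
    """Smallest k > 0 with g^k = 1 mod 257; 256 means g generates the whole group."""
    x, k = g % MODULUS, 1
    while x != 1:
        x = (x * g) % MODULUS
        k += 1
    return k


def build_exp_box(g: int = GENERATOR) -> list:
    """exp[i] = g^i mod 257.  The 256 powers are exactly the residues 1..256; the single
    value 256 is written as 0 so that the table is a permutation of the byte values."""
    return [0 if v == 256 else v for v in (pow(g, i, MODULUS) for i in range(256))]


def build_log_box(exp_box: list) -> list:
    """The inverse permutation: log[exp[i]] = i."""
    log_box = [0] * 256
    for i, v in enumerate(exp_box):
        log_box[v] = i
    return log_box


EXP_BOX = build_exp_box()
LOG_BOX = build_log_box(EXP_BOX)


def pht(a: int, b: int) -> tuple:
    """2-point Pseudo-Hadamard Transform over Z/256: (a, b) -> (2a + b, a + b)."""
    return (2 * a + b) & 0xFF, (a + b) & 0xFF


def pht_inv(a2: int, b2: int) -> tuple:
    """Inverse PHT: a = a' - b', b = 2b' - a' (mod 256)."""
    return (a2 - b2) & 0xFF, (2 * b2 - a2) & 0xFF


def sub_pair(a: int, b: int, k: tuple) -> tuple:
    """Key-controlled substitution on one byte pair in the SAFER style (simplified layout):
    byte a: XOR key, exp, add key;  byte b: add key, log, XOR key;  then PHT mixing.
    Alternating XOR with modular addition is the 'mixing of additive groups' Massey cited."""
    k1, k2, k3, k4 = k
    a = (EXP_BOX[a ^ k1] + k3) & 0xFF
    b = LOG_BOX[(b + k2) & 0xFF] ^ k4
    return pht(a, b)


def sub_pair_inv(a2: int, b2: int, k: tuple) -> tuple:
    """Decryption derived from encryption by inverting each step in reverse order:
    undo the PHT, then undo add/exp/XOR with subtract/log/XOR (and vice versa)."""
    k1, k2, k3, k4 = k
    a, b = pht_inv(a2, b2)
    a = LOG_BOX[(a - k3) & 0xFF] ^ k1
    b = (EXP_BOX[b ^ k4] - k2) & 0xFF
    return a, b


def roundtrip_ok(pairs, k: tuple) -> bool:
    """True if sub_pair_inv undoes sub_pair for every (a, b) in pairs."""
    return all(sub_pair_inv(*sub_pair(a, b, k), k) == (a, b) for a, b in pairs)


if __name__ == "__main__":
    # Constructed sample values: an arbitrary 4-byte key fragment and a few byte pairs.
    key = (0x1B, 0x2C, 0x3D, 0x4E)
    print("order of 45 mod 257:", multiplicative_order(GENERATOR))
    print("exp box is a permutation:", sorted(EXP_BOX) == list(range(256)))
    print("round trip:", roundtrip_ok([(0, 0), (0x53, 0xCA), (0xFF, 0x80)], key))
```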
The decryption routine is derived from the encryption routine by inverting each step.

The presenter, James Massey, explained how SAFER+ is neither a Feistel cipher nor a substitution-permutation cipher, but rather a generalization of the latter, giving the designer more freedom to seek the best properties. SAFER+ replaces the "Hadamard Shuffle" from the original SAFER family with the "Armenian Shuffle"; he claimed that this resulted in faster diffusion and better resistance to differential attacks. Some other advantages he cited were the byte orientation, the scalability of the bytes, the lack of "suspicious-looking" tables, and the mixing of additive groups. He compared C implementations of SAFER+ and DES by the same programmers to argue that the former cipher was much faster on a Pentium platform. He also claimed that SAFER+ with its eight rounds is secure against linear and differential attacks with a margin of safety, acknowledging, however, that there is no proof of complete security.

SERPENT

Serpent is a substitution-linear transformation network. It has thirty-two rounds, plus an initial and a final permutation to simplify an optimized implementation. The round function consists of key XOR, thirty-two parallel applications of the same 4x4 s-box, and a linear transformation, except in the last round, when another key XOR replaces the linear transformation. The algorithm cycles through eight different s-boxes; thus, each of them is used in four rounds. The decryption routine is derived from the encryption routine by inverting each step.

The presenter, Eli Biham, emphasized that the designers adopted an ultra-conservative philosophy with respect to security, because the AES will need to withstand advances in both engineering and cryptanalysis for many decades.
Thus they chose to base Serpent on a combination of s-boxes and linear mappings, a familiar and well-studied combination from its use in DES, and they chose to use twice as many rounds as even their conservative security analysis dictated. In addition to summarizing this analysis, the presenter described how "bitslicing" could be used to implement the algorithm efficiently, so that it would run as fast as DES.

TWOFISH

Twofish is a slightly modified Feistel network with sixteen rounds. The round function acts on two 32-bit words with four key-dependent 8x8 s-boxes, followed by a fixed 4x4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, and key addition. The modification to the Feistel structure is the insertion of one-bit rotations before and after the results of the round function are XORed with the other two words of the data block. This introduces a slight asymmetry between encryption and decryption besides the order of the round subkeys.

The presenter, Bruce Schneier, explained how each element of the algorithm had to meet the test of "performance driven design." He explained how each element contributed to the security of the cipher, especially the key-dependent s-boxes. He claimed that these have an advantage over fixed s-boxes, which can be studied for weaknesses, although at the cost of longer setup times. He justified why Twofish's process for generating s-boxes, from two fixed permutations and key material, would not yield weak s-boxes. He discussed the performance of the algorithm at length, in both hardware and software implementations. He strongly emphasized the flexibility of Twofish for many environments, citing the possibility of computing the round keys "on the fly" and of pre-computing the s-boxes to varying extents.

5. Wrap-up and Outlook

Before adjourning, Mr. Smid expressed NIST's appreciation to each of the submitters and acknowledged the time and effort it took to prepare an algorithm and submission package.
He also thanked each for their willingness to make their algorithms available on a royalty-free basis, if selected. He expressed appreciation to the members of the cryptographic community who attended and offered their expertise for the analysis of candidates.

By relying on public and private candidate algorithm submissions, soliciting public evaluation of those algorithms, and sharing its own analysis results with the public, NIST hopes to select a single algorithm for the AES that will have a high degree of public confidence from its inception. NIST is proceeding carefully but relatively rapidly, so that U.S. Government agencies will soon have a newer, stronger, and more efficient security technology available for protecting sensitive information for the next thirty years.

References

[1] United States Department of Commerce, National Institute of Standards and Technology, Federal Information Processing Standards Publication 46-2, Data Encryption Standard (DES), December 30, 1993.
[2] "Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard," Federal Register, Volume 62, Number 1, January 2, 1997, pp. 93-94.
[3] "Announcing Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES)," Federal Register, Volume 62, Number 177, September 12, 1997, pp. 48051-48058.
[4] S. Lucks, "On the Security of the 128-bit Block Cipher DEAL," http://th.informatik.uni-mannheim.de/m/lucks/papers/deal.ps.gz, August 20, 1998.
[5] D. Wagner, N. Ferguson, and B. Schneier, "Cryptanalysis of Frog," http://www.counterpane.com/frog.html, August 17, 1998.
[6] V. Rijmen and L. R. Knudsen, "Weaknesses in LOKI97," ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97.ps.gz, June 15, 1998.
[7] E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, and A. Shamir, "Cryptanalysis of MAGENTA," http://www.counterpane.com/magenta.html, August 20, 1998.

______________________________________________________________________
Int. Workshop SECURITY AND INTEGRITY OF DATA INTENSIVE APPLICATIONS
in conjunction with the 9th Int. Conf. on Database and Expert Systems Applications (DEXA'98)
University of Vienna, Austria, 24-28 August, 1998
by T. Mandry, G. Pernul, T. Schlichting (mandry@wi-inf.uni-essen.de)
______________________________________________________________________

The workshop consisted of five sessions: the invited talk session and four regular paper sessions. It was opened by Guenther Pernul (University of Essen, Germany), followed by the invited talk given by Eduardo B. Fernandez (Florida Atlantic University, USA) on "The need for a high-level look at Internet security". Eduardo argued that most of the security of the Internet is based on cryptographic approaches. While valuable, these methods suffer from a basic flaw: they can only be applied at the lower levels of the system, where semantic aspects of the data are not explicit. He stressed that we need to define security policies and mechanisms at a higher level so that access can be decided on the basis of semantic restrictions, and he outlined what such a high-level security model has to look like. The invited talk was very well received by all workshop participants.

The first regular paper session was entitled "Organizational Security Issues" and consisted of four presentations. The paper "Computing Conspiracies" authored by Ph. I. Elsas, P. M. Ott de Vries, and R. P. van de Riet addressed the concept of segregation of duties. The authors complain that there are no guidelines on how to distinguish a proper policy from an improper one. For this they use a model that allows quantification of and reasoning about audit-technical segregation of duties. The approach is based on normative (Soll) and actual (Ist) specifications of a company's circular flow of business values in terms of enriched Petri nets.

The paper "Enterprise-Wide Security Administration" by W. Essmayr, E. Kapsammer, R. R. Wagner, G. Pernul and A. M. Tjoa gives an overview of OASIS (open architecture security for information systems), which has been designed as an enterprise-wide security system. It contains a trust center to administrate a public key infrastructure and a component for access control.

The third presentation, "Security moving from Database Systems to ERP systems" by R. van de Riet, W. Janssen and P. de Gruijter, also considered the security of enterprise-wide information systems. Traditionally, access control for providing security is done by the operating system. With the coming of database systems the security rules were defined in the data model and are centrally maintained. Now security is moving from database systems to ERP (Enterprise Resource Planning) systems. The paper presents how security is handled by SAP R/3 and compares it with role-based systems. Moreover, the authors show how the specification of security rules can be done using a workflow management specification technique.

The final presentation of the first session was the paper authored by E. Hildebrandt and G. Saake entitled "User Authentication in Multidatabase Systems". E. Hildebrandt argued that the aspect of security needs more consideration in architectures for multidatabase systems; user authentication especially is neglected in current architectures. Due to inherent properties of multidatabase systems, like autonomy and heterogeneity, the problem of authentication is more complex than in traditional database systems. The paper discusses the foundations and prerequisites for architectures of authentication in multidatabase systems, presents several approaches developed in the past and compares them with the authors' own solutions.

The second paper session was entitled "Implementation Aspects, Prototype Systems" and was started by a contribution of S. Gritzalis and J. Iliadis, who addressed the security problems associated with the Java, Safe-Tcl and ActiveX programming languages.
Their work is a comparative evaluation of the methods used in these programming languages to confront security issues like system integrity, user privacy, resource availability and user annoyance.

The second paper, "Avoiding Inference Problem Using Page Level Security Classification" by Y.-C. Oh and S. B. Navathe, contains a technique for avoiding the inference problems involving the directories and catalogs in multilevel secure database management systems. The paper summarizes the previous efforts and proposes a solution without a large decrease in performance.

The final presentation in this session was a paper on "A Prototype Model for Data Warehouse Security Based on Metadata" by N. Katic, G. Quirchmayr, J. Schiefer, M. Stolba and A. M. Tjoa. It provides an overview of security-relevant aspects of existing OLAP/data warehouse solutions, an issue which has not been considered sufficiently in practice and which is only beginning to be discussed in the research community. Distributed systems and data warehouse environments have many security requirements in common, but a data warehouse by nature is an open, accessible system to support managerial decision-making. Restricted access to the data warehouse may lead to unsuitable information.

The next session was a session on "Security for Structured Documents". The first paper, "An abstract authorization system for the internet" by E. B. Fernandez and K. R. Nair, pointed out that cryptography is mainly used to control secrecy and authentication but cannot handle different types of access by different users, access to portions of documents, and other content-based restrictions. The authors present an authorization model for hypertext documents based on the access matrix. Different types of documents are classified, these documents are modeled using object-oriented approaches, and access policies are defined that specify access to those types of documents.

The second paper of the session, by U. Kohl, J. Lotspiech and St. Nusser, focused on "Security for the Digital Library". It has the subtitle "Protecting Documents rather than Channels" and describes the mechanisms necessary to put a security architecture for digital libraries in place. They include protection of the content, feasibility of payment and assertion of copy and usage rights. The paper also deals with the concept of secure containers, using the IBM Cryptolope technology as an example.

The third paper presented in this session was "Towards Access Control for Logical Document Structures", jointly authored by F. Dridi and G. Neumann. The authors focus on ease of administration to allow users to share information in a controlled way. For this a dual abstraction is presented where roles are used to abstract from subjects and security levels are used to abstract from objects. A lattice is used to define a partial order over the classifications of the documents.

The concluding session was on "Privacy, Workflow, and Security Mediation". It was started by a presentation by G. Wiederhold, who talked about joint work with M. Bilello on "Protecting Inappropriate Release of Data from Realistic Databases". He argued that when collaboration with external customers is required, common tools for authentication, authorization, and secure transmission are inadequate. The approach used to overcome these problems in the TIHI/SAW projects at Stanford University is to add a release filter. By driving the filtering primitives through simple rules, they allow a security officer to manage the institution's policy and thus to balance manual effort and complexity.

The next talk was about a paper by L. C. J. Dreyer and M. S. Olivier, who described the "Dynamic Aspects of the InfoPriv Model" for information privacy. In this paper the authors are concerned with the actual information flow as well as the change of the privacy policy over time.
The static aspects of the information involved in a flow between entities are represented in a can-flow graph. The dynamic aspects are divided into two categories: dynamic information flow and dynamic evolution of static aspects. An algorithm is presented that extends the can-flow graph without introducing unauthorized information flow.

The closing talk at the workshop was a paper jointly authored by M. S. Olivier, R. P. van de Riet and E. Gudes on "Specifying Application-level Security in Workflow Systems". It addresses the problem that the activities in a workflow may only be performed by authorized subjects. In order to enforce such requirements, the authors divide the security mechanisms into three levels. Level 1 contains the controlled access to the underlying data objects. Level 2 is responsible for limiting access to the time during which the activity is being performed. Finally, application-oriented security requirements are referred to level 3. The paper assumes that level 1 and level 2 mechanisms are in place and focuses on level 3 security mechanisms.

The 13 papers presented at the workshop were selected by the program committee: E. Bertino, E. B. Fernandez, D. Gritzalis, S. Jajodia, S. Katsikas, G. Neumann, G. Pernul (chair), P. Samarati, R. Sandhu, A. Spalka, and V. Varadharajan. All papers are published in the Proc. of the 9th Int. Workshop on Database and Expert Systems Applications (R. Wagner, ed.), IEEE Computer Society, 1998. ISBN: 0-8186-8353-8 (IEEE order number: PR08353).

There will be a continuation of the DEXA security workshop in 1999 (DEXA'99 is at the University of Firenze, Italy, Aug. 30 - Sept. 3, 1999). The general theme of the workshop will be "Security and Electronic Commerce".
The submission deadline is the end of February 1999 and the CfP is available at: http://www.wi-inf.uni-essen.de/~dexa99ws/

______________________________________________________________________
5th ACM Conference on Computer and Communications Security (CCS5)
San Francisco, California, Nov 3--5, 1998
______________________________________________________________________

The fifth ACM Conference on Computer and Communications Security was held at the Fairmont Hotel in San Francisco, CA from Nov 2 to Nov 5. There were four tutorials on the first day: Cryptography -- Theory and Applications by Dan Boneh (Stanford University), Programming Languages and Security by Martin Abadi (Compaq Systems Research Center) and George Necula (Carnegie Mellon University), Authentication Protocol Verification and Analysis by Jon Millen (SRI International), and Emerging Models in Electronic Commerce by Doug Tygar (UC Berkeley). From Tuesday to Thursday, seventeen papers were presented. There were also several panels and invited talks. The notes taken from the conference are as follows. It was a very successful conference.

[The following writeup gives the invited talks and panel discussion first, followed by the contributed papers. --Eds.]

****Key Notes****

"Risks and challenges in computer-communication infrastructures"
*Peter Neumann

Peter Neumann has been in computer science since 1953, before most of the audience was even born. He is well known as the moderator of the Risks forum (http://catless.ncl.ac.uk/Risks/). His home page can be found at: http://www.csl.sri.com/~Neumann.

On November 2nd, 1988, the Internet worm (a.k.a. Morris worm) almost brought the entire Internet to a halt. Today, 10 years later, we are still suffering from the same problems. On the day of the talk, the newspaper reported that there was a sniffer in Stanford University's main mail server which was active for one month, sniffing passwords and emails.
Ken Thompson published a paper 20 years ago which treated a similar scenario. The Y2K problem is a serious threat today. Multics took care of the problem a long time ago by reserving 70 bits for date fields. For a long time it was believed that xenon was a very stable element and could not react. Today NASA uses xenon ions to propel the latest space probe with previously unmatched power. The problem is that research does not find its way into the commercial world. Today PC operating systems are a disaster, networking code is full of errors... Customers have become software testers... The number of break-ins is steadily increasing as the Internet continues to grow. High school students of Cloverdale (?) High broke into the Pentagon's computers. But nothing happens after this incident. People still use constant passwords. But systems fail even without break-ins. Yesterday's vulnerabilities stay today's. (?)

We need a notion of "generalized dependence" which enables acceptable operation despite faults, failures, errors and misbehavior or misuse of underlying mechanisms. Moore, Shannon and von Neumann showed earlier how to build a reliable system out of unreliable components. Today our systems are unreliable: in 1980 the Arpanet collapsed because a single node failure contaminated the entire network. A similar flaw caused the 1990 AT&T collapse. In 1998 we had the Frame Relay outage. We saw cell phone outages, Internet black holes, etc. Six experts testified that the Internet can be brought down in 30 minutes. The PCCIP report (http://www.pccip.gov and http://www.ciao.gov) shows that all infrastructure is vulnerable. The conclusion is that we have not learned much in this century; what does the ghost of the future look like?

We can see two options. The first: jawbone vendors that do not produce secure software (JavaSoft has done a very good job and is an exception), but this did not have success.
The second option: open source software, but the government has chosen proprietary software. Single vendor solutions are not good; it would be better to take the best code of each vendor. Legacy code implies "lowest common denominator". Proprietary software further has no interest in cooperating with other systems, making it therefore impossible to get away from it. What we need is robust open source: meaningfully secure, meaningfully reliable, meaningfully robust and meaningfully survivable.

An example of proprietary software deployment is the US Navy battle cruiser Yorktown (which is using NT): 2.5 hours dead in the water because of a division by 0 error! What did we learn in all these years? Windows NT has 48 million lines of code, 7 million lines of test code, but where is the security perimeter? In addition users download web-ware that was pulled down from any Internet site. How can we trust such a system? How can we assure that code we download is robust? We should have components which are known to be robust, we need evaluation centers, and we should put a cryptographic enclosure around software to ensure integrity. We should change software from WORA (write once, run anywhere) to WOVORA (write once, verify once, run anywhere). There is a lot of good research in Java security (e.g. Dan Wallach, George Necula): will it find its way to the commercial world? Eric Raymond's Halloween document: http://www.tuxedo.org/~esr/halloween.html. (Microsoft claims: "Open Source Movement is evil".) But we need to support open source development. To cite JFK: "Ask not what the computer communications infrastructure can do for you, ask what you can do for the computer communications infrastructure!"

Question: There's little incentive for corporations to have robustness, reliability. How can we do the evaluation of systems which are not yet obsolete?
Answer: For big systems, there's no hope to evaluate. The Orange Book did not handle system composition.
The Army and Navy have interests in this; MacArthur has funded Richard Stallman to do research.

Mike Reiter asked: The security of planes, nuclear power plants, etc. uses different approaches to security; how is this problem different?
Answer: We need a plurality of approaches.

Other comments: Should not the first step be to define security, robustness, etc.? One of the biggest problems is that there is no conception of security. Isn't the reason that the rate of innovation was so high that robustness, etc. could not keep up? Other features are more important.

***Panel on Anonymity on the Internet*****

Paul Syverson was the organizer and chair of the panel. Panelists were Avi Rubin (AT&T Labs - Research), Christina Allen (Electric Communities), Susan Landau (UMass Amherst), Chris Painter (US Dept. of Justice) and David Wagner (UC Berkeley).

Paul started with a brief introduction of anonymity on the Internet. The main concern is about medical data as well as financial and behavioral data about individuals. Should this data remain private, and even further, should it allow any association to an individual? The questions that the panelists were asked to answer were:
- What are the responsibilities of an ASP (anonymity service provider)?
- Should ASPs be regulated? Or even illegal? Or should they keep logs?

Avi Rubin was the first speaker. Together with Mike Reiter, he did research on Crowds, a system to bring anonymity to web traffic. The infrastructure and technology need to be in place before policy and regulations (technology and policy need to go hand-in-hand). For anybody, it is possible to go to a cyber cafe, use Hotmail, set up a phony pre-paid account at an ISP, forge e-mail, spoof IP, etc. to be anonymous. Other methods are to use mixes (hide information and traffic patterns between sender and receiver), Onion Routing (NRL), Babel, ISDN (ppw (?)), Rewebber (gw (?)).
Using the Anonymizer, which is a proxy-based scheme for web anonymity, is another way to be anonymous, but the Anonymizer can keep information about the clients. LPWA (GGMM), Lucent Pseudonymous (?). Crowds is effective in keeping the privacy of its members because the aggregate of members acts on behalf of an individual member of the crowd. Avi ended his presentation with a comparison of methods (low tech, mixes, proxy, Crowds) where the attacks considered were traffic analysis and collusion attacks.

Christina Allen, "Context-sensitive approaches to managing Internet anonymity"

Christina Allen is from Electric Communities. She said that "the real question was how to create Internet contexts amenable to the social, commercial, entertainment and the myriad other activities that people seek online, and how to protect these contexts from abuses. One approach is to imagine a wealth of Internet contexts, each of which is designed around the idea of reciprocal credentials."

Susan Landau, "The Right to Anonymity in an Internet World"

Susan Landau is from the University of Massachusetts, and co-authored the book "Privacy on the Line" with Whitfield Diffie. Speech, commercial transactions and browsing are three flavors of anonymity. Americans today live in a world very different from that of the past. It is not possible any more to walk out into a field to hold a private discussion with commerce partners. The technology of miniature tape recorders, video, and communication equipment makes anonymity guarantees difficult. Whatever the US policy for anonymity will be, Internet users can use anonymity services located in countries that do not regulate it.

Speech: Since the first days of the republic, anonymity has been fundamental in US political speech. But anonymous political speech was not always protected. The Supreme Court ruled multiple times for anonymous speech. Anonymity is very important because it allows the diffusion of unpopular ideas.
In some cases people got killed for expressing their opinion. Today the Court relies on the importance of free speech in a democracy. Compulsory disclosure may deter free expression.

Commercial transactions: We won't see anonymity in this context. The police need to trace transactions to fight drug money. The Bank Secrecy Act of 1970 requires banks to keep records of transactions, and to release them upon subpoena.

Browsing: Since browsing is similar to reading, and the right to read anonymously was protected multiple times by the Supreme Court, browsing anonymously should also be protected. Unfortunately technology threatens the right to read anonymously, since content providers or ISPs can trace what users read. With the continuing replacement of printed text with on-line information, the right to read anonymously could be severely damaged.

Conclusion: Anonymity is new. It only started when we had large cities. France still prohibits it. It's not supposed to be protected except when people push it. Anonymous speech and anonymous reading (browsing) are appropriate and necessary to the functioning of a democratic society.

Chris Painter

There is currently no official Department of Justice policy on "Anonymity on the Internet." On one hand law enforcement needs to find out the originators of messages, e.g. racist mail or terrorist threats. But on the other hand there are legitimate reasons, including the promotion of free speech, for anonymous communication. Law enforcement can require ISPs to maintain records for up to 90 days and disclose that information, provided that certain legal requirements are met. ASPs can also be held socially liable for providing anonymous service. But the marketplace will drive the issues. When users want anonymity, they will get it.

David Wagner, "Policy for online anonymity providers"

Anonymity is not an end goal, but a technique to achieve privacy.
Anonymity service providers should aim for full disclosure of their privacy policies and procedures. There are two key axes for policy analysis of anonymity services. The first axis is the purpose of the service, "good for society" or "good for an individual"; the second axis characterizes services based on "push" vs. "pull" technique. Anonymity providers should also consider when and where to apply anonymity, and where to apply it in the protocol stack. Retention policy is also very important: don't keep potentially damaging information around any longer than absolutely necessary. The abuse of anonymous services is always a problem.

General discussion:
- It's trivial to cut big transactions into small transactions with today's technology. So the policy that keeps records for transactions over 100 dollars doesn't work any more.
- Escrow implies less security.
- The Mondex card provides anonymity.
- Bellovin: More privacy is leaked by individuals who fill in forms ("paper trail"). Laws prevent information from being sold.
- Avi: we need seamless anonymity. If tools are very easy to use then people will use them.
- Christina: Identity information system (many user names, passwords).
- Paul: Onion Routing processes 10^6 web connections every month; the demand is present. The market is not huge, but it is present. Onion Routing gets connections from 20000 different IP addresses.
- Daw: A product from Zero-Knowledge Systems is coming out soon.
- We have many decisions to take in designing public systems which affect privacy greatly. But the public does not know how to answer these questions; we need to help them out.
- Today, private information is known to people whom we don't know. It used to be different. For example, 500 years ago, goods were paid for in sacks of gold.
- How much demand is there for anonymity? Susan: minority groups, women with breast cancer.
- Few people actually need anonymity, but it is important to know that anonymity is available when we really need it.

***Invited talk: The development of public key cryptography***
*Martin Hellman

Hellman said that he always wanted to be different from everyone else. Early cryptography, such as the Caesar cipher, depended on the secrecy of the algorithm; a truly secure scheme must be public and depend only on the secrecy of the keys. Cryptography was a branch of information theory, together with compression and error correction. There were two famous papers by Claude Shannon in 1948 (49?); one of them was written in 1945, but the NSA only declassified it in 1949. Information theory owes its birth to security. The random coding argument makes sense in cryptography; that is how Shannon came up with his counterintuitive argument that the best error-correcting code is also a random one. Shannon's paper was given to Martin Hellman by Peter Elias at MIT.

In fall 1974 Diffie came to visit him at Stanford, on the recommendation of Alan Konheim at IBM, because Hellman and Diffie had each given a very similar talk at IBM Yorktown. They immediately started discussing the work and enjoyed working together. They wanted to start a cryptographic complexity class based on one-way hash functions as the simplest cryptographic entity. Trapdoors are present in all cryptographic entities (it is like a quiz which is very difficult, but with a hint becomes very simple); it would be nice to have a trapdoor cipher. They were ``tumbling around in the dark and the muse of cryptography was whispering into their ear.'' Merkle at Berkeley developed the first public key algorithm, Merkle's puzzles, a public key distribution (PKD) scheme; Hellman said that the Diffie-Hellman system should be called the Diffie-Hellman-Merkle system. They looked at factoring as a one-way function, but did not find how to build a public-key cryptosystem from it. They also looked at the discrete logarithm problem and came up with the Pohlig-Hellman system, which is based on the discrete logarithm.
There were times when they were really close to the RSA scheme: ``it's like we were dancing around it... but we missed it.'' Later, they came up with the Diffie-Hellman key exchange. Conclusion: the invention was a random walk; they could not see every golden nugget. ``Only a fool would still jump up and down the 100th time when he thinks he has found the solution, even though he has failed 99 times before.'' You have to be a fool to do research (otherwise you would stop after people have told you off many times).

Somebody from the audience asked about ElGamal. ElGamal was Hellman's graduate student; Hellman said he was busy with other things at that time, and ElGamal came up with the algorithm by himself. Mike Reiter asked what the next hard problems are that we could use to build the next public key cryptosystems, since quantum computing might break the hardness of factoring. Hellman answered that the puzzle method, and KDCs in conjunction with public key cryptography, might be promising. Had any work been done by the spooks before them? Hellman said he was told that other people had discovered the same thing before him, but he thought that there are two universes, the classified and the unclassified: if a piece of work was done in the classified universe before him, it should just be a footnote in the unclassified world.

***Invited Talk: Trust in cyberspace? A research roadmap***
*Fred Schneider

Trust in Cyberspace is a new report from a National Research Council committee. More information about the report can be found at http://www2.nas.edu/cstbweb. National Academy Press prints ``Trust in Cyberspace''; the ISBN is 0-309-06558-5 and the book can be ordered online at www.nap.edu/bookstore/enter.cgi

Systems should work correctly despite environmental disruption, human user and operator error, hostile attacks, and design and implementation errors. This is a holistic and multidimensional problem. Today's systems are not trustworthy.
Use of known techniques would improve the situation, but ``better'' is probably not good enough; we need new research to attack the problem. The report is a research agenda. Two major information systems were investigated: the telephone network and the Internet. The PTN's trustworthiness is eroding: new services may involve database look-ups, and new equipment is programmable, proprietary, and involves authorization. The Internet's trustworthiness is evolving: IPsec helps, but continuing sources of vulnerability require new research (routing protocols: stability vs. reconfiguration, cooperation in the presence of mutual distrust; scaling is important).

Developing trustworthy NIS (Networked Information System) software is central. The characteristics to contend with are substantial legacy content, agglomeration, and COTS. We face the usual difficulties plus: information about system internals is unknown, and analysis of dependencies in large-scale systems is difficult. We need to address assurance (testing, formal verification) and the derivation of properties of the whole from properties of the parts.

New security research is needed. New policies to enforce: availability (including denial of service), integrity, and application-level security. New structures to manage: foreign code, extensible software systems, black-box components (i.e. COTS), and security enhancers (firewalls, etc.). New problems to solve: network-wide authentication, faster authentication/integrity mechanisms. New security options include fine-grained access control and research on cryptography: improving the key-management infrastructure to allow revocation, scale, recovery from key compromise, name space management, and better interfaces for users and system administrators. Intrusion detection is a cat-and-mouse game. Security models: move vulnerabilities around to where they do the least harm. An important research direction is to investigate how to build trustworthy systems from untrustworthy components.
The issues are: replication for reliability, diversity for resisting attacks, monitoring for both reliability and security, promising new algorithmic approaches such as self-stabilization and emergent behavior, and an architecture/placement for trustworthiness functionality. We need to think in the economic and public policy context. Economic factors do play a role, since we need to manage risk. Security risks are more difficult to identify and quantify than those that arise for reliability. Should we migrate from risk avoidance to risk management? The market isn't working: consumers prefer functionality, and nobody can assess trustworthiness. We need to convey product trustworthiness, but no model will be complete.

Questions and comments by the audience:
- Intrusion detection: in addition to signature techniques, using statistical models could help.
- Regulation: less and less regulation would be better, for instance having auctions for power.
- How could we create diversity? It's not economically practical.

*****Contributed Papers*****

-- Communication Complexity of Group Key Distribution
*Klaus Becker, Uta Wille

A contributory group key distribution system is one that interactively establishes a group key such that
-- no user is required to hold secret information before entering the protocol, and
-- each group member makes an independent contribution to the group key.
Based on the ``gossip problem'' studied in the 70's, the paper derives theoretical lower bounds on the total number of messages, exchanges and rounds required for contributory group key distribution, with or without broadcasts. The authors then use Diffie-Hellman based schemes to demonstrate that the lower bounds in the theorems can be attained. Somebody in the audience commented that the Diffie-Hellman based protocols are similar to divide-and-conquer parallel algorithms.
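To make the contributory property concrete, here is an added example, not code from the paper or its authors, of a Diffie-Hellman-based group key agreement of the kind the paper analyses, written in Python. It follows the GDH.2 upflow/downflow pattern of Steiner, Tsudik and Waidner: each member folds its own secret exponent into the values it receives, the last member broadcasts, and every member ends with the same key without anyone holding a secret before the protocol starts. The modulus and generator are toy parameters chosen for the illustration, and the message count the function reports is simply what this particular protocol sends (n-1 unicast messages plus one broadcast), not a restatement of the paper's bounds.

```python
import secrets

# Toy Diffie-Hellman parameters for the illustration. Assumption: 2^127 - 1 is a
# (Mersenne) prime, but this is NOT a vetted DH group; a deployment would use a
# standardised safe-prime group. The protocol logic does not depend on the choice.
P = 2**127 - 1
G = 3


def gdh2_group_key(exponents):
    """Run a contributory, Diffie-Hellman-based group key agreement (the GDH.2
    upflow/downflow pattern) for members holding the secret exponents given.

    Returns (keys, messages): keys[i] is the key member i computes, messages is
    the number of protocol messages sent (n-1 unicast upflow messages plus one
    broadcast), so the contributory property and the message count can be checked.
    """
    n = len(exponents)
    if n < 2:
        raise ValueError("need at least two members")

    # Upflow: member i receives from member i-1 the values g^{product of all
    # earlier exponents except one} (one value per earlier member) plus the
    # value carrying all earlier exponents, raises everything to its own
    # exponent and forwards. partials[j] = g^{product of exponents so far, except N_j}.
    partials = [G]                          # for member 0: g with its own exponent missing
    full = pow(G, exponents[0], P)          # g^{N_0}
    messages = 1                            # member 0 -> member 1
    for i in range(1, n - 1):
        N = exponents[i]
        partials = [pow(x, N, P) for x in partials] + [full]
        full = pow(full, N, P)
        messages += 1                       # member i -> member i+1

    # Downflow: the last member computes the key directly, then broadcasts the
    # partial values raised to its exponent; broadcast[j] now lacks only N_j.
    N_last = exponents[-1]
    key_last = pow(full, N_last, P)
    broadcast = [pow(x, N_last, P) for x in partials]
    messages += 1                           # one broadcast to everyone

    keys = [pow(broadcast[j], exponents[j], P) for j in range(n - 1)] + [key_last]
    return keys, messages


def fresh_exponents(n):
    """Each member draws an independent, secret contribution."""
    return [secrets.randbelow(P - 2) + 1 for _ in range(n)]


if __name__ == "__main__":
    exps = fresh_exponents(5)
    keys, msgs = gdh2_group_key(exps)
    print("all members agree:", len(set(keys)) == 1, "messages:", msgs)
```

Every member's key equals g raised to the product of all contributions, so changing any single member's exponent changes the key for everyone; that is the contributory property the paper's definition asks for. An eavesdropper sees only the upflow and broadcast values, none of which carries the full product without the corresponding secret exponent.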
-- Key Management for Encrypted Broadcast
*Avishai Wool

In applications such as direct broadcast digital TV networks, transmissions need to be encrypted. A set-top terminal (STT) at the user end stores the decryption keys and access control data and does the decryption. The STT is connected to the telephone network and has 4-8 KBytes of memory, which severely limits the complexity of the key distribution algorithm used. The existing schemes reviewed are the bit-vector scheme and the block-by-block scheme. The author proposed two new schemes, the extended-header scheme and the V-space scheme. The extended-header scheme has a design tradeoff between the bandwidth allocated to header transmission and the delay a user incurs when switching channels. The V-space scheme doesn't add any headers, but the mathematical properties of the scheme limit the possible packages. The author demonstrated how to use the natural hierarchy of the programs to get around this limitation (``It's not a bug, it's a feature!''). Some people in the audience commented that this scheme can't work for very short-term keys and that it could be vulnerable to collusion attacks.

-- Authenticated Group Key Agreement and Friends
*Giuseppe Ateniese, Michael Steiner and Gene Tsudik

The scheme is designed for dynamic peer groups (DPGs). DPGs are usually small in size and have frequent membership changes. The paper provides a practical and secure authenticated key agreement protocol based on Diffie-Hellman key agreement. Security properties of the protocols, such as perfect forward secrecy and contributory authentication, are proved in the paper.

-- The Design, Implementation and Operation of an Email Pseudonym Server
*David Mazieres and M. Frans Kaashoek

Attacks on servers that provide anonymity generally fall into two categories: attempts to expose anonymous users and attempts to silence them.
nym.alias.net is a server providing untraceable email aliases and has been running for two years. Based on the experience with nym, the paper enumerates many kinds of abuse of the system and distills several principles for designing, implementing and operating anonymous servers. Nym uses the anonymous remailer network as a mix-net: it forwards mail received for a nym to its final destination through a series of independently operated remailers. Only by compromising multiple remailers can one uncover the full path taken by such a message. To use nym, one only needs a copy of PGP. Nym is also reliable, due to careful software engineering and redundancy. One abuse was that somebody used nym to post child pornography, but the FBI didn't shut down nym because of this. Nym has survived many different attacks such as mail bombs, account flooding, etc. Nym is still running, with 2,000 to 3,000 active accounts.

-- History-Based Access Control for Mobile Code
*Guy Edjlali, Anurag Acharya, Vipin Chaudhary

A history-based access-control mechanism was presented: what a program is allowed to do depends on its own identity and behavior as well as on the currently used discriminators, such as the location it was downloaded from or the identity of its author/provider. The paper describes the design and implementation of Deeds, a history-based access-control mechanism for Java. An access control policy could be something like: it is forbidden to open a socket after opening a file. Different policies can be used for different applications, such as an editor or a browser. This scheme can potentially expand the set of programs that can be executed without compromising security or ease of use. Some comments were made: What is the granularity of the policy? Who defines the policy? A policy saying that if you ever opened a file you can't open a socket might be unrealistic. Some improvements could be made to hashing efficiency. What about covert channels? One suggested answer was to let only one program run, which of course is not a good solution.
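The remailer chain described in the nym.alias.net summary above, as an added example in Python that is not the nym code: a message is wrapped in one layer per remailer, each remailer strips only its own layer and learns only the next hop, so a single compromised remailer sees neither the sender nor the final destination unless it happens to be the last hop. The per-remailer keys, the toy HMAC-based cipher standing in for PGP, the remailer names and the sample message are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os

# Stand-in cipher for the illustration: an HMAC-SHA256 keystream XORed with the
# data. Assumption: the real remailer network uses PGP; this toy exists only to
# show the layering and is not a recommended construction.
NONCE_LEN = 16


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_layers(route, keys, destination, body):
    """Wrap 'body' so that each remailer in 'route' (in forwarding order) can
    strip exactly one layer and learn only the next hop. keys[name] is the key
    shared with that remailer (a stand-in for its public key)."""
    next_hop, payload = destination, body
    for name in reversed(route):                    # innermost layer first
        layer = json.dumps({"next": next_hop,
                            "payload": base64.b64encode(payload).decode()}).encode()
        payload = encrypt(keys[name], layer)
        next_hop = name
    return payload                                  # what the first remailer receives


def remailer_step(name, keys, blob):
    """What one remailer does: peel its own layer, return (next hop, inner blob)."""
    layer = json.loads(decrypt(keys[name], blob))
    return layer["next"], base64.b64decode(layer["payload"])


def forward_through_chain(route, keys, destination, body):
    """Simulate delivery; 'views' records the only routing fact each remailer
    learns from its own layer, namely where to send the message next."""
    blob = build_layers(route, keys, destination, body)
    views = []
    hop = route[0]
    for name in route:
        assert hop == name                          # message arrives where the previous layer said
        hop, blob = remailer_step(name, keys, blob)
        views.append((name, hop))
    return {"delivered_to": hop, "body": blob, "views": views}


if __name__ == "__main__":
    # Constructed sample: three remailers with per-remailer keys and one message.
    route = ["remailer-a", "remailer-b", "remailer-c"]
    keys = {name: os.urandom(32) for name in route}
    result = forward_through_chain(route, keys, "alice@example.org", b"hello from a nym")
    print(result["delivered_to"], result["body"])
    for name, nxt in result["views"]:
        print(f"{name} learned only: next hop = {nxt}")
```

The `views` list is the point: the middle remailer's layer names only the next remailer, so linking the entry point to the final recipient requires the cooperation (or compromise) of every hop on the path, which is the property the paper relies on.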
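As an added illustration of history-based access control (not Deeds itself, which is a Java mechanism), the following Python monitor keeps a per-program history of mediated events and decides each request against a policy selected by a discriminator, here the origin the code was loaded from. The event names, the origins, the policies and the traces are invented for the example; the browser policy is the one quoted in the talk, no socket once a file has been opened.

```python
class AccessDenied(Exception):
    pass


# A policy maps a requested event to the set of events which, if they already
# occurred in this program's history, forbid the request. Policies, event
# names and origins are invented for this example.
POLICIES = {
    # the rule quoted in the talk: no socket once a file has been opened
    "browser": {"open_socket": {"open_file"}},
    # an editor may talk to the network only if it has not touched any file
    "editor": {"open_socket": {"open_file", "write_file"}},
    # unknown origins: no network after files, and no file writes after network
    "untrusted": {"open_socket": {"open_file", "write_file"},
                  "write_file": {"open_socket"}},
}


def policy_for(origin):
    """Choose a policy from a discriminator such as where the code came from."""
    if origin.startswith("https://editor.example/"):
        return POLICIES["editor"]
    if origin.startswith("https://"):
        return POLICIES["browser"]
    return POLICIES["untrusted"]


class HistoryMonitor:
    """Mediates requests for one program; the decision depends on its history."""

    def __init__(self, origin):
        self.policy = policy_for(origin)
        self.history = []

    def request(self, event):
        blocked_by = self.policy.get(event, set()) & set(self.history)
        if blocked_by:
            raise AccessDenied(f"{event} denied after {sorted(blocked_by)}")
        self.history.append(event)          # only granted events become history
        return event


def run_trace(origin, events):
    """Replay a sequence of requests; return a list of (event, 'ok' | 'denied')."""
    mon = HistoryMonitor(origin)
    outcome = []
    for ev in events:
        try:
            mon.request(ev)
            outcome.append((ev, "ok"))
        except AccessDenied:
            outcome.append((ev, "denied"))
    return outcome


if __name__ == "__main__":
    # Constructed traces: the same code is treated differently depending on
    # what it did before, which is the point of history-based control.
    print(run_trace("https://news.example/applet", ["open_file", "open_socket"]))
    print(run_trace("https://news.example/applet", ["open_socket", "open_file"]))
```

The two traces in the `__main__` block show the asymmetry the audience objected to: a program that opens a file first is later denied the socket, while one that opens the socket first may still open the file. Whether that order is acceptable is exactly the ``who defines the policy'' question raised after the talk.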
Running only one program is, of course, not a good solution.

-- A Specification of Java Loading and Bytecode Verification
*Allen Goldberg

The paper uses data flow analysis to verify type-correctness, and typing contexts to ensure global type consistency in the context of a lazy strategy for class loading. It formalizes the JVM bytecode verifier as an instance of a generic data flow architecture. Specware is a system available from Kestrel Institute which can generate provably-correct code from specifications; the author is using Specware to generate an implementation of the JVM bytecode verifier. The paper also gives a good overview of the Java Virtual Machine and the Java type system.

-- A New Public Key Cryptosystem Based on Higher Residues
*David Naccache and Jacques Stern

A new scheme based on the hardness of computing higher residues modulo a composite RSA integer was presented. The scheme has two versions, deterministic and probabilistic. The probabilistic version has a homomorphic encryption property, and its expansion rate is better than that of previously proposed schemes. The scheme is slower than RSA but still practical. The homomorphic property could lead to interesting applications such as watermarking. The authors offer a cash reward for decryption of at least 50% of a ciphertext; the challenge ciphertext is included in the paper.

-- An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products
*Rosario Gennaro, Daniele Micciancio and Tal Rabin

An odd prime P = 2q + 1 is called safe if q is prime. A quasi-safe prime is an odd prime P = 2q + 1 such that q = s^m is an odd prime power. A number N is a quasi-safe prime product if N = PQ where P = 2p^n + 1, Q = 2q^m + 1, and p and q are distinct odd primes. The abstract of the paper says: ``We present the first simple and efficient zero-knowledge proof that an alleged RSA modulus is of the correct form.''
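An added example, not from the paper, that turns the three definitions above into checks (Python, by trial division, so only for small illustrative numbers): 7 = 2*3+1 is safe, 19 = 2*3^2+1 and 163 = 2*3^4+1 are quasi-safe but not safe, and 7*11 and 19*11 are quasi-safe prime products, while 7*19 is not because both factors come from the same odd prime 3.

```python
def factor(n):
    """Trial-division factorisation: returns {prime: exponent}. Adequate for the
    small illustrative numbers here; real moduli are never factored this way."""
    f = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def is_prime(n):
    return n > 1 and factor(n) == {n: 1}


def odd_prime_power_base(q):
    """If q = s^m with s an odd prime and m >= 1, return s; otherwise None."""
    f = factor(q)
    if len(f) == 1:
        s = next(iter(f))
        if s % 2 == 1:
            return s
    return None


def classify_prime(p):
    """'safe' if p = 2q+1 with q prime, 'quasi-safe' if q = s^m is an odd prime
    power with m > 1, 'plain' for any other prime, None if p is not an odd prime."""
    if p % 2 == 0 or not is_prime(p):
        return None
    q = (p - 1) // 2
    if is_prime(q):
        return "safe"
    if odd_prime_power_base(q) is not None:
        return "quasi-safe"
    return "plain"


def is_quasi_safe_prime_product(n):
    """n = P*Q with P = 2p^a+1, Q = 2q^b+1 and p, q distinct odd primes."""
    f = factor(n)
    if sorted(f.values()) != [1, 1]:        # exactly two distinct prime factors
        return False
    P, Q = f
    bases = [odd_prime_power_base((x - 1) // 2) for x in (P, Q)]
    return None not in bases and bases[0] != bases[1]


if __name__ == "__main__":
    for p in (7, 19, 163, 13):
        print(p, classify_prime(p))
    for n in (7 * 11, 19 * 11, 7 * 19):
        print(n, is_quasi_safe_prime_product(n))
```

Note that the product definition requires the two underlying odd primes to be distinct: 7*19 = 133 has both factors of the form 2*3^k+1 and therefore fails the check even though each factor on its own is safe or quasi-safe.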
The abstract continues: ``Our proof systems achieve higher security and better efficiency than all previously known ones. ... We demonstrate the applicability of quasi-safe primes by showing how they can be effectively used in the context of RSA based undeniable signatures to enforce the use of keys of a certain format.''

-- Communication-efficient anonymous group identification
*Alfredo De Santis, Giovanni Di Crescenzo and Giuseppe Persiano

The paper gives formal definitions of a group identification scheme, an anonymous group identification scheme and a perfect zero-knowledge group identification scheme. An identification scheme was presented based on the problem of quadratic residuosity modulo Blum integers. The communication complexity of this scheme was proven to be O(m+n), where m is the size of the group and n is the security parameter, and the scheme was shown to be perfect zero-knowledge. The paper also shows that the scheme can be easily extended to efficient anonymous identification for groups of at least t users. Paul Syverson commented that this scheme doesn't prevent collusion, i.e. group members can very easily give the secret to their friends. He referred to previous work on unlinkable serial transactions (http://www.research.att.com/~stubblebine), which can solve this problem.

-- A Security Architecture for Computational Grids
*Ian Foster, Carl Kesselman, Gene Tsudik and Steven Tuecke

``The Globus project is developing basic software infrastructure for computations that integrate geographically distributed computational and information resources. Globus concepts are being tested on a global scale by participants in the Globus Ubiquitous Supercomputing Testbed Organization (GUSTO). GUSTO currently spans over forty institutions and includes some of the largest computers in the world.
Globus is a joint project of Argonne National Laboratory and the University of Southern California's Information Sciences Institute.'' See http://www.globus.org

There are several obstacles to providing security in a global grid computing environment: the user population and the resource pool are large and dynamic, and different systems have different local security policies and implementations. The talk presented the security requirements and policies and, finally, the architecture and its implementation. The scheme doesn't require the use of bulk encryption, because of exportability concerns. The whole system is currently actively running.

-- Design of a high-performance ATM firewall
*Jun Xu and Mukesh Singhal

It's difficult to design an efficient packet-filtering firewall in an ATM network because of the potentially large SAR (Segmentation and Reassembly) overhead. Previous work, StorageTek's ATLAS, has the limitations that it does not accept IP packets with large IP option fields and that it requires manual configuration to add TCP/IP rules for new PVCs (Permanent Virtual Connections). The paper presents a hardware design for a high-performance switch-based ATM firewall architecture. It introduces a new concept, Firewalling Quality of Service, which can achieve a nice tradeoff between performance and security. A method called LCH (last cell hostage) is used to reduce the policy cache miss latency: only the last cell is held back when a policy cache miss occurs. One person in the audience asked why we need this when we have IPsec. The short answer is that they serve different purposes; for instance, a firewall gives you centralized access control.

-- A practical secure random bit generator
*Elizabeth Shriver

The idea is to use the local disk in a computer to generate random bits. No additional hardware or user interaction is needed. The randomness comes from the rotation of the disk, whose speed is inherently unpredictable due to chaotic air turbulence inside the drive.
The actual method of measuring the exact rotation speed turns out to be quite tricky. In short, the first and the last cluster on a track are read to determine the time for one rotation. One big problem remains: how many bits of randomness can we extract? The paper presents a theoretical argument and derives that 5 highly random bits per minute can be generated. In another, less secure mode, 577 bits per minute are generated. More information can be found at http://www.bell-labs.com/user/shriver/random.html

The following questions were asked:
- Is the source of input bits independent? Could we hash the random bits to get even more randomness?
- What about other disk drives? The same method is applicable, but other disks had slower rotation speeds and would therefore create fewer random bits in the same time period.
- Pseudo-random generators pass the statistical randomness tests, while true random sources do not always pass them, so why should we trust these tests?
- The real world needs a LOT of random bits? Yes; future work should result in a faster method.

-- A probabilistic poly-time framework for protocol analysis
*P. Lincoln, J. Mitchell, M. Mitchell and A. Scedrov

The paper develops a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomial-time processes. ``In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. Using an asymptotic notion of probabilistic equivalence, we relate observational equivalence to polynomial-time statistical tests and discuss some example protocols to illustrate the potential of this approach.'' Most current formal protocol analyses are based on a model which uses two assumptions: perfect cryptography and a nondeterministic adversary.
This approach establishes an analysis framework that can be used to explore interactions between protocols and cryptographic primitives, and it also admits attacks by the adversary that the standard model does not allow. The approach adopts the spi calculus proposed by M. Abadi and A. Gordon.

-- Public-key cryptography and password protocols
*Shai Halevi and Hugo Krawczyk

Password authentication schemes should resist eavesdropping, replay, man-in-the-middle and off-line password-guessing attacks. It is shown that the security of password authentication protocols depends strongly on the choice of the public key encryption function. For example, semantic security is not sufficient (an encryption scheme is said to be semantically secure if, given a ciphertext c and a plaintext p, it is infeasible to determine whether or not c is an encryption of p). The paper presents a Diffie-Hellman based protocol which provides features such as two-way authentication, authenticated key exchange, resistance to server compromise and user anonymity. The paper also introduces the notion of public passwords, a digest of the server's public key. Finally, the paper proves a theoretical result showing that the use of public key techniques is unavoidable in password protocols that defend against off-line guessing attacks. A person in the audience asked whether it is possible to design a scheme which authenticates the server's public key during the protocol without user interaction. The speaker said that there might be a proof that this is not possible, but he was not sure.

-- Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)
*Bruce Schneier and Mudge

The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP links. The paper analyzes the NT implementation of PPTP and shows how to break both the challenge/response authentication protocol (MS-CHAP) and the RC4 encryption protocol (MPPE).
The speaker said that being ``buzzword compliant'' is not enough: you have to implement protocols properly. One weakness of the implementation is that it uses the LAN Manager hash function, which makes dictionary attacks very easy. Many other weak points are shown in the paper. The speaker also pointed out that peer review is necessary for good design and implementation. Peter Neumann commented that proprietary software suffers from the lack of peer review. A researcher from Microsoft commented that Microsoft is designing new protocols, the EAP-TLS Internet draft (?).

-- How to Prove Where You Are: Tracking the Location of Customer Equipment
*Eran Gabber and Avishai Wool

The speaker pointed out that it is important to monitor the location of customer equipment in the direct broadcast satellite (DBS) industry, because service providers would like to prevent unauthorized movement of a customer's set-top terminal (STT) from a home to a public venue, or across an international border, for various financial, copyright and political reasons. The paper presents one existing scheme and three new schemes for detecting the movement of an STT using existing (or emerging) communication infrastructure. One scheme uses ANI and CND (Caller ID), the second uses GPS, the third uses the cellular phone enhanced 911 (E911) service, and the fourth uses the time-difference-of-arrival of the satellite's broadcast. The paper compares the accuracy, additional features, cost and vulnerability of the four schemes. All four schemes suffer from different attacks, and the problem is still open. Susan Landau pointed out that even though E911 is an emerging infrastructure, it does not follow that it can be used for this purpose; there could be policy restrictions on the use of E911, due to privacy issues and other reasons.
Doug Tygar pointed out that the fourth scheme suffers from the same attack as the existing scheme based on CND, because the signals can be relayed. Another person noted that STTs are also used in RVs; the speaker answered that there will be an additional policy for STTs in RVs. Another person also pointed out an easy attack on the fourth scheme: just change the altitude of the STT. The speaker agreed with this point.

-- Temporal Sequence Learning and Data Reduction for Anomaly Detection
*Terran Lane and Carla E. Brodley

The anomaly detection problem can be formulated as one of learning to characterize the behavior of an individual, system or network in terms of temporal sequences of discrete data. The paper uses an approach based on instance-based learning (IBL) techniques. One difficulty is that the base data is discrete and unordered, which makes existing techniques such as spectral analysis inapplicable. The paper presents a new greedy clustering technique. The scheme was tested on 8 people over 6 months. A person in the audience commented that large systems have a huge number of users, so we need much better accuracy and a much lower false identification rate. Another question raised was whether we can take advantage of the shell semantics. The answer was yes; there are many possibilities for gathering more information.

________________________________________________________________________
Conference announcements
________________________________________________________________________

DCCA. Dependable Computing for Critical Applications is dedicated to advancing the theory and practice of dependable computing for critical applications.
DCCA differs from other conferences on related topics in encouraging participation across all fields that contribute to dependable computing, and in its format as a working conference that provides ample time for discussion; these attributes provide for a stimulating meeting that facilitates cross-fertilization of ideas and interaction between researchers and practitioners. DCCA is being held at the Fairmont Hotel in San Jose, CA on January 6 through 8, 1999. Full registration details can be found at http://www.conjelco.com/dcca/ and full program details can be found at http://www.csl.sri.com/dcca

List of Accepted Papers
-----------------------
o The Taxonomy of Design Faults in COTS Microprocessors by Algirdas Avizienis and Yutao He of UCLA, USA
o Assessment of COTS Microkernels by Fault Injection by J.-C. Fabre, F. Salles, M. Rodriguez-Moreno, and J. Arlat of LAAS, France
o Minimalist Recovery Techniques for Single Event Effects in Spaceborne Microcontrollers by Douglas W. Caldwell and David A. Rennels of UCLA, USA
o Building Fault-Tolerant Hardware Clocks from COTS Components by Christof Fetzer and Flaviu Cristian of UCSD, USA
o A methodology for proving control systems with Lustre and PVS by S. Bensalem, P. Caspi, C. Parent-Vigouroux, and C. Dumas, D. Pilaud, VERIMAG, France
o Prototyping and Formal Requirement Validation of GPRS: A Mobile Data Packet Radio Service for GSM by Luigi Logrippo, Laurent Andriantsiferana, and Brahim Ghribi of University of Ottawa, Canada
o Formal Description and Validation for an Integrity Policy Supporting Multiple Levels of Criticality by A. Fantechi, S. Gnesi, and L. Semini of Università di Firenze, Italy
o Proteus: A Flexible Infrastructure to Implement Adaptive Fault Tolerance in AQuA by Chetan Sabnis, Michel Cukier, Jennifer Ren, William H. Sanders, David E.
Bakken, and David Karr of University of Illinois and BBN, USA
o Improving Performance of Atomic Broadcast Protocols Using the Newsmonger Technique by Shivakant Mishra and Sudha M. Kuntur of University of Wyoming, USA
o The Transparent Implementation of Fault Tolerance in the Time-Triggered Architecture by Hermann Kopetz and Dietmar Millinger of TU Vienna, Austria
o Formal Verification for Time-Triggered Clock Synchronization by Holger Pfeifer, Detlef Schwier, and Friedrich W. von Henke of University of Ulm, Germany
o PADRE: A Protocol For Asymmetric Duplex Redundancy by Didier Essame, Jean Arlat, and David Powell of LAAS, France
o Experimental Validation of High-Speed Fault-Tolerant Systems Using Physical Fault Injection by R. J. Martínez, P. J. Gil, G. Martín, C. Pérez, and J.J. Serrano of the University and Politecnica of Valencia, Spain
o A Model of Cooperative Noninterference for Integrated Modular Avionics by Ben L. Di Vito of ViGYAN/NASA Langley, USA
o Invariant Performance: A Statement of Task Isolation Useful for Embedded Application Integration by Matthew M. Wilding, David S. Hardin, and David A. Greve of Collins Commercial Avionics, USA
o A Model of Non-Interference for Integrating Mixed-Criticality Software Components by Bruno Dutertre and Victoria Stavridou of SRI International, USA
o Dependability Modeling and Evaluation of Phased Mission Systems: a DSPN Approach by Ivan Mura, Andrea Bondavalli, Xinyu Zang, and Kishor Trivedi of University of Pisa and CNUCE/CNR, Italy, and Duke University, USA
o Dependability Evaluation using a Multi-Criteria Decision Analysis Procedure by Divya Prasad and John McDermid of the University of York, UK
o Probabilistic Scheduling Guarantees for Fault-Tolerant Real-Time Systems by A. Burns, S. Punnekkat, L. Strigini and D. R.
Wright of the University of York and City University, UK
o Fault Detection for Byzantine Quorum Systems by Evelyn Pierce, Lorenzo Alvisi, Dahlia Malkhi, and Michael Reiter of University of Texas at Austin, and Bell Laboratories, USA

FC99, the third international conference on Financial Cryptography, will be held February 22-25, 1999, in Anguilla, British West Indies. FC99 aims to bring together persons involved in both the financial and data security fields to foster cooperation and exchange of ideas. The conference is organized by the International Financial Cryptography Association (IFCA). Additional information, including an online registration form, is available at http://fc99.ai/. In addition to the accepted papers listed below, the program will include an invited presentation by Adi Shamir (Weizmann Institute, Israel), a panel discussion on online certificate checking led by Michael Myers (VeriSign, U.S.A.), and a panel discussion on fair use, intellectual property, and the information economy led by Joan Feigenbaum (AT&T Labs, U.S.A.).

Papers accepted for presentation at FC99
----------------------------------------
o Experimenting with electronic commerce on the PalmPilot
  Neil Daswani, Dan Boneh (Stanford, U.S.A.)
o Blinding of credit card numbers in the SET protocol
  Hugo Krawczyk (Technion, Israel)
o Trustee tokens: Simple and practical anonymous digital coin tracing
  Ari Juels (RSA Laboratories, U.S.A.)
o A new approach for anonymity control in electronic cash systems
  Tomas Sander, Amnon Ta-Shma (ICSI, U.S.A.)
o E-cash systems with randomized audit
  Yacov Yacobi (Microsoft Research, U.S.A.)
o Assessment of counterfeit transaction detection systems for smart card based ecash
  Kazuo Ezawa, Gregory Napiorkowski, Mariusz Kossarski (Mondex International, U.S.A.)
o Reasoning about public-key certification: On bindings between entities and public keys
  Reto Kohlas, Ueli Maurer (ETH, Switzerland)
o Online certificate status checking in financial transactions: The case for re-issuance
  Barbara Fox, Brian LaMacchia (Microsoft, U.S.A.)
o Playing `hide and seek' with stored keys
  Adi Shamir (Weizmann Institute, Israel), Nicko van Someren (nCipher, England)
o On channel capacity and modulation in watermarking of digital still images
  Markus Breitbach, Hideki Imai (University of Tokyo, Japan)
o Towards making broadcast encryption practical
  Michel Abdalla (U.C. San Diego), Yuval Shavitt and Avishai Wool (Bell Labs, U.S.A.)
o Conditional access concepts and principles
  David Kravitz and David Goldschlag (Divx, U.S.A.)
o Anonymous authentication of membership in dynamic groups
  Stuart Schecter (Harvard), Todd Parnell, Alexander Hartemink (MIT, U.S.A.)
o Some open issues and new directions in group signatures
  Giuseppe Ateniese (Universita di Genova, Italy), Gene Tsudik (USC ISI, U.S.A.)
o Anonymous investing: Hiding the identities of stockholders
  Philip MacKenzie (Bell Labs, U.S.A.), Jeffrey Sorensen (IBM Research, U.S.A.)
o Fair on-line auctions without special trusted parties
  Stuart Stubblebine (AT&T Labs, U.S.A.), Paul Syverson (Naval Research Lab, U.S.A.)
o "Dynamic Fault"-robust cryptosystems meet organizational needs for dynamic control
  Yair Frankel and Moti Yung (CertCo, U.S.A.)
o Improved magic ink signatures using hints
  Markus Jakobsson (Bell Labs, U.S.A.), Joy Muller (Gutenberg University, Germany)

________________________________________________________________________
New Reports available via FTP and WWW
________________________________________________________________________

o http://www.atip.or.jp/public/atip.reports.98/atip98.096.html
ASIAN TECHNOLOGY INFORMATION PROGRAM (ATIP) REPORT: ATIP98.096 : Encryption: US & Japan
ABSTRACT: Cryptography (encryption) is a key component of the emerging "ecommerce" marketplace with both important technology and policy aspects. The US is shaping the structure of the encryption discussion, followed closely by the EU. Japan is taking a peripheral role and hoping to contribute strong technologies and products, but not currently attempting to shape policy. This report discusses and compares current US and Japan policy efforts and summarizes the availability of several Japanese encryption products.
KEYWORDS: Electronic Commerce, Computer Software/Hardware, Government Policy on Science & Technology
COUNTRY: Japan

o http://www.eskimo.com/~weidai
Wei Dai's PipeNet 1.1
"I've discovered some attacks against the original PipeNet design. The new protocol, PipeNet 1.1, should fix the weaknesses. PipeNet 1.1 uses layered sequence numbers and MACs. This prevents a collusion between a receiver and a subset of switches from tracing the caller by modifying or swapping packets and then watching for garbage. Also available there is a description of b-money, a new protocol for monetary exchange and contract enforcement for pseudonyms."

o http://crec.bus.utexas.edu/workshop/ecdraft.html
"NSF Workshop Report: Research Priorities in Electronic Commerce. A draft of the NSF-sponsored Workshop on Research Priorities in Electronic Commerce is now ready for your comments and suggestions."

o http://www.defenselink.mil/admin/dod_web_policy_12071998.pdf
New US Dept.
of Defense Web Site Policy ________________________________________________________________________ New Interesting Links on the Web ________________________________________________________________________ o http://www.iacr.org/newsletter/ Homepage of the new electronic version of the IACR (International Association for Cryptologic Research) newsletter. o http://www.fitug.de/news/wa/ Web page giving the list of "dual-use goods and technologies" of the Wassenaar Arrangement on export control. o http://www.wassenaar.org/ Home page for the Wassenaar Arrangement. Links to documents, list of dual-use goods and technologies (RTF and Word6.0 formats only), links to related sites for signatory nations, more. o http://www.softprot.demon.co.uk "The British Computer Society Software Protection Specialist Group is compiling a web page (http://www.softprot.demon.co.uk) to cite developments in the field of software protection. If you are interested in participating please submit up to 100 word summaries of your publications (and others which are relevant) with citations to other references and links to other work. Your name email/web site will also be quoted. Please also indicate the section it should be listed under eg: Steganography; Cryptography etc." 
________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

S Johann Bezuidenhoudt
Mobile Telephone Networks MTN South Africa
Private Bag 9955
Sandton 2146
South Africa
e-mail: johann.bezuidenhoudt@saiee.org.za
Tel: +27 83 200 3000

Christian Cachin
IBM Zurich Research Laboratory
Saumerstrasse 4
CH-8803 Rueschlikon
Switzerland
email: cachin@acm.org
tel: +41-1-724-8989
fax: +41-1-724-8953

Dan Wallach
Rice University
Department of Computer Science
Duncan Hall 3121
6100 Main Street
Houston, TX 77005 USA
Tel: +1-713-737-6155
Fax: +1-713-285-5930
E-Mail: dwallach@cs.rice.edu
Web: http://www.cs.rice.edu/~dwallach

Tom Van Vleck
TransIlluminant
San Francisco
E-mail: thvv@multicians.org
(No phone or office address available at post time.)

________________________________________________________________________
Calls for Papers (full list on Web)
________________________________________________________________________

CONFERENCES
Listed earliest deadline first. See also Cipher Calendar.

NATO Symposium: Protecting NATO Information Systems in the 21st Century, October 25-27, 1999, Naval Research Laboratory, Washington, D.C. (Papers due March 31, 1999). This Symposium will deal with the common NATO interest in information defense. Abstracts and papers are sought of several kinds:
o Survey, tutorial, and operational papers that expose relevant issues or practices of operational and information assurance. Papers addressing either technology areas or measures taken to protect particular NATO and NATO allied information systems and networks are appropriate.
o Papers describing current research results in relevant technology areas.
o Papers projecting requirements and solutions for protecting information in future, 21st century NATO computer systems and networks.
Topics of interest include, but are not limited to:
o Information Warfare threats to NATO and NATO allied information systems and infrastructures
o Vulnerabilities of COTS components
o Authentication in mobile and distributed systems
o Emissions security, including "Soft TEMPEST"
o Security analysis of crypto and communication protocols
o Information system survivability and architecture
o Co-ordinated threat analysis, incident detection, and response
o Maintaining data origin in NATO and NATO allied information systems
o Role of Information Warfare and Information Protection in future military conflicts
Abstracts of up to 350 words in either English or French are due by e-mail (ascii preferred) by 15 DECEMBER 1998. U.S. authors should e-mail abstracts to Landwehr@itd.nrl.navy.mil; non-U.S. authors should follow submission guidelines found in the full call for papers available at www.baesema.co.uk/rfp/rfp.htm, or send e-mail to gouaya@agard.nato.int requesting the full call for papers. The conference is being organized under the auspices of the Information Systems Technology Panel of NATO's Research and Technology Organization.

IMACS-IEEE'99, Special Session on Applied Coding, Cryptology and Security, July 4-8, 1999. (One page abstracts due January 4, 1999; full papers due February 25, 1999). www.softlab.ntua.gr/~mastor/CSCC99.htm. Prospective authors are invited to submit original papers in any of the following subject categories:
o Implementation of coding schemes and cryptosystems
o Applied Cryptanalytic and Decoding Techniques
o Network Security and Encryption
o Security for Web technologies and applications
Post Conference Publications will be published in books of The World Scientific Publishing Company. Contact details for the Special Session: Dr. Nineta Polemi, Institute of Communications & Computer Systems (ICCS), National Technical University of Athens (NTUA), e-mail: polemi@softlab.ece.ntua.gr, URL: http://secgroup.iccs.ntua.gr/.

MobiCom'99, The Fifth Annual International Conference on Mobile Computing and Networking, Seattle, Washington, USA, August 15-19, 1999. (Papers, tutorial and panel proposals due: January 15, 1999). Technical papers describing previously unpublished, original, completed research, not currently under review by another conference or journal, are solicited on topics related to mobile computing. (Please see the call-for-papers web site for detailed areas of interest along with submission instructions.) Additionally, MobiCom solicits short papers (8 pages max.) for the new "Next Century Challenges" session, along with proposals for tutorials and panel sessions. Information can be found at www.acm.org/sigmobile/, or you can contact the Program Co-Chairs, Tomasz Imielinski, imielins@cs.rutgers.edu, Tel: +1 732 445-3546, Fax: +1 732 445-1003; and Martha Steenstrup, msteenst@bbn.com, Tel: +1 617 873-3912, Fax: +1 617 873-6091; or the Local Chair, Randy Granovetter, randygr@microsoft.com, Tel: +1 425 703-7446, Fax: +1 425 936-7329.

WISE1, 1st World Conference on Information Security Education, June 17-19, 1999, Stockholm, Sweden. (Submissions due: January 30, 1999, extended deadline). IFIP Working Group 11.8 (IT Security Education) invites you to contribute to their activities by submitting papers and panel suggestions for the first world conference, to be held at the Department of Computer and System Sciences (DSV), Stockholm University. Potential topics include teaching (and assessment) of computer security education for audiences in academia, industry, the military, and IT professionals. Please see the conference web page at www.dsv.su.se/WISE1/cfp.htm for a detailed list of topics and for instructions for submitting an original paper.
Workshop on User Identification and Privacy Protection - Applications in Public Administration and Electronic Commerce, June 14-15, 1999, Stockholm, Sweden. (Submissions due January 30, 1999). The workshop will focus on legal, social, technical and organisational aspects of information infrastructures and of new applications, particularly in the area of Electronic Commerce and Public Administration. Invited topics include, but are not limited to, the following:
Digital Signature Schemes:
o Public Key Infrastructures
o Implementation of Pseudonyms
o TTP Certification / Regulation
o Liability of TTPs
o Law Enforcement Implications / Activities
o Applications in Public Administration or Electronic Commerce
Protection of Privacy and Confidentiality in the GII:
o IT Misuse and Risks
o Confidentiality vs. Identification of Communication Partners
o Anonymity: A right to?, Legislation, Implications (e.g., potential misuse)
o Technical solutions: Privacy Enhancing Technologies
o State Regulations vs. Self-Regulation
o Cryptographic Policies and Crypto Debate
o Applications in Public Administration or Electronic Commerce
We especially welcome the submission of general papers discussing these topics or application-oriented papers focusing on problems and solutions for the application areas Public Administration and Electronic Commerce. Authors are requested to submit either an extended abstract (4-5 pages) or a full paper (up to 15 pages). Each paper must have an abstract and a list of keywords. Papers or extended abstracts must be written and presented in English and should be sent to: Dr. Simone Fischer-Hübner; Department of Computer and Systems Sciences (DSV); Stockholm University / KTH; Electrum 230; S-164 40 Kista; Tel.: +46-8-161606; Fax: +46-8-703 90 25; Email: simone@dsv.su.se. The conference web page is at www.dsv.su.se/IFIP-WG-9.6/Cfp-ws85-96.htm.

AES'99, Second Advanced Encryption Standard (AES) Candidate Conference, Hotel Quirinale, Rome, Italy, March 22-23, 1999.
(Submissions due: February 1, 1999). This conference is for an international audience consisting of cryptographers and other interested parties, who wish to participate in the evaluation and analysis of the fifteen candidate algorithms for the Advanced Encryption Standard (AES). This conference is being held immediately preceding the Fast Software Encryption Workshop 1999 (FSE6), scheduled for March 24-26, 1999 at the same venue. The format is primarily panel presentations and discussion by experts who have analyzed the candidate algorithms for security, efficiency, and other characteristics. Audience members and algorithm submitters will have an opportunity to question the panel regarding their findings. Simply put, the purpose of this conference will be to help answer the question: "Which algorithms merit selection for Round 2 and why?" Registration Contact: Lori Phillips Buckland, NIST, Building 101, Room B116, Gaithersburg, MD 20899-0001, phone: 301/975-4513, fax: 301/948-2067, email: Lori Phillips. Technical Contact: Miles Smid, NIST, Building 820, Room 426, Gaithersburg, MD 20899-0001, phone: 301/975-2938, fax: 301/948-1233, email: Miles Smid; or Jim Foti, NIST, Building 820, Room 426, Gaithersburg, MD 20899-0001, phone: 301/975-5237, fax: 301/948-1233, email: Jim Foti. More information can be found on the conference web page at csrc.nist.gov/encryption/aes/round1/conf2/aes2cfp.htm.

CRYPTO'99, Nineteenth Annual IACR Crypto Conference, Santa Barbara, California, USA, August 15-19, 1999. (Submissions due February 8, 1999). Original papers on all technical aspects of cryptology are solicited for submission to Crypto'99. Authors are strongly encouraged to submit their papers electronically (see www.iacr.org/conferences/c99/submit.html for details). Other information, including contacts and a procedure for submitting a paper through FAX or mail, is given on the conference web page at www.iacr.org.
FM99 Mini-track on Security, Toulouse, France, September 20-24, 1999. (Submissions due February 14, 1999). The FM99 Mini-track on Security is concerned with the role of formal methods in the development of secure systems. The FM99 security mini-track will be a unique opportunity for people interested in computer security to exchange their views with researchers and members of the industrial community developing new formal methods or applying them to other critical system properties. The security mini-track is seeking both technical papers and industrial experience reports dealing with the application and development of formal methods for secure systems. All papers submitted in response to this specific mini-track Call for Papers should be sent to and reach Dr James Woodcock by February 14, 1999 (notification of acceptance is May 14, 1999). The cover sheet must include the SECURITY key-word. Please refer to the general technical symposium Call for Papers for applicable paper evaluation criteria and submission rules. Mini-track contacts: P Bieber, P Y A Ryan.

13th IFIP WG11.3 Working Conference on Database Security, Seattle, Washington, USA, July 26-28, 1999. (Papers and panel proposals due: February 15, 1999). The conference provides a forum for presenting original unpublished research results, practical experiences, and innovative ideas in database security. Papers and panel proposals are solicited. Submit PostScript versions of papers up to 5000 words and panel proposals by February 15, 1999 to Vijay Atluri (atluri@andromeda.rutgers.edu), MS/IS Department, Rutgers University, 180 University Ave., Newark, NJ 07102, USA. Details on IFIP WG11.3 and the conference are available at www.cs.rpi.edu/ifip/.

8th USENIX Security Symposium, JW Marriott Hotel, Washington, D.C., USA, August 23-26, 1999. (Submissions due: March 9, 1999).
The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in security and applications of cryptography. If you are working in any practical aspect of security or applications of cryptography, the program committee urges you to submit a paper by March 9, 1999. The symposium will last four days: two days of tutorials followed by two days of technical sessions including refereed papers, invited talks, works-in-progress, and panel discussions. More information can be found on the conference web page at www.usenix.org/events/sec99/.

IICIS99, Third Annual IFIP TC-11 WG 11.5 Working Conference on INTEGRITY and INTERNAL CONTROL in INFORMATION SYSTEMS: Strategic views on the need for control, Amsterdam, The Netherlands, November 18-19, 1999. (Submissions due: April 1, 1999). Confidentiality, integrity and availability are high-level objectives of IT security. IFIP TC-11 Working Group 11.5 has been charged with exploring the area of the integrity objective within IT security and the relationship between integrity in information systems and the overall internal control systems that are established in organizations to support corporate governance codes. The goals for this conference are to find answers to the following questions: what precisely do business managers need in order to have confidence in the integrity of their information systems and their data; what is the status quo of research and development in this area; where are the gaps between business needs on the one hand and research and development on the other, and what needs to be done to bridge these gaps. We solicit papers describing original ideas and research results on foundations and applications related to the subject of integrity and internal control in information systems. Business cases are also explicitly solicited.
A complete list of topics of interest along with instructions for authors can be found on the conference web page at www.ifip.tu-graz.ac.at/TC11/CONF/IICIS99, or you may contact Leon Strous, tel.: +31 20 5242748 / +31 492 548636 (also fax), e-mail: strous@iaehv.nl.

HASE'99, Fourth IEEE Symposium on High Assurance Systems Engineering, Washington, DC Metropolitan Area, USA, November 17-19, 1999. (Papers due: April 7, 1999). The HASE Symposium is a forum for discussion of systems engineering issues specifically for high-assurance systems. The focus this year is on embedded systems, although submissions will be welcomed in all areas related to high assurance issues. Submissions are due April 7, 1999, to Catherine Meadows, Program Chair, meadows@itd.nrl.navy.mil. More information may be found at www.eng.umd.edu/hase99.

ICICS'99, The Second International Conference on Information and Communication Security, Sydney, Australia, November 1999. (Papers due: May 1, 1999). Original papers may present theory, techniques, applications and practical experiences on a variety of topics including:
o Access control
o Authentication
o Electronic commerce
o Applied cryptography
o Viruses and worms
o Distributed system security
o Database security
o Security policy
o Key management
o Mobile system security
o Auditing and accounting
o Network security
o Security protocols
o Secure operating systems
o Security architectures & models
o Security management
o Secure intelligent agents
o Software protection
o Security evaluation & certification
o Smartcards and PDAs
Detailed submission instructions can be found on the conference web page at icics99.cit.nepean.uws.edu.au/.

IHW'99, Third International Workshop on Information Hiding, Dresden, Germany, Sept. 29 - Oct. 1, 1999. (Submissions due: June 1, 1999). Many researchers are interested in hiding information or in stopping other people doing this.
Current research themes include copyright marking of digital objects, covert channels in computer systems, detection of hidden information, subliminal channels in cryptographic protocols, low-probability-of-intercept communications, and various kinds of anonymity services ranging from steganography through location security to digital elections. Interested parties are invited to submit papers on research and practice which are related to these areas of interest. Submissions can be made electronically (pdf or postscript) or in paper form; in the latter case, send eight copies. Papers should not exceed fifteen pages in length and should adhere to the guidelines of the LNCS series (www.springer.de/comp/lncs/instruct/typeinst.pdf). Address for submission: pfitza@inf.tu-dresden.de; Andreas Pfitzmann, Dresden University of Technology, Computer Science Department, D 01062 Dresden, Germany.

JOURNALS
Special Issues of Journals and Handbooks: listed earliest deadline first.

IEEE Communications Magazine, Feature Topic Issue on The Provision of Communication Services over Hybrid Networks (publication: July 1999). Guest Editors: Jean-Pierre Hubaux and David Nagel. (Submissions due: January 5, 1999). This Feature Topic Issue is devoted to the architecture and provision of services over hybrid networks. Topics of interest include:
o Creation of hybrid services
o Deployment of hybrid services
o Operation and management of hybrid services
o Validation of hybrid services
o Middleware for hybrid services
o Network planning and dimensioning
o New hybrid services: access to Internet services from cellular terminals, access to the PSTN from a mobile IP phone, hybrid call centers, ...
o Traffic control and performance issues related to hybrid services
o Security of hybrid services
o Billing of hybrid services
o Hybrid services involving other access networks (cable, ATM, WLANs, ...)
o Mobility-related services
o Terminals for hybrid services
o Computer Telephony Integration services
o Partial replacement of telecom equipment by Internet technology for the control and/or transport of voice services
o Dependability and scalability of hybrid services
Tutorial and survey papers will be considered for acceptance. Research papers will be considered as well, provided that they are understandable and informative for non-specialists of the area covered by this issue. Although the Feature Topic Issue is essentially devoted to technical aspects, prospective authors are also encouraged to address economic and/or regulatory questions. Authors are requested to send e-mail by January 5 to both guest editors (see below), giving a URL where the guest editors can review the article, preferably in HTML format with GIF artwork (postscript or pdf format is also accepted). Potential authors may wish to consult the author information and guidelines, which are given at pubs.comsoc.org/ci1/. Note: there is currently a call for papers for a joint Feature Topic Issue of IEEE Network and IEEE Internet Computing magazines on Internet telephony, to be edited by Henning Schulzrinne. There are some commonalities between the two Feature Topic Issues. However, the focus of each of them is different, and appropriate coordination efforts will be made to avoid overlaps. Guest Editors: Jean-Pierre Hubaux, Swiss Fed. Inst. of Technology, Lausanne, on leave at the Univ. of California, Berkeley, until January 9, 1999, EECS Dept, 267 Cory Hall, Berkeley, CA 94720, USA, tel: +1-510-642-9719, fax: +1-510-642-2845, hubaux@diva.EECS.Berkeley.EDU; and David Nagel, President, AT&T Labs, 295 North Maple Avenue, Basking Ridge, NJ 07920, USA, tel: +1-908-221-2903, dnagel@att.com.

A special issue of IEEE Computer, A baseline on security strategies for the emerging broadband environment. Guest Editors: Dr. Patrick Dowd and Dr. John McHenry. (Submissions due: January 15, 1999).
This special issue will focus attention on the integration of networking and endpoint security. It will pull together both IP and ATM networking security strategies and examine methods that will allow homes and offices to safely explore the opportunities provided by a "connected" environment. Topics including the emerging broadband networking environment, IP and ATM security, integrated security strategies, and security analysis are of particular interest. Only electronic submissions (postscript, Adobe Acrobat, MS Word, or Framemaker) will be considered - paper copies will not be accepted. Please contact one of the guest editors if you have any questions. GUEST EDITORS: Dr. Patrick W. Dowd, University of Maryland, Department of Electrical Engineering, A.V. Williams Building, College Park, MD 20742, and Dr. John McHenry, U.S. Department of Defense, National Security Agency, Suite 6512, Ft Meade, MD 20755-6512. A special issue of IEEE Transactions on Software Engineering, Special Issue on Current Trends in Exception Handling, (abstracts due: February 15, 1999; papers: March 1, 1999). 
This special issue invites papers with focus on research results, experience reports, and brief survey/tutorials on emerging research challenges related to exception handling in (but not limited to) the following areas: Models and paradigms for exception handling Language facilities for exception handling: Functional languages; Procedural languages; OO languages Exception mechanisms and their applications Application specific problems: Asynchronous systems and concurrent programming; Mobile code execution in distributed systems; Real-time and safety critical systems; Databases and transaction management systems; Distributed collaboration systems; Fault-tolerant computing; Security in high confidence systems; Interactive systems; Operating systems and middleware Validation of exception handling: Reasoning about exceptions and their handling in specific application areas; (General) testing techniques for exceptions and their handling Case studies and experiences in large-scale systems An electronic version of the abstract should be sent to A. Romanovsky at: alexander.romanovsky@ncl.ac.uk Full submissions should be forwarded to one of the guest editors (electronic submissions are encouraged). More information can be found at www.cs.ncl.ac.uk/people/alexander.romanovsky/home.formal/se.html. A special issue of IEEE Journal on Selected Areas in Communications (JSAC) Special Issue on Network Security. Publication date: January, 2000. Guest Editors: Hilarie Orman, Ueli Maurer, Stephen Kent, and Stephen Bellovin. (submissions due: February 5, 1999). This special issue of JSAC will be devoted to recent research results that describe or forecast significant changes in the feasibility of delivering security solutions (such as major improvements in cryptographic efficiency), or describe progress in areas that have been especially difficult, or are relevant to newer technologies, such as optical or mobile wireless communication. 
Of special interest are papers that relate their results to use on the Internet today or to use on next generation networks. Papers are solicited in the following areas: Cryptography-based network systems, such as secure private networks and transactional security; Public-key infrastructures; Applying new cryptographic methods to network communication; New cryptographic protocols supporting secure network systems; Anonymous communication; Recent cryptographic theory advances; Optical network security; Mobile wireless network security; Formal analysis of network security systems; Trends in network-based attacks; Secure group communication; Policy expression and enforcement. Papers in strongly related areas, especially those involving novel technologies, are also encouraged. Manuscripts to be considered for submission should be sent by email to Hilarie Orman (ho@cs.arizona.edu) by February 5, 1999. The manuscripts must be in Postscript, viewable in ghostscript, or six copies can be sent by mail; contact Hilarie Orman well prior to the deadline for the mailing address. Please note the IEEE formatting requirements; information for authors can be found at: gump.bellcore.com:5000/Guidelines/info.html The JSAC home page is at gump.bellcore.com:5000. ACM Transactions on Software Engineering and Methodology Special issue on Software Engineering and Security. Guest Editors: Premkumar Devanbu (UC Davis) and Stuart Stubblebine (AT&T Labs--Research) (submissions due: April 1, 1999). Software system security issues are no longer only of primary concern to military, government or infrastructure systems. Every palmtop, desktop and TV set-top box contains or will soon contain networked software. This software must preserve desired security properties (authenticity, privacy, integrity) of activities ranging from electronic commerce, electronic messaging, and browsing. 
In addition, software is no longer a monolithic shrink-wrapped product created by a single development organization with a well-defined software process. Instead, it is composed of components constructed by many different vendors following different practices. Indeed, software may even contain with the need for vendors to protect their proprietary information. The issue of providing assurance without full disclosure has been studied in security research, and needs to be applied to this problem. The specific issues of interest and instructions for authors can be found at www.research.att.com/~stubblebine/tosem.html.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
________________________________________________________________________

MA'98 - 2nd International Workshop on Mobile Agents, Stuttgart, Germany, September 9-11, 1998 [Security-related papers only]
o Mobile Agents and Intellectual Property Protection. S. Belmon and B. Yee
o Ensuring the Integrity of Agent-Based Computations by Short Proofs. I. Biehl and S. Wetzel
o Protecting the Computation Results of Free-roaming Agents. G. Karjoth, N. Asokan and C. Gulcu

ACM Multimedia'98 - The 6th ACM International Multimedia Conference, Bristol, UK, September 12-16, 1998 [Security-related papers only]
o Content-Based Watermarking of Images. M. Kankanhalli, Rajmohan, and K. Ramakrishnan
o Robust MPEG Video Watermarking Technologies. J. Dittmann, M. Stabenau, and R. Steinmetz
o A Fast MPEG Video Encryption Algorithm. Ch. Shi and B. Bhargava
o Protecting VoD the Easier Way. C. Griwodz, O. Merkel, J. Dittmann and R. Steinmetz

IC3N'98 - 7th International Conference on Computer Communications and Networks, Louisiana, USA, October 12-15, 1998 [Security-related papers only]
o On the Vulnerability and Protection of OSPF Routing Protocol. F. Wang and S. Felix Wu
o Enhance Network Security with Dynamic Packet Filter. H. Julkunen and C. Chow
o An Evolutionary Approach to Multilaterally Secure Services in ISDN/IN. R. Sailer
o System Survey: Building an Authenticity Profile (S). J.-J. Bascou
o Analysis of A Non Repudiation Authentication Protocol For Personal Communication Systems. J. Stach and E. Park

SRDS'98 - 17th IEEE Symposium on Reliable Distributed Systems, West Lafayette, IN, USA, October 21-22, 1998 [Security-related papers only]
o Secure and Scalable Replication in Phalanx. D. Malkhi and M. Reiter
o Safe and Efficient Active Network Programming. S. Thibault, C. Consel and G. Muller
o A Secure Auction-like Negotiation Protocol for Agent-based Internet Trading. X. Yi, X. Wang, and K. Lam
o Design and Verification of a Secure Electronic Auction Protocol. S. Subramanian

5th ACM Conference on Computer and Communications Security, San Francisco, USA, November 2-5, 1998
o Communication complexity of group key distribution. K. Becker and U. Wille
o Key management for encrypted broadcast. A. Wool
o Authenticated group key agreement and related protocols. G. Ateniese, M. Steiner, and G. Tsudik
o The design, implementation and operation of an email pseudonym server. D. Mazieres and M. Frans Kaashoek
o History-based access-control for mobile code. G. Edjlali, A. Acharya, and V. Chaudhary
o A specification of Java loading and bytecode verification. A. Goldberg
o A new public key cryptosystem based on higher residues. D. Naccache and J. Stern
o An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. R. Gennaro, D. Micciancio, and T. Rabin
o Communication-efficient anonymous group identification. A. De Santis, G. Di Crescenzo, and G. Persiano
o A security architecture for computational grids. I. Foster, C. Kesselman, G. Tsudik, and S. Tuecke
o Design of a high-performance ATM firewall. J. Xu and M. Singhal
o A practical secure physical random bit generator. M. Jakobsson, E. Shriver, B. Hillyer, and A. Juels
o A probabilistic poly-time framework for protocol analysis. P. Lincoln, J. Mitchell, M. Mitchell, and A. Scedrov
o On using public-key cryptography in password protocols. S. Halevi and H. Krawczyk
o Cryptanalysis of Microsoft's point-to-point tunneling protocol. B. Schneier and Mudge
o How to prove where you are. E. Gabber and A. Wool
o Temporal sequence learning and data reduction for anomaly detection. T. Lane and C. Brodley

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
by Anish Mathuria
_______________________________________________________________________

IEEE Network, Vol. 12, No. 3 (May/June 1998):
o D. Scott Alexander, W. Arbaugh, M. Hicks, P. Kakkar, A. Keromytis, J. Moore, C. Gunter, S. Nettles and J. Smith. The SwitchWare Active Network Architecture. pp. 29-36.
o D. Scott Alexander, W. Arbaugh, A. Keromytis and J. Smith. A Secure Active Network Environment Architecture: Realization in SwitchWare. pp. 37-45.

Information Processing Letters, Vol. 66, No. 6 (June 1998):
o T.-M. Hsieh, Y.-S. Yeh, Y.-C. Hsieh and C.-C. Wang. A homophonic DES. pp. 317-320.

Computer Communications, Vol. 21, No. 7 (June 1998):
o B. Soh and S. Young. Distributed computing: an experimental investigation of a malicious denial-of-service applet. pp. 670-674.

Computer Communications, Vol. 21, No. 13 (September 1998):
o R. Hunt. Internet/Intranet firewall security - policy, architecture and transaction services. pp. 1107-1123.
o R.-J. Hwang and C.-C. Chang. An on-line secret sharing scheme for multi-secrets. pp. 1170-1176.

IEEE Transactions on Parallel and Distributed Systems, Vol. 9, No. 9 (September 1998):
o M. Naor and A. Wool. Access Control and Signatures via Quorum Secret Sharing. pp. 909-922.

IEEE Transactions on Software Engineering, Vol. 24, No. 9 (September 1998):
o S. Schneider. Verifying Authentication Protocols in CSP. pp. 741-758.

IEEE Transactions on Information Theory, Vol. 44, No. 5 (September 1998):
o D. Boneh and J. Shaw. Collusion-Secure Fingerprinting for Digital Data. pp. 1897-1905.

Information and Computation, Vol. 146, No. 1 (October 1998):
o C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro and M. Yung. Perfectly Secure Key Distribution for Dynamic Conferences. pp. 1-23.

Theory and Practice of Object Systems, Vol. 4, No. 3 (1998):
o E. Bertino, E. Ferrari and P. Samarati. Mandatory Security and Object-Oriented Systems: A Multilevel Entity Model and Its Mapping onto a Single-Level Object Model. pp. 183-204.

IEEE Communications Magazine, Vol. 36, No. 10 (October 1998):
o D. Alexander, W. Arbaugh, A. Keromytis and J. Smith. Safety and Security of Programmable Network Infrastructures. pp. 84-86, 91-92.

IEICE Transactions on Information and Systems, Vol. E81-D, No. 10 (October 1998):
o T.-J. Son, K.-Y. Whang, W.-Y. Kim and I.-Y. Song. A Conflict Detection Mechanism for Authorization Using Intention Types in Object-Oriented Database Systems. pp. 1053-1063.

IEEE Transactions on Computers, Vol. 47, No. 10 (October 1998):
o M. Kuhn. Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP. pp. 1153-1157.

Information Processing Letters, Vol. 68, No. 3 (November 1998):
o C. Padro. Robust vector space secret sharing schemes. pp. 107-112.

Dr. Dobb's Journal, Vol. 23, No. 12 (December 1998):
o A. Ramanujapuram and P. Ram. Digital Content & Intellectual Property Rights. pp. 20-27.
o B. Schneier. The Twofish Encryption Algorithm. pp. 30-38.
o J. Daemen and C. Clapp. The Panama Cryptographic Function. pp. 42-49.
o T. Aslam. Protocols for E-Commerce. pp. 52-58.
o P. Trout. Domain Usage Tracking for Windows NT. pp. 60-65.
o E. Conklin. Smart Cards and the Open Terminal Architecture. pp. 70-80.
o B. Preneel, V. Rijmen and A. Bosselaers. Principles and Performance of Cryptographic Algorithms. pp. 126-131.
IEEE Computer, Vol. 31, No. 12 (December 1998):
o C. Irvine, S.-K. Chin, and D. Frincke. Integrating Security into the Curriculum. pp. 25-30.

________________________________________________________________________
Calendar
________________________________________________________________________

====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================

"CWP" indicates there is a hyperlink to a conference web page on the Cipher Web pages. (In many cases there is such a link even though mention is not made of it here, to save space.)

Dates                Event, Location                          Point of Contact/ more information
-----                ---------------                          ----------------------------------
12/18/98-12/19/98:   ICICS '98, Seoul, Korea; CWP
 1/ 4/99- 1/ 6/99:   WECS '99, Pacific Grove, California; CWP
 1/ 5/99- 1/ 8/99:   ECT of HICSS-32, Maui, Hawaii; CWP
 1/ 5/99:            IEEE Communications Mag, Hybrid Networks, submissions due
 1/ 6/99- 1/ 8/99:   DCCA-7 at San Jose, California; CWP
 2/ 3/99- 2/ 5/99:   NDSS '99, San Diego, California; CWP
 2/ 5/99:            JSAC Special Issue on Network Security, subs due to ho@cs.arizona.edu
 2/14/99:            FM '99, Toulouse, France, CWP, security mini-track submissions due
 2/15/99:            TSEEH, Journal Web page
 2/15/99:            IFIP WG11.3, Seattle, WA; CWP; Subs due - atluri@andromeda.rutgers.edu
 2/22/99- 2/25/99:   FC '99, CWP
 3/ 1/99- 3/ 3/99:   PKC 99, Kanto Japan, CWP
 3/22/99- 3/23/99:   Second AES, Rome, Italy; CWP
 3/24/99- 3/26/99:   FSE 6, Rome, Italy; CWP
 3/27/99- 3/30/99:   ICEIS '99, Setubal, Portugal; CWP
 4/11/99- 4/12/99:   USENIX IDS, Santa Clara, California; CWP
 5/ 2/99- 5/ 6/99:   Eurocrypt '99, Prague, Czech Republic; CWP
 5/ 9/99- 5/12/99:   IEEE S&P 99, Oakland, CA; CWP
 5/11/99- 5/14/99:   11th CITSS, Ottawa; no e-mail address available
 6/ 1/99:            WIH '99, Dresden, Germany; Submissions to pfitza@inf.tu; [*]
 6/ 5/99:            WSS '99, Austin, Texas; CWP
 6/21/99- 6/23/99:   ICATM '99, Colmar, France; CWP
 7/ 6/99- 7/ 8/99:   ISCC '99, Sharm El Sheikh, Red Sea, Egypt; CWP
 7/26/99- 7/28/99:   IFIP WG11.3, Newark, NJ; CWP
 8/15/99- 8/19/99:   MobiCom 99, Seattle, Washington; CWP
 8/15/99- 8/19/99:   Crypto '99, Santa Barbara, California; CWP
 8/23/99- 8/26/99:   8th USENIX Security Symposium, Washington D.C.; CWP
 9/20/99- 9/24/99:   FM '99, Toulouse, France; CWP
 9/29/99-10/ 1/99:   WIH '99, Dresden, Germany
 9/22/99- 9/24/99:   NSPW '99, Ontario, Canada
 4/30/00- 5/ 3/00:   IEEE S&P 00, Oakland; no e-mail address available
 5/16/00- 5/19/00:   12th CITSS, Ottawa; no e-mail address available

Key:
* ACISP = Australasian Conference on Information Security and Privacy
* ACSAC = Annual Computer Security Applications Conference
* AES = Advanced Encryption Standard Candidate Conference
* CCS = ACM Conference on Computer and Communications Security
* CCSS = Annual Canadian Computer Security Symposium (see CITSS)
* CITSS = Canadian Information Technology Security Symposium
* CFP = Conference on Computers, Freedom, and Privacy
* CRYPTO = IACR Annual CRYPTO Conference
* CSFW = Computer Security Foundations Workshop
* DCCA = Dependable Computing for Critical Applications
* DOCSec = Second Workshop on Distributed Object Computing Security
* ECC = Workshop on Elliptic Curve Cryptography
* ECT = Electronic Commerce Technologies Track of HICSS-32
* ECDLP = Workshop on the Elliptic Curve Discrete Logarithm Problem
* ESORICS = European Symposium on Research in Computer Security
* EUROCRYPT = IACR Annual CRYPTO workshop in Europe
* FC = IFCA Annual Financial Cryptography Conference
* FM = World Congress on Formal Methods
* FSE = Fast Software Encryption Workshop
* HASE = High-Assurance Systems Engineering Workshop
* HICSS-32 = 32nd Hawaii International Conference on System Sciences
* IEEE S&P = IEEE Symposium on Security and Privacy
* ICATM = International IEEE Conference on ATM
* ICEIS = International Conference on Enterprise Information Systems
* ICICS = International Conference on Information and Communications Security
* IFIP/SEC = International Conference on Information Security (IFIP TC11)
* IFIP WG11.3 = IFIP WG11.3 11th Working Conference on Database Security
* INET = Internet Society Annual Conference
* ISCC = IEEE Symposium on Computers and Communications
* JCS = Journal of Computer Security
* MOBICOM = Mobile Computing and Networking
* NCISSE = National Colloquium for Information Systems Security Education
* NISS = National Information Systems Security Conference
* NSPW = New Security Paradigms Workshop
* PKC = Practice and Theory in Public Key Cryptography
* RAID = Workshop on the Recent Advances in Intrusion Detection
* RBAC = ACM Workshop on Role-based Access Control
* SAC = Workshop on Selected Areas of Cryptography
* SETA = Sequences and their Applications
* NDSS = Symp. on Network and Distributed System Security (Internet Society)
* TSEEH = IEEE Trans. on Soft. Eng. Special Issue on Exception Handling
* USENIX IDS = USENIX Workshop on Intrusion Detection and Network Monitoring
* USENIX Sec = USENIX Security Symposium
* WDAG = Workshop on Distributed Algorithms (now DISC)
* WECS = Workshop on Education in Computer Security
* WFMSP = Workshop on Formal Methods and Security Protocols
* WIH = Workshop on Information Hiding
* WSLSDS = Workshop on Security in Large-Scale Distributed Systems
* WSS = Workshop on Self-Stabilizing Systems

________________________________________________________________________
Listing of Academic (Teaching and Research) Positions in Computer Security
maintained by Cynthia Irvine
________________________________________________________________________

* Swiss Federal Institute of Technology, Lausanne (EPFL), Communications System Section
  Assistant, Associate, or Full Professor in Security of Communication and Information Systems
  Date closed: January 9, 1999
  http://sscwww.epfl.ch

* Dept. of Electrical and Computer Engineering, Iowa State University, Ames, Iowa
  Assistant, Associate, or Full Professor in Computer Engineering (special interest in networks and security)
  Date closed: December 15, 1997, or until filled
  http://vulcan.ee.iastate.edu/~davis/job-ad.html

* Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA
  Visiting Professor (9/98)
  http://www.cs.nps.navy.mil/research/cisr/jobs/npscisr_prof_ad.html

* Department of Computer Science, Florida State University, Tallahassee, FL
  Tenure-track positions (6/99)
  http://www.cs.fsu.edu/~lacher/jobs.html

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on the Cipher web page and e-mail issues, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you).

Members of the IEEE Computer Society may join the TC via an https link. The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: http://computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.
--------- IEEE Computer Society Technical Committee Membership Application ---------

-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------

Last Name                First Name                Middle Initial
___________________________________________________________

Company/Organization
___________________________________________________________

Office Street Address (Please use street addresses over P.O.)
___________________________________________________________

City                                              State
___________________________________________________________

Country                                           Postal Code
___________________________________________________________

Office Phone                                      Fax
___________________________________________________________

Email Address (Internet accessible)
___________________________________________________________

Home Address (optional)
___________________________________________________________

Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________

[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

o Proceedings of the 1998 IEEE CS Symposium on Security and Privacy

  Copies are available directly from the TC on Security and Privacy for $25 per copy. This price includes domestic shipping and handling.
  For overseas delivery:
  -- by surface mail, please add $5 per order (3 volumes or fewer)
  -- by air mail, please add $10 per volume

  If you would like to place an order, please specify
  * how many issues you would like, and
  * where to send them, and
  * the shipping method (air or surface) for overseas orders.

  For mail orders, please send a check in US dollars, payable to the IEEE Symposium on Security and Privacy to:

    Brian J. Loe
    Treasurer, IEEE TC on Security and Privacy
    Secure Computing Corp.
    2675 Long Lake Rd.
    Roseville, MN 55113
    U S A

  For electronic orders, in addition to the information above, please send the following credit card information to loe@securecomputing.com:
  - the name of the cardholder,
  - type of card (VISA, Mastercard, American Express, and Diner's Club are accepted)
  - credit card number, and
  - the expiration date.

  For security, please use the following PGP public key to encrypt any information that you're not comfortable sending as cleartext.

  You may also order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm.

o Proceedings of the Computer Security Foundations Workshops (2 through 11, excluding 4)

  The most recent Computer Security Foundations Workshop (CSFW11) took place the 9th through 11th of June in Rockport, Massachusetts USA. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each. Copies of all earlier proceedings (except the first and fourth) are also available at $10. Checks payable to "Joshua Guttman for CSFW" may be sent to:

    Joshua Guttman, MS A150
    The MITRE Corporation
    202 Burlington Rd.
    Bedford, MA 01730-1420
    USA
    guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
  Charles P. Pfleeger
  Arca Systems, Inc.
  8229 Boone Blvd, Suite 750
  Vienna VA 22182-2623
  (703) 734-5611 (voice)
  (703) 790-0385 (fax)
  c.pfleeger@computer.org

Past Chair:
  Deborah Cooper
  P.O. Box 17753
  Arlington, VA 22216
  (703) 908-9312 (voice and fax)
  d.cooper@computer.org

Vice Chair:
  Thomas A. Berson
  Anagram Laboratories
  P.O. Box 791
  Palo Alto, CA 94301
  (650) 324-0100 (voice)
  berson@anagram.com

Chair, Subcommittee on Academic Affairs:
  Prof. Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department
  Code CS/IC
  Monterey CA 93943-5118
  (408) 656-2461 (voice)
  irvine@cs.nps.navy.mil

Newsletter Co-editors:
  Paul Syverson
  Code 5543
  Naval Research Laboratory
  Washington, DC 20375-5337
  (202) 404-7931 (voice)
  (202) 404-7942 (fax)
  syverson@itd.nrl.navy.mil

  Avi Rubin
  AT&T Labs - Research
  Room B282
  180 Park Ave.
  Florham Park NJ 07932-0971
  (973) 360-8356 (voice)
  (973) 360-8809 (fax)
  rubin@research.att.com

Chair, Subcommittee on Standards:
  David Aucsmith
  Intel Corporation
  JF2-74
  2111 N.E. 25th Ave
  Hillsboro OR 97124
  (503) 264-5562 (voice)
  (503) 264-6225 (fax)
  awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
  Michael Reiter
  AT&T Labs - Research
  Room A269
  180 Park Ave
  Florham Park NJ 07932-0971
  (973) 360-8349 (voice)
  (973) 360-8809 (fax)
  reiter@research.att.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

=========end of Electronic Cipher Issue #30, 18 December 1998============