Subject: Electronic CIPHER, Issue 31, March 15, 1999

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 31                                    March 15, 1999

Paul Syverson, Editor
Bob Bruen, Book Review Editor
Hilarie Orman, Assoc. Editor
Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/

Contents:

o  Letter from the Editor
o  Letter from Deborah Cooper, IEEE/CS Board of Governors

Twentieth Anniversary IEEE Symposium on Security and Privacy Announcement

Security and Privacy News Briefs:
o  LISTWATCH: Items from security-related lists, by Mary Ellen Zurko
   Highlights are from cypherpunks, dcsb, risks, tbtf, privacy, and
   CRYPTO-GRAM.
o  Clinton Administration proposes $1.4 Billion for Computer Security
o  Willis Ware wins IFIP's Kristian Beckman Award

Commentary and Opinion:
Book Reviews by Bob Bruen
o  Internet Besieged: Countering Cyberspace Scofflaws, edited by
   Dorothy Denning and Peter Denning
o  Information Warfare and Security, by Dorothy Denning

Conference Reports:
o  Network and Distributed System Security Symposium, by Tatyana Ryutov
o  2nd Workshop on Research with Security Vulnerability Databases,
   by Mahesh V. Tripunitara
o  Financial Cryptography, by Ryan Lackey, Olin Sibert, and
   Alex van Someren

New Interesting Links on the Web: NSFF
Who's Where: recent address changes
Calls for Papers
Reader's guide to recent security and privacy literature
o  Conference Papers
o  Journal and Newsletter articles
Calendar
List of Computer Security Academic Positions, maintained by Cynthia Irvine
Publications for Sale -- S&P and CSFW proceedings available
TC officers
Information for Subscribers and Contributors

____________________________________________________________________
Letter from the Editor
____________________________________________________________________

Dear Readers,

Well, it's been way too long since the last issue, although with snow
falling outside my window it does not feel all that far from December
here in Washington. We are pleased to bring you another issue of the
Cipher newsletter. This issue features writeups of the ISOC Symposium on
Network and Distributed Security, the Financial Cryptography Conference,
and the Workshop on Research with Security Vulnerability Databases. As
always, if you have attended or will be attending any such conference in
the near future, we urge you to consider contacting us about writing up
the experience for Cipher. We also present our regular features; one
interesting twist: this is an all-Denning issue for the book reviews by
Bob Bruen.

Those of you who receive this by email will have received the program
and call for participation for the twentieth anniversary IEEE Symposium
on Security and Privacy. This promises to be an exciting program, with a
good look at where we've been, where we are, and where we're headed. And
of course, it will feature the usual collection of quality research
paper presentations. This will also be a special Symposium in that it
will be the last in an unbroken line of convenings at the Claremont in
Oakland stretching back to the first one. Get there if you can.
As always, our contributors have made this issue what it is. Thank you.

Paul Syverson
Editor, Cipher

______________________________________________________________________
Letter from Deb Cooper, IEEE CS Board of Governors and Past TCSP Chair
______________________________________________________________________

What's New at the Computer Society

The newest offerings from the Computer Society are MDLS (electronic
access to 17 Digital Library periodicals), IT Pro and on-line access to
IEEE Computer Society conference proceedings. Conference proceedings
(including the 1998 S&P Symposium) are currently available on-line at no
charge to all Computer Society members, and a few proceedings are
available to everyone.
(http://www.computer.org/conferen/proceed/dlproceed.htm)

The premiere issue of IT Pro is currently accessible online to all at
http://computer.org/itpro. If you are not already a Computer Society or
IEEE member, you can get 1999 Computer Society membership and a
subscription to IT Pro at a 30% discount. This offer is not advertised
and you must use a special application form to receive the discounted
rate. Applications can be requested from gcarter@computer.org.
Information about MDLS is available at the Computer Society web site.

A major goal this year is to work on volunteer recruiting and making
volunteerism more rewarding for participants. To this end, I am asking
Cipher readers to send me your thoughts on how the Computer Society can
be more responsive to the needs of our community and what could and
should be improved. I personally would be interested in any ideas for
outreach and student programs.

The TCSP continues to be one of the most successful and dynamic
Technical Committees of the IEEE Computer Society, due to the
contributions of its volunteer members. My thanks to all!

Deborah M. Cooper
IEEE Computer Society Board of Governors, 1998-2000
Past TCSP Chair
d.cooper@computer.org

____________________________________________________________________
Twentieth Anniversary IEEE Symposium on Security and Privacy
____________________________________________________________________

Announcements were mailed to Cipher readers recently. They can also be
found on the Web at:

or in plain text format at:

____________________________________________________________________
SECURITY AND PRIVACY NEWS BRIEFS
____________________________________________________________________

_______________________________________________________________________
LISTWATCH: items from security-related mailing lists (March 11, 1999)
by Mary Ellen Zurko (mzurko@iris.com)
_______________________________________________________________________

This issue's highlights are from cypherpunks, dcsb, risks, tbtf,
privacy, and CRYPTO-GRAM.

Microsoft uses DCE UUIDs to uniquely identify OLE objects. What could be
wrong with an engineering decision like that? It has turned into a major
privacy problem. GUIDs (which is what they're now called by Microsoft)
include the machine's Ethernet address. They're put into Office97
documents, and also reported by the registration wizard that collects
the user's name and other demographic information. So, in theory, any
document created with Microsoft tools can be traced to its creator.
Microsoft's group product manager for Windows said the registration
program shouldn't be sending that information without the user's consent
(why would a user think to not let it send a GUID?), and that Microsoft
technicians would look through the company's databases and expunge
information that had already been collected. Phar Lap Software Inc.
initially reported the problem.

Intel's Pentium III includes a unique serial number that can identify
the processor (and perhaps indirectly the user).
The stated purpose is to help corporations track and manage their PC
inventory, and to provide another level of security for online banking
and e-commerce applications. Conversation on this feature keeps going
on, and on, in part because it neither seems extraordinarily effective
for its stated purpose, nor seems to be something that can be securely
turned off to keep it from doing any ancillary damage. Schneier points
out that because of the untrusted software that runs on the box, "the
only positive usage for processor IDs is the one usage that Intel said
they would not do: stolen processor tracking." Discussion on cypherpunks
pointed out that Ethernet cards and Sun Unix boxes also have serial
numbers that are accessible. There was also a bit of debate about how
much privacy is already lost and how innocuous this feature is. You can
expect to see conversations like this last one for some time to come,
in part inspired by Scott McNealy's (Sun CEO) quote: "You have zero
privacy anyway. Get over it." In another priceless quote, David
Aucsmith, security architect for chip maker Intel, said "This is a new
focus for the security community...The actual user of the PC -- someone
who can do anything they want -- is the enemy." The Intel Developers
Forum he spoke at spawned the rumor that the ID is really there for copy
protection. Intel has announced several changes since some threatened
boycotts, including moving the default to disabling the ID. Major PC
vendors say they will disable the ID in the basic input/output system
(BIOS) software. A quotable quote from Gateway's VP of product
management & planning: "We know that the BIOS mechanism is completely
secure." A cypherpunk pointed out that a trojan could flip the
appropriate bit in CMOS, then cause the PC to reboot to enable it. Zero
Knowledge Systems published an ActiveX program that bypasses Intel's
Pentium Serial Number (PSN) Control Utility. It puts the serial number
in a cookie file even when the Intel utility indicates the ID number is
turned off.

An article on patent problems states that U.S. Patent 5848161 covers the
practice of using encryption functions to hide credit card account
numbers on the Internet.

The White House has a new privacy czar (first chief counselor for
privacy), Peter Swire. He says he's going to review federal,
private-sector and international privacy issues created by new
information technologies.

A British government report has given the IT community 3 weeks to come
up with an alternative to key escrow. The Department of Trade and
Industry's policy had proposed licensing of encryption providers that
would require them to hold copies of users' encryption keys for
law-enforcement access to electronic communications. Interested parties
have indicated the time is too short for meaningful dialog.

In more excitement from the UK, news reports had said that hackers had
seized control of one of Britain's Defense Ministry's military
communications satellites and issued blackmail threats. After a few days
of speculation on the veracity of the report, the Ministry dismissed the
story as "not true". In a humorous aside, someone tried to anonymously
send email to cypherpunks indicating that they had done this sort of
thing before. Unfortunately, they cc'ed the list directly, so it came
with full headers. Anonymity isn't easy.

A sudden (small) spate of announcements came for "infomediaries" who
want to provide privacy by managing customers' personal profiles (I'm
sure it's only my choice of phrasing that makes this sound like "War is
Peace" :-). PersonaXpress by PrivaSeek will provide a free service to
maintain, update, and control the type and amount of personal
information that marketers and advertisers draw from their customers as
they browse the Web. Their profiles will be encrypted and stored in
Persona Vault. Companies accessing the information will be "screened"
then asked to sign a contract "stating that they will adhere to a set of
privacy practices". Another venture, Lumeria, will release an
open-source version of their system so that other infomediaries can
support it. This will also help to build trust, a big issue in this
market-to-be.

On the same theme as infomediaries, "drkoop.com, a leading consumer
healthcare network led by Dr. C. Everett Koop, former U.S. Surgeon
General, announced [2/19] it is developing a Web-based personal medical
record for consumers. The drkoop.com Personal Medical Record (PMR) will
be introduced in the second quarter of 1999 and will be free to all
Americans. It will enable consumers to create a lifelong record of their
health that is secure and private."

Continuing with medical information, somehow private patient information
found its way to the search area of the University of Michigan Health
System. This was reported anonymously to Lauren Weinstein, PRIVACY Forum
Moderator. The data was primarily names, addresses, phone numbers, and
patient IDs (which in this case, and contrary to the norm, were *not*
equivalent to Social Security Numbers). The problem was fixed rapidly
after Lauren reported it. Although the URLs were publicly accessible, U
Mich believes that only an insider could have found them.

From Peter G. Neumann and risks: "Sean Trifero was sentenced to one year
in prison by a U.S. District Judge for intentionally damaging computer
systems (Harvard, Amherst, a Florida ISP, and Alliant Technologies,
including planting sniffers and denial-of-service attacks) and
unauthorizedly accessing others (Arctic Slope Regional Corp. and Barrows
Cable, Alaska), three years subsequent probation, 150 hours of community
service, and $31,650 restitution. [Source: PRNewswire, 23 Feb 1999]"

Discussion of the UPS signature pads that trap your signature while you
write it brought out a story from someone who said that UPS had claimed
a suspect delivery had been made and signed for. When they pushed UPS
and asked for a copy of the signature, they got it. It was the
recipient's name, but it clearly was not in their hand. The theory was
that the delivery person had signed for it.

And now listwatch quotes TBTF reporting on CRYPTO-GRAM (with the URLs to
go straight to the source :-):

  ..The long reach of the NSA

  US spy agency has been reading other nations' cable traffic as if it
  were the morning paper

  Bruce Schneier's CRYPTO-GRAM newsletter [5], always a compelling read
  for those interested in the technicalities or politics of
  cryptography, sends word of one of the great hacks of all time. It
  seems that over 50 years ago the US National Security Agency, in
  cooperation with its German counterpart, compromised CryptoAG, a Swiss
  manufacturer of cipher machines and other cryptographic products. Its
  customers were governments, embassies, military units, even the
  Vatican. The security agencies installed "back doors" in CryptoAG
  products (which reportedly worked by sending secret decoding keys
  along with each encrypted message) and for at least half a century
  have been reading the top-secret documents of 120 of the world's
  governments. Some countries tried to abandon CryptoAG but found their
  options limited -- the US had sometimes required purchase of
  particular machines as a condition for favors. Pakistan was allegedly
  granted American military credits with only one proviso, that it buy
  its encryption equipment from CryptoAG. The full, fascinating story
  ran in Covert Action Quarterly [6].

  [5] http://www.counterpane.com/crypto-gram.html
  [6] http://www.caq.com/CAQ/caq63/caq63madsen.html

RSA opened an Australian office, staffing it with well known SSLeay
developers. "Australia's Defence Department had awarded Security
Dynamics a licence -- thought to be the first of its type in Australia
-- to export uncrackable, commercial versions of SSLeay from the
Brisbane centre, and Security Dynamics would use the office as its
global export centre for SSL technology, bypassing US military bans."

Freedom software was announced by Zero Knowledge Systems. It is based on
a number of Cypherpunks-inspired technologies, including anonymity,
nyms, mixing, and traffic analysis defense.

The shocker back in January was that the French Government abandoned its
effort to control domestic use of encryption. Prime Minister Jospin
announced they would abandon most aspects of the encryption legislation
adopted in 1996. They anticipate proposed legislation allowing complete
freedom in the use of all cryptography, abolishing the requirement to
use trusted third parties, and providing instead increased funding for
the police, combined with enhanced authority to demand plaintext in the
course of an investigation. Recognizing that it would take several
months to modify the legislation, he announced that the level for free
use of encryption inside France would be raised administratively from
the current 40-bit level to 128 bits.

Shortly before that announcement, the NSA banned Furbies from the
offices in case they could record parts of classified conversations.
While there was discussion about whether or not Furbies actually record
any new utterances, no one addressed the potential for covert channels
based on how Furbies might adapt to time at the NSA...

Lonne Allen Jaffe (jaffe@fas.harvard.edu) and others at Harvard
University are working on a research paper on the use of ciphers by
scientists to prove the authenticity of their work from the 16th century
onward. If you have any information on the subject, they'd like to hear
it.
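The GUID privacy problem at the top of this column comes down to the layout of a DCE (now RFC 4122) version-1 UUID: its last 48 bits are the node field, which a conforming generator fills with the machine's IEEE 802 (Ethernet) address, while a generator with no address sets the node's multicast bit and uses random bits instead. The Python script below is an added example, not code from the column or from Microsoft: it scans text for GUIDs and reports the ones that appear to carry a burned-in address (version 1, multicast bit clear), so a document can be checked for this leak before it is shared. The sample text is constructed; its first GUID is the DNS namespace UUID from RFC 4122 Appendix C, and the other two are made-up values.

```python
import re
import uuid

# Textual GUIDs, with or without the braces that COM/Office tooling wraps them in.
GUID_RE = re.compile(
    r"\{?([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\}?"
)

# Constructed sample: a document fragment with three embedded GUIDs.
#  1. RFC 4122's DNS namespace UUID: version 1, node 00:c0:4f:d4:30:c8 (a real MAC).
#  2. A made-up version-1 GUID whose node has the multicast bit set (random node).
#  3. A made-up version-4 (random) GUID, which carries no node at all.
SAMPLE_TEXT = """
guid: {6BA7B810-9DAD-11D1-80B4-00C04FD430C8}
guid: {6BA7B811-9DAD-11D1-80B4-01AABBCCDDEE}
guid: {F47AC10B-58CC-4372-A567-0E02B2C3D479}
"""


def mac_from_node(node: int) -> str:
    """Render the 48-bit node field as a colon-separated MAC string."""
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def analyze_guid(text: str) -> dict:
    """Classify one GUID: its version and whether the node field looks like a
    real IEEE 802 address (version 1 with the multicast bit clear).

    Only RFC 4122-variant GUIDs are classified; uuid.UUID reports version None
    for the NCS and Microsoft reserved variants, so those never count as leaks.
    """
    u = uuid.UUID(text.strip("{}"))
    node = u.node
    # The multicast bit is the least significant bit of the first node octet,
    # i.e. bit 40 of the 48-bit field; RFC 4122 sets it for random node values.
    multicast = bool((node >> 40) & 1)
    return {
        "guid": str(u),
        "version": u.version,
        "node": mac_from_node(node),
        "embeds_hardware_mac": u.version == 1 and not multicast,
    }


def find_leaky_guids(text: str) -> list:
    """Scan text and return the distinct GUIDs that embed a hardware MAC."""
    leaky, seen = [], set()
    for match in GUID_RE.finditer(text):
        guid = match.group(1).lower()
        if guid in seen:
            continue
        seen.add(guid)
        info = analyze_guid(guid)
        if info["embeds_hardware_mac"]:
            leaky.append(info)
    return leaky


if __name__ == "__main__":
    for info in find_leaky_guids(SAMPLE_TEXT):
        print(f"{info['guid']} is a version-1 GUID carrying MAC {info['node']}")
```

Run against a real document dump, only the first kind of GUID is worth worrying about: a version-4 GUID or one with the multicast bit set identifies the document, but not the machine that produced it.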
____________________________________________________________________
Clinton Administration proposes $1.4 Billion for Computer Security
____________________________________________________________________

According to a report in the January 29 issue of Science, as part of its
call for new spending on advanced technology R&D, the Clinton
administration is proposing that $1.464 billion be spent on "critical
infrastructure protection and computer security," an increase of 40%
over what's currently spent in this area. Most of the funding is
earmarked for applied research on computer security through the Defense
Department, but about $3 million would go toward new computer science
scholarships with the goal of creating a "cyber-corps" of electronic
network defenders. Congress is likely to approve or even increase the
proposed funds, according to Rep. Curt Weldon (R-Penn.), who chairs the
House Armed Services Subcommittee on research.

____________________________________________________________________
Willis Ware wins IFIP's Kristian Beckman Award
____________________________________________________________________

The Kristian Beckman Awards Committee of Technical Committee 11 of IFIP,
the International Federation For Information Processing, announced on
March 9 that the 1999 Kristian Beckman Award is awarded to Dr. Willis
Ware of the US. The Kristian Beckman Award was created in honour of
Kristian Beckman, the first Chairman of TC 11. The objective of the
award is to publicly recognise an individual, not a group or
organisation, who has significantly contributed to the development of
information security, especially achievements with an international
perspective.
____________________________________________________________________
COMMENTARY AND OPINION
____________________________________________________________________

____________________________________________________________________
Internet Besieged: Countering Cyberspace Scofflaws
edited by Dorothy Denning and Peter Denning.
ACM Press 1998. 547 pages. Biographies of Contributors. Index.
$34.95. ISBN 0-201-30820-7. LoC HV6773.I57

Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

This is a fairly hefty book with five major sections containing
thirty-four papers by well known members of the security field and a
few others. It is a good collection of papers that should be read by
those interested in the internet and security, but read from the point
of view of history. The majority of the papers have been published in
journals, on the web or given as a speech somewhere, covering the early
to mid part of the 1990s. Some of the papers are good technical
presentations, such as Woo and Lam's Authentication for Distributed
Systems (1992) and Kent's Internet Privacy Enhanced Mail (1993). Others
are detailed explanations on practical matters such as Kim and
Spafford's Tripwire: A Case Study in Integrity Monitoring and Test
Driving SATAN by Doty. Then there are those whose reason for inclusion I
am forced to ponder, like a speech by Janet Reno: Law Enforcement in
Cyberspace address and the two policy statements for acceptable use at
the home universities of the editors. Another excellent group of papers
is represented by Cheswick's An Evening with Berferd (1994), which is
anecdotal in nature, but very instructive.

In general the book is enjoyable, meaningful reading, although given the
title and the tone, I feel the editors are pushing their agenda that the
world is under a threat so great from the net that only more law
enforcement intrusion into our private lives will save us. The editors
have made no secret of their support for key escrow, the clipper chip
and restrictions on the availability of strong crypto to the masses.
There are several papers in the book by the editors covering key
recovery systems, encryption policy, etc. that reflect this point of
view.

Let me offer the editors some advice: The net is the next big step in
human communication capability. Human interaction carries problems that
began at the first meeting of a couple of humans, so the net is no
different in that respect. We are on the verge of a many to many
communication mesh that will involve anyone who wishes to be involved,
where everyone will have the ability to talk, not just those with great
resources. It is one of the greatest mechanisms of freedom and equality
since the creation of democracy. Naturally there will be some serious
bumps in the road because not everyone is a nice person, but trying to
prevent freedom from spreading because of a few pain in the neck hackers
is simply not the right choice. And it will not work anyway.

The five sections of the book are:
  1) The Worldwide Network
  2) Internet Security
  3) Cryptography
  4) Secure Electronic Commerce
  5) Law, Policy, and Education

The first section was mediocre; the second was the best in the book and
also had the most papers (10); the Crypto section had good papers, but
only five, limiting an otherwise interesting section. The commerce
section was satisfactory in size and scope. The last section has eight
papers, little actual content, and is certainly one-sided, however, with
one gem at the very end by Major Gregory White and Captain Gregory
Nordstrom covering a course they teach in hacking/security at the Air
Force Academy (at least in 1996). It would be worth reading/writing a
more detailed account of the course than this short paper provides, as
well as the experience over several years of teaching the course.
There is a definite shortage of security related courses built into
computer science programs of our colleges and universities, making this
one a member of a small, elite group.

Overall, in spite of a few shortcomings, this collection of papers is a
book I can recommend for content, style and educational value. There is
no requirement to agree with the viewpoints of others to appreciate
their contributions to the field. Bringing together this book was one of
those contributions.

____________________________________________________________________
Information Warfare and Security
by Dorothy Denning.
Addison-Wesley. 1999. 522 pages. Bibliography, endnotes and index.
Paper $34.95. ISBN 0-201-43303-6. LoC U163.D46.

Reviewed by Robert Bruen, Cipher Book Review Editor
____________________________________________________________________

Professor Denning's latest contribution to the world of security and
privacy is the best resource book on information warfare available.
While it is difficult to say that any book is exhaustive on such a
topic, the work is extensive. The amount of research and preparation
shows through in this well organized book. She has brought much more
than the usual hacker stories with a successful attempt to offer a
theoretical basis for information warfare. The three main divisions are
the Introduction, Offensive Information Warfare and Defensive
Information Warfare. The introduction is only three chapters starting
with the Gulf War, but they give us insights and background for the
remainder of the book, which starts with the Gulf War.

The theoretical approach for many readers places such a book in the
academic environment, but it also gives credibility to an idea that
often sounds like Hollywood's idea of the Y2K problem. From the media
accounts of 16 year old hackers to serious wartime decoding of enemy
battle plans may seem to be a bit of a stretch until one associates the
underlying foundations of manipulating the bits with each activity. The
difference is only that of extent, not a difference in kind. One analogy
would be the difference between a child accidentally killing someone
while playing with a handgun and soldiers shooting each other on a
battlefield. Electrons have been added to the arsenal available to
everyone. We need to better understand the impact on humanity because it
is sizable.

The intrusiveness of the new use of electrons appears in pranks, crime,
international relations, warfare, finance and the telephones, just to
name a few areas. Underneath it all, the effects are felt in anything
related to information/knowledge: its creation, storage, modification
and communication. This goes to the heart of much of the social
interaction of people. You do not need to be the head of an army to
require important information. A medical emergency makes a phone number
a life and death bit of information for those involved.

The net continues to expand daily and will most likely continue to
expand until every inch of the planet and nearby planets will be
reachable. More and more people are gaining access. These people are not
the techies of the 70s and 80s. They are pretty much part of the general
population who bring with them all the things that the general
population thinks about, except now they have a very powerful means of
communicating that was not available. The growth of hackers and crackers
is one sign of this, but the use of electrons in physical warfare is
another, as is the growth of the surveillance society. Everyone got a
video camera in the 90s; now everyone will get a PC with a net
connection for the new millennium.

The section on offensive information warfare presents the important area
of perception management as practiced by the military in war, the media
in business and the government in political activities. Perception
management takes on a new level of importance in our times because of
the new availability of hard to understand technical information and the
extensive quantity of this and other information. Those who do not or
can not deal with large volumes of information will be subject to
misinformation at the click of a mouse. We have already seen its early
stages with the president's impeachment trial. The problem will only
increase in severity over time.

In a far reaching sweep of the issues, topics covered include technical
information from traffic analysis and cryptography to national security
and politics. Another example, identity theft, is something each of us
ought to take seriously along with anonymity. A widespread reading of
Information Warfare and Security followed by broad based discussions
would be helpful to all of us. We should think about the need to educate
as many of our fellow citizens as possible before control is lost due to
ignorance. The book is organized such that it can be used as a textbook
for a college course, a reference book or one that is just good reading.
Highly recommended.

______________________________________________________________________
Conference Reports
______________________________________________________________________

______________________________________________________________________
Network and Distributed System Security Symposium (NDSS '99)
San Diego, California
February 03 - February 05, 1999.
by Tatyana Ryutov (tryutov@isi.edu)
______________________________________________________________________

[Another writeup of this symposium by Mahesh Tripunitara can be found on
the Web at (html version) (text version) -Paul]

The Network and Distributed System Security Symposium was held in San
Diego, California, from February 03 - February 05, 1999. The goal of the
symposium was to provide a highly interactive and supportive forum for
new research in Internet security. The symposium home page is
http://info.isoc.org/ndss99.
There were over 200 participants representing 18 countries from business, academia, and government with interests in cryptology and computer security. My apologies in advance for not knowing the names of some attendees who I quote below. I missed the first session and parts of some other sessions, so I was not able to describe questions and responses from the audience for the first session and part of what was said in some panel discussions. The first session was "USER AUTHENTICATION AND PUBLIC KEY CRYPTOGRAPHY," run by Jonathan Trostle (Cisco Systems). The first paper was "Secure Password-Based Protocol for Downloading a Private Key" by Radia Perlman (Sun Microsystems Laboratories, United States) and Charlie Kaufman (Iris Associates, United States). The goal of the proposed protocols is to securely download user's environment from the network given only user name and password. These protocols are variants of EKE and SPEKE modified to provide better performance. Additional advantages are resistance to denial of service attacks, stateless servers, and ability to use salt. The related protocols providing similar capabilities were discussed. Some protocols require knowledge of sensitive information (server public key), other protocols were excessively strong for the defined goal, they require more messages or more computation. The next paper was "A Real-World Analysis of Kerberos Password Security" by Thomas Wu (Stanford University, United States). This paper discusses well-known Kerberos vulnerability to off-line dictionary attacks, providing and analyzing the results of an experiment using Internet password cracking package. The input dictionary included precompiled word list, user-specific information and transformations that users often do when selecting passwords, e.g. adding digits as prefixes and suffixes and capitalizing letters. Over 2000 passwords (from a Kerberos realm containing over 25 000 user accounts) were guessed. 
Analysis of the successfully guessed passwords provides interesting insights into the ways users select their passwords. The author recommended using preauthentication combined with secure remote password protocol (e.g. SRP, SPEKE) and light password strength-checking to protect authentication system from dictionary attacks, rather then requiring enforcement of a harder passwords administrative policy. The first session ended with "Secure Remote Access to an Internal Web Server" by Christian Gilmore, David Kormann, and Aviel D. Rubin (AT&T Labs Research, United States). One goal is to allow access to the internal web server from outside of the firewall without any modification to the internal infrastructure (firewall and internal web server). Another goal is to make the web browsing session to appear the same when users are connecting from behind the firewall. The first goal is achieved using strong authentication based on one-time password scheme on top of SSL. The firewall prohibits initiating connections from outside, so outside connections are handled by a proxy server, which has one component operating behind the firewall and the other one on the outside. The inside component maintains a control connection to the external one. It is used to receive browser requests from outside and forward them to the internal web server. The second goal is addressed by rewriting URLs. New URLs are constructed from the original ones and include some security information. Some limitations of the presented system were pointed out: when URLs (pointing behind the firewall) are dynamically generated by scripts, there is no way to parse and therefore rewrite them which leads to the failure of the request. A panel (session 2), "SECURITY AND THE USER", was moderated by Win Treese (Open Market, Inc., United States). Mary Ellen Zurko (Iris Associates, United States), in her talk "User-centered Security" discussed two approaches to a system design: user-centered and traditional one. 
She pointed out the conflict between them and suggested some ways to deal with it. First, Mary gave the user-centered perspective, stating that the user should be in control of the system and the system should provide a clear interface and correct information; if there is a problem with the use of the system, it is the system's fault, not the user's. Then she presented the traditional information security perspective, the main purpose of which is protection of the organization's resources. Cooperation of administrators, programmers and users is required, and if there is an error, the system is not always the only one to blame. To cope with this conflict a user-centered approach to security is required: including the user in the model of the security system and applying good software engineering techniques (designing an easy, understandable user interface and performing usability tests on security software).

Mark Ackerman (University of California at Irvine, United States) presented the talk "Usability and Security". Mark discussed usability and its main aspects: social, historical and physical. He tackled the issues of human factors and human-computer interaction.

The following report was kindly given to me by Dr. Peter Neumann (SRI, United States). I am citing it without any modifications.

"Peter Neumann (who went last) noted a possible connection between NDSS and the butterfly theme of Hans's luau: Franz Kafka (Metamorphosis). Security is still in the larval stage, and solutions when they emerge tend to be short-lived. Network and distributed system security is certainly a Kafka-esque nightmare, having metamorphosed into a gigantic army of bugs. PGN stressed the importance of broadening our narrow concerns about security to include reliability and system survivability in the face of various adversities. By addressing the more general problem, we can come up with better solutions. Perhaps most significant, he emphasized the importance of good software engineering practice.
(Mary Ellen Zurko later noted the repeated occurrences of buffer overflows over the past many years, as an example of why good software engineering is so important.) PGN considered the fact that system users (e.g., airplane pilots) are often blamed for disasters that were in part attributable to bad system design and bad interface design -- and gave several illustrations. For example, see his Website (http://www.csl.sri.com/~neumann). He observed that system/network admins are also users, and that they are also victimized. He stressed the importance of better user authentication -- going beyond fixed reusable passwords -- and the need for people-tolerant systems. "Fool-proof" is a bad metaphor, because the experts can also mess up. PGN discussed the importance of open-source software as an alternative to bloatware systems with incredibly complicated user interfaces, along with the need to make open-source systems significantly more robust. One of the biggest impediments to security created by closed-source proprietary systems is that intrinsically lousy security cannot be openly assessed and cannot be easily improved by admins and users."

The question and answer session touched on the analogy between a cryptographic key and a regular key, and between a digital signature and a handwritten one. These notions are very different; how far will the analogy go? What are the aspects of usability to users? Some were concerned with the risk of bringing physical-world experiences into the Internet world. Someone noted that the analogy is good. Another replied, "I do know what is going to happen in the physical world with my key; however, I do not know much about my software key: what system is it going to go to?" Some expressed a pessimistic view: the user is at risk no matter what he does, because the system itself is not secure: servers, web interfaces and the OS are insecure. Alfred Osborne asked about real solutions for the users. The answer was: there are no total solutions.
Partial solutions include increasing the robustness of the system, ensuring a trustworthy software distribution path (authentication, versioning), and an emphasis on the "open design" versus "hide everything" approach: hide only implementation details and leave everything else open.

A participant raised the issue of education of users. There are two steps in getting familiar with a product: (1) the product itself and (2) its security issues. An audience member asked whether a national education standard should be established that includes security as a required course. One opinion was: security, reliability and good software design should be widely taught. Another opinion was: security must be embedded throughout the entire curriculum, not taught separately. A participant pointed out that security education of users, or even developers, will never be established. Another participant objected that he had probably forgotten that he was taught some basic security in elementary school. Another remark: people do not forget to lock their doors, they forget to upgrade their doors (or keys).

One questioner asked: whom to blame if something goes wrong? There was a variety of answers, including:
- everybody except me
- blame the one who can fix it, even though it's not his fault
- the user is not the one to blame; the fault results from a concatenation of different things
- the system should be "people proof" (fool proof and expert proof) and user friendly

Someone observed that network security has some particular characteristics: a robber who breaks into your house will not take everything from your home at once, whereas on the Internet all your stuff is gone immediately and it is all over the Internet. Someone asked about liability: to what extent can it be adopted? To what degree should insurance be entering the Internet world? One opinion was: there is a beginning of this. It is not good for insurance; it is leverage for system developers.
One participant joked, "if the software fails we will give you another copy of the software". Another participant noted that insurance of software is not doable because faults are often the result of human behavior; it is a human problem. How can we educate users? Someone suggested certifying users :) In conclusion, there was a question about what we should do when we return to our work:
- use a language without buffer overflows
- a good toolkit
- a good attitude toward the authentication problem

The third session, "CRYPTOGRAPHIC PROTOCOLS", was hosted by David Balenson (TIS Labs at Network Associates, United States). The session began with the paper "Experimenting with Shared Generation of RSA Keys" by Michael Malkin, Thomas Wu, and Dan Boneh (Stanford University, United States). The goal of the paper was to investigate practical aspects of distributed shared RSA key generation. This method does not require the involvement of a trusted dealer (who introduces a single point of attack). In this scheme K servers generate a modulus N=pq and exponents e and d, where e is public and d is private. The private key d is shared among the K servers. The K servers perform a private distributed computation to make sure N is the product of two primes, yet none of the servers knows the factorization. The key d is never reconstructed at a single location and can be shared in a way that allows "t out of k" threshold signature generation. This is useful for fault tolerance, allowing the servers to issue certificates without reconstructing the key d. One of the practical drawbacks of this distributed key generation scheme is that it takes more iterations: the worst-case run time estimate for the algorithm for finding a suitable N is O(n^2) (compared to O(2n) for single-user generation). The author presented practical optimizations based on distributed sieving and multithreading of key generation.
He presented reasonable experimental key generation time measurements: 91 seconds for a 1024-bit shared RSA key (three 333 MHz PCs, 10 Mbps Ethernet); 6 minutes across a wide area network. Steve Kent asked whether, if more than n/2 of the participating parties are bad guys, they would be able to obtain sensitive information. The answer was: the algorithm is secure if more than n/2 of the participants generate the key properly. Someone asked: the communication is based on SSL, which means unicast; what are the performance implications of having no broadcast? The reply was: with large numbers of servers performance degrades; it works better with a smaller number of parties.

The next paper was "Addressing the Problem of Undetected Signature Key Compromise" by Paul C. van Oorschot (Entrust Technologies, Canada) and Mike Just (Carleton University, Canada). Mike Just presented. The purpose of the paper was to study undetected key compromise, motivate others to consider this problem, and provide solutions for detecting a compromise and preventing forged signature acceptance. The key idea is a second level of authentication, in which a trusted register returns a signature over the signed message to the originator of the message. This allows the recipient of the signed message to make sure that the message was signed by the legitimate party, thus making possession of the signature key by an attacker insufficient for forging a signature. The main distinction of the proposed scheme is that two independent secrets are maintained by the signing user: one for the original signature and one for the secondary authentication. This provides a second level of protection as well as increasing the likelihood of compromise detection. Detection is based on a time-dependent counter, which allows a lack of synchronization between the signer and the trusted register to be detected.
Preventing acceptance of bogus signatures is achieved by introducing a "cooling off" period: signed messages are not accepted until this period has expired. This technique supports non-repudiation, since bogus messages would have been detected by the legitimate users and must have been reported. One drawback of the presented scheme is the requirement of an on-line trusted third party. Mike noted that this is applicable to high-value automated transactions. One participant asked: how do I know when the key has expired and I should not use it any more, or if someone else has started using it?

Next was an interesting paper, "Practical Approach to Anonymity in Large Scale Electronic Voting Schemes" by Andreu Riera and Joan Borrell (Universitat Autonoma de Barcelona, Spain). Andreu Riera presented. Their work considered how to implement a realistic large-scale voting system. Their scheme is based on the cooperation of multiple hierarchically arranged electoral authorities. The advantages of this scheme are a single non-anonymous voting session (a widely accepted solution is based on two sessions, an anonymous and a non-anonymous one) and no requirement for external mixes. Anonymity is provided by shuffling ballot boxes a number of times. There are restrictions to this approach: the proposed scheme can model all commonly accepted security requirements except uncoercibility (the inability of voters to prove which way they voted), which requires hardware components to be added to the scheme. A participant asked if the scheme was implemented. Andreu replied that they are working on the protocol. Someone asked: authentication of the voter is required, so how is privacy maintained? Andreu explained that authentication of the voter's private key is required; to assure privacy the blind signature mechanism is used. One questioner pointed out that in commercial voting systems all software is proprietary and they do not allow looking at the code, therefore there are many ways to subvert an election, e.g.
by means of covert channels. Another question was: is this complexity practical for a real system? Andreu: complexity is inevitable. A member of the audience asked if it is possible to detect who voted twice. Andreu: yes. Another question was about the association between a voter and his vote. Andreu pointed out that it was not possible to detect the association between a voter and his vote.

The last session of the day was a panel, "SECURING THE INTERNET'S EXTERIOR ROUTING INFRASTRUCTURE", hosted by Sue Hares (Merit, United States). Sandra Murphy (TIS Labs at Network Associates, United States) was the first panelist. Sorry, I missed this one.

Curtis Villamizer (ANS Communications, United States) talked about improving Internet routing robustness. Curtis pointed out that incorrect routing, either malicious or unintended, can cause traffic misrouting and routing-related outages. Routing attacks do not occur because of their small impact (short-term denial of service) and the high risk of being caught (many sites log routing activity). Curtis discussed the authentication schemes in use:
- IGP protocols use peer-to-peer MD5 or password-based authentication
- IBGP protocols use MD5 or TCP/MD5 authentication
- some EBGP peers use peer-to-peer TCP/MD5
He discussed the following approaches to improve external routing robustness:
- information storage (DNS, IRR)
- authorization
- verification of route announcements (sanity filters applied to EBGP peers, signatures on route origin, signatures at each BGP exchange)
At the end of his talk, Curtis discussed signature approaches: origin and full path. Signatures vs. filtering: signatures offer a security advantage over filtering, while filters offer better scalability. Use of either one will improve routing robustness. Someone mentioned replay attacks. Curtis: time stamps can be incorporated in signatures, but this is a fundamental change. The next question was whether the registry was implemented. Curtis: it's already happened.
The third panelist, Tony Li (Juniper Networks, Inc., United States), talked about BGP origin authentication. He identified the following problems:
- malicious or erroneous injection of prefixes by Autonomous Systems
- denial of service attacks
- masquerading as another AS
- tampering with advertisements
He noted that the emphasis of this work was on finding practical solutions. Tony outlined the approach:
1) encode prefixes in DNS (the hard part); he presented different encoding rules
2) use DNSSEC to provide authentication
3) have BGP look up each prefix in DNS (for performance, BGP speakers can cache the relevant RRs, and the cache can persist across reboots)
If there is a matching AS RR and the origin authenticates, the authenticated path is preferred over an unauthenticated one, even when the authenticated path is less specific. Only the authenticated path is announced. Authentication expiration is checked. If there is no authentication information, unauthenticated paths are still usable. If there is a matching AS RR and the origin does not authenticate: select a different path, and if the path was already advertised, withdraw it.

The last panelist was Charles Lynn (BBN Technologies, United States). He talked about the Secure Border Gateway Protocol. First he outlined the goals: overcome current BGP limitations and design a dynamic, scalable and deployable protocol. Advantages of S-BGP are authentication of participating entities (prefix owners, AS number owners and AS administrators participate) and authorization of an AS for prefix advertisement and use of a route. The design is based on:
1) IPsec to provide authentication, integrity and protection against replay attacks
2) PKI to support secure identification of BGP speakers, owners of ASes and owners of address blocks
3) Attestations:
- Address attestations validate that a destination address was originated by an authorized AS.
- Route attestations validate that an AS is authorized to use an AS path.
4) Certificates and attestations are used for validation of UPDATEs
5) Each UPDATE includes one or more address attestations and a set of route attestations.
Charles presented the address, AS and router certificate formats and the encoding of the attestations. Performance issues were discussed and optimizations were considered: caching validated routes, background validation of alternate routes, keeping only the necessary certificate fields in S-BGP databases, and offloading generation/signing of route attestations. Charles concluded that prototype development is in progress. The talk was quite long and no time was left for questions.

The fifth session, "POLICY AND TRUST MANAGEMENT", which opened the next day, was run by Warwick Ford (Verisign, United States). The first paper was "Distributed Policy Management for Java 1.2" by Pekka Nikander and Jonna Partanen (Helsinki University of Technology, Finland). Jonna presented. The main idea is to use SPKI certificates to achieve better scalability and dynamic access control management, as an alternative to static local permission configuration. Certificates are attached to protection domains, as well as retrieved from a distributed certificate repository. The improvements include the ability to dynamically extend granted permissions and to introduce new permission types, which may be dynamically derived from SPKI certificates as needed. Jonna presented the security architecture of JDK 1.2. She pointed out its drawbacks: permissions associated with a domain must be defined prior to loading the classes, and the assignment of protection domains to classes is rigid. She pointed out that this was the default implementation, not the proposed architecture. The prototype implementation was discussed. Mary Zurko asked if the system was implemented. Jonna: not finished yet. Steve Kent asked about the certificate revocation problem. Jonna: on-line validity tests, CRLs; not finished yet. A participant asked if everyone was allowed to put certificates in DNS.
Jonna: it can be implemented so that you put them on your local DNS and do not show them to anyone, to ensure privacy. Another question was: which chain of certificates do you select? Jonna: we have to find a valid chain; our chains are short. Someone asked if there was a way to establish one-time certificates. Jonna: certificates are meant to be used many times; compromised certificates are revoked.

The next paper was "Distributed Execution with Remote Audit" by Fabian Monrose (New York University, United States), Peter Wyckoff (New York University, United States), and Aviel Rubin (AT&T Labs Research, United States). Fabian Monrose presented. This work was concerned with misbehavior of the hosts participating in coarse-grained parallel computations in metacomputing environments. He presented the design and a Java-specific implementation of an audit mechanism to detect such misbehavior. The technique is based on transforming a task into checkable units; for a host to cheat it must corrupt at least one of the units, which is more difficult than corrupting an entire computation by returning an error. The limitation is that the proposed scheme detects with high probability the misbehavior of only cheating hosts (ones that try to minimize resource expenditures). This is done by means of a proof of execution, which is sent by the participating hosts to the verifier; the verifier checks the proof to determine if the component was correctly executed. Hosts that are trying to subvert the computation are not caught. The technique is based on the assumption that the task can be transformed into checkable units that have similar execution times, which is not always feasible; this requirement limits the set of applications that may benefit from it. A participant asked if the system can be extended to do audits if the machines do not do what they are supposed to do. Fabian replied that there was a particular environment that could support it. Another one asked if workers can trust the manager.
Fabian noted that workers are being paid for the performed computation, therefore they have to have some trust.

The next paper, "An Algebra for Assessing Trust in Certification Chains" by Audun Josang (Telenor R&D, Norway), ended the session. Audun Josang presented an interesting work on an algebra for determining trust in certificate chains. It is based on subjective logic, which defines logical operations (with some untraditional "recommendation" and "consensus" operators) for manipulating opinions. An opinion is defined as a triplet consisting of belief, disbelief and uncertainty components. The motivation behind such metrics is the belief that trust is not binary. Certificates are accompanied by opinions about key authenticity and recommendation trustworthiness. Authenticity of a public key is based on finding two valid chains: a certificate chain and a recommendation chain. To avoid undesirable dependencies, the algebra requires recommendations to be based on first-hand evidence only. This simplifies the problem of certificate revocation, since the recommender has information about every recipient and is therefore able to inform them about a revoked certificate. The notorious VCR programming problem was brought up: how easy will it be for end users to make use of this approach? Audun agreed that it is not easy; there is no easy way to express uncertainty. Another question was: second-hand trust is a useful intuition, why prohibit it? Audun pointed out that the restriction to first-hand trust only enforces certain ways of establishing certification paths.

The next (sixth) session was a panel, "A NETWORK SECURITY RESEARCH AGENDA", run by Fred Schneider (Cornell University, United States). Steven M. Bellovin (AT&T Labs-Research, United States) began his talk by defining the problems that need to be solved.
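Returning to Josang's trust algebra above: as an added illustration that is not from the paper or from this report, the following Python block implements the recommendation (discounting) and consensus operators on (belief, disbelief, uncertainty) opinions and combines two recommendation chains for the same key. The operator definitions are the standard subjective-logic ones as I recall them from Josang's work, and the opinion values are constructed, so both are assumptions here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Opinion:
    """Subjective-logic opinion: belief b, disbelief d, uncertainty u, with b + d + u = 1."""
    b: float
    d: float
    u: float

    def __post_init__(self):
        for v in (self.b, self.d, self.u):
            if not 0.0 <= v <= 1.0:
                raise ValueError("opinion components must lie in [0, 1]")
        if abs(self.b + self.d + self.u - 1.0) > 1e-9:
            raise ValueError("b + d + u must equal 1")


def recommend(trust_in_recommender: Opinion, recommended: Opinion) -> Opinion:
    """Recommendation (discounting) operator, as recalled from subjective logic.

    A's opinion about B *as a recommender* scales B's opinion about x; B's own
    disbelief and uncertainty about x, plus A's doubt about B, all end up as
    uncertainty: A cannot learn more from B than A's belief in B allows."""
    r, o = trust_in_recommender, recommended
    return Opinion(b=r.b * o.b, d=r.b * o.d, u=r.d + r.u + r.b * o.u)


def consensus(a: Opinion, b: Opinion) -> Opinion:
    """Consensus operator (assumed definition): fuse two independent opinions about
    the same statement. Agreement between them lowers the combined uncertainty."""
    kappa = a.u + b.u - a.u * b.u
    if kappa == 0.0:
        # Two dogmatic opinions (u = 0 on both sides) have no defined consensus here.
        raise ValueError("consensus of two dogmatic opinions is undefined")
    return Opinion(b=(a.b * b.u + b.b * a.u) / kappa,
                   d=(a.d * b.u + b.d * a.u) / kappa,
                   u=(a.u * b.u) / kappa)


def chain_opinion(links):
    """Discount a recommendation chain link by link, right to left. The last element
    is the final recommender's first-hand opinion about key authenticity; every
    earlier element is the previous party's first-hand trust in the next recommender,
    matching the paper's rule that only first-hand evidence enters the chain."""
    result = links[-1]
    for link in reversed(links[:-1]):
        result = recommend(link, result)
    return result


def assess_example() -> Opinion:
    """Constructed scenario: Alice wants to know whether key x is authentic and
    holds two independent recommendation chains for it (all values made up)."""
    alice_bob = Opinion(0.9, 0.0, 0.1)     # Alice's first-hand trust in Bob as recommender
    bob_key = Opinion(0.8, 0.1, 0.1)       # Bob's first-hand opinion that x is authentic
    alice_carol = Opinion(0.6, 0.2, 0.2)   # Alice trusts Carol less
    carol_key = Opinion(0.9, 0.0, 0.1)     # but Carol is confident about x
    via_bob = chain_opinion([alice_bob, bob_key])        # (0.72, 0.09, 0.19)
    via_carol = chain_opinion([alice_carol, carol_key])  # (0.54, 0.00, 0.46)
    return consensus(via_bob, via_carol)                 # ≈ (0.771, 0.074, 0.155)


if __name__ == "__main__":
    print(assess_example())
```

A recommender Alice is wholly uncertain about contributes nothing: recommend(Opinion(0, 0, 1), anything) is (0, 0, 1), which is the reason a chain cannot be "laundered" through an unknown party.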
First, Steven described cryptography issues, such as: the need for higher speed for public key algorithms; the PKI scaling problem and revocation of expired certificates; no one checks certificates; cryptography makes many things harder, e.g. compression, network management tools, QoS techniques. Next Steven touched on buggy software problems (the notorious buffer overflows), routing attacks and environmental problems (operational errors often translate into security problems). At the end of his talk Steven outlined the challenges: learn how to use cryptography and write correct code; secure the routing infrastructure; and make systems powerful but easy to use. The next two panel talks were by Steve T. Kent (BBN Technologies/GTE Internetworking, United States) and Roger Needham (Microsoft, United States); sorry, I did not get these two.

Hilarie K. Orman (DARPA, United States) presented her talk "Perspectives on Progress and Directions for Network Security Research". First, Hilarie outlined the progress network security has made: commercial IPSEC, widespread SSL, PGP in products, secure key exchange standards (IEEE, ANSI, ATM, IETF). Then she discussed government concerns (manageable security, flexible policy, risk assessment), industry concerns (performance impacts of security, end-to-end confidentiality clashes with network management, preservation of intellectual property) and new network security concerns (impact of embedded devices on the Internet, reliability of the data received from sensing devices with wireless communication, access control and authorization issues).
In conclusion, she gave an overview of security research directions: secure group communication and management, secure multicast routing, mapping policy to mechanism across organizations, high-speed networks, cryptography in the optical domain, practical mobile security, integrity of autonomous devices, strong availability guarantees, a scientific/engineering basis for risk assessment, strong redundancy guarantees and monitors, smart attack/corruption detection, and adaptive and automated response. Questions for the panel were: is there research on legislation? Why would the American data collection model not work in Europe? There was some discussion on legislation. In Europe, an agency collecting private data has to (1) notify everyone that it is collecting data, (2) state what it is collecting the data for, and (3) report how the data was used. In America, private data (e.g. customer e-mail) can be sold to someone else without asking or notifying the customer. Another question was: "Is it possible to reduce complexity to afford what we are implementing?" The answer was: "The problem is complex; this underlying complexity does not lead to a simple solution".

The seventh session was "NETWORK INFRASTRUCTURE PROTECTION", hosted by Christoph Schuba (Sun Microsystems, United States). The first paper was "PGRIP: PNNI Global Routing Infrastructure Protection" by Sabrina De Capitani di Vimercati (Universita di Milano, Italy), Patrick Lincoln (SRI International, United States), Livio Ricciulli (SRI International, United States), and Pierangela Samarati (SRI International, United States). Patrick Lincoln presented. The paper was concerned with protecting the routing infrastructure from malicious and unintentional faults by (1) replicating network processing and communication resources and (2) using Byzantine fault tolerant protocols to identify failures. The routing protocols operate in the clear; once a failure is detected, security-enhanced protocols are invoked to fix the problem.
Thus the approach relies on cryptography only when absolutely necessary, treating the common case more efficiently. PNNI uses a hierarchical organization: nodes are grouped, and each group has a leader; the group leaders themselves are grouped at a higher level of the hierarchy. Only a subset of nodes, including a group leader in each peer group, is equipped with PGRIP. These PGRIP-enhanced nodes detect integrity compromises by evaluating changes to the local databases and resolve anomalies. Someone made an observation: if cryptography is optional then you do not know who you are talking to.

The next paper was "Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks" by Ari Juels and John Brainard (RSA Laboratories, United States). Ari Juels presented. This was a very entertaining presentation. The idea is: in the absence of an attack the server accepts requests indiscriminately. When a connection depletion attack is suspected, the server starts accepting connection requests selectively. Each client wishing to get service is given a unique puzzle, a cryptographic problem, which must be solved by the client in order to get the requested resources. A client puzzle incorporates the time of the request, a server secret and client request information. The server operates in a stateless fashion: it checks the correctness of the solution, checks that the puzzle has not expired and makes sure that an attacker cannot use the same solution for multiple allocations. The idea is "nothing comes for free": an attacker has to have large computational resources to mount an attack. The protocol is very flexible: the hardness of the puzzles can depend on the severity of the attack. The proposed protocol can be used to defend protocols such as TCP and SSL against connection depletion attacks. A disadvantage is that the client has to have software for solving the puzzles. He noted that having the server make use of the results of the puzzles would be an interesting research topic.
Someone asked if the server had to maintain state and remember puzzles. Ari: no, the server just checks if the pre-image is equal to the answer. Someone else raised the point that an attacker can mount slowing-down attacks, causing frustration for legitimate users. Ari: graceful degradation: the stronger the attack, the harder the puzzles. Another question was whether the puzzles were cryptographically protected: how can one distinguish between a legitimately generated puzzle and a modified one? Ari: this issue was not dealt with in the paper.

The last (eighth) session was a panel, "IPSEC: FRIEND OR FOE", held by Dan Nessett (3Com Corporation, United States). Rodney Thayer (EIS Corporation, United States) presented the talk "Benefits of IPsec". IPsec was developed by IETF working groups whose members come from different backgrounds. It is based on modern technology. It provides platform and algorithm independence (cryptographic algorithms can be easily added and deleted). It is transparent to applications, with different privacy and authentication options. IPsec is implemented at the network layer, which provides protection against network layer attacks; all necessary IP packets are protected, and it allows deployment in gateways, which in turn can provide scaled management of security. It allows network-wide security parameters.

Bob Braden (USC/ISI, United States), who is only a simulated foe of IPsec, presented the talk "Arguments Against IPsec".
1) Operation of IPsec at the network layer harms many things: when used for encryption, IPsec hides the transport layer, which is bad for network management (traffic flow and per-port usage information) and TCP performance enhancements (e.g. ACK snooping and ACK pacing). When used for integrity, it prevents legitimate and useful rewriting of protocol headers.
2) IPsec makes network security difficult: intrusion detection is more limited; the CPU cost of IPsec cryptography makes DoS attacks much easier.
3) IPsec adds complexity at the IP protocol level.
4) Application-level security optimization: along with its good side (a common IPsec service) there is a downside: one cannot optimize for application requirements.
5) The decision to require IPsec in IPv6 may delay deployment of IPv6.
Conclusion: we don't have enough experience with IPsec to say whether it's good or bad.

Steve Bellovin (AT&T Labs Research, United States) gave an overview of the proposed transport-friendly ESP principles, such as including the protocol number in the clear, specifying the size of the unencrypted leading portion, and adding padding for boundary alignment and cipher block size matching. He discussed the suggested alternatives, SSL and SSL plus AH. The first will require changes in each application, is vulnerable to active DoS attacks and does not handle UDP. Adding AH will only improve the DoS vulnerability, leaving the other two problems.

A participant expressed concern about possible configuration difficulties. The reply was: there are only 3 choices: (1) expose everything, (2) expose nothing, (3) something intermediate. A participant asked if we can fix the existing architecture. Someone replied: we should make the administrative domain a part of the architecture.
Steve Bellovin: technology has changed, therefore design the Internet differently.
Bob Braden: the client has changed; commercialization of the Internet.
Rodney Thayer: the paradigm itself is changing.
Someone asked about the impact of IPsec on network speed and processing time per packet. Steve Bellovin answered: there is progress in this field; some day they will put it on chips. Another question was: IPsec is required for IPv6, will it be required for IPv4? Answer: NO!!! Someone asked about multicast. Answer: we do not know how to do key management for multicast.

______________________________________________________________________
2nd Workshop on Research with Security Vulnerability Databases
Purdue University, Lafayette, Indiana
January 21 and 22, 1999
by Mahesh V.
Tripunitara (mahesh@ipo.att.com)
AT&T Labs and CERIAS, Purdue University
______________________________________________________________________

Introduction

On January 21 and 22, 1999, the Center for Research and Education in Information Assurance and Security (CERIAS) conducted the 2nd Workshop on Research with Security Vulnerability Databases. This report summarizes the happenings from the workshop. A security vulnerability, or simply a vulnerability, in a system is a characteristic that renders it susceptible to a security compromise. A security vulnerability database catalogues details on such vulnerabilities so that analysis, taxonomy and classification of those vulnerabilities is facilitated. Recently, Ivan Krsul completed his PhD dissertation at Purdue University, titled "Software Vulnerability Analysis", which discusses how to build and use such databases effectively. The workshop was a follow-up to the 1st workshop, which was held in conjunction with NIST in 1996, and to the dissertation work by Ivan.

About 100 people from about 50 organizations attended the workshop. The organizations represented included governmental institutions, such as NIST and NSA, commercial organizations, such as IBM, Cisco and Secure Computing, and educational institutions, such as Iowa State University. The workshop was split into two days. The first day consisted mostly of the presentation of eight papers and a demonstration of the vulnerability database from the Computer Operations Audit and Security Technology (COAST) lab. The eight papers were chosen from submissions of extended abstracts and full papers by a program committee. The papers are available in the proceedings published for the workshop. Ivan Krsul's PhD dissertation is also part of the proceedings. Ivan also submitted a note titled "Experiences in the Development of the COAST Vulnerability Database" to the workshop.

Thursday

In his welcoming remarks, Prof.
Gene Spafford, the Director of CERIAS, spoke about the need to follow up on the important initiatives in the area of vulnerability databases. He indicated that the need for such databases is widespread, and effective use of such databases will revolutionize software engineering. He spoke about the motivation behind the workshop: to bring about a confluence of those that saw the pressing need to establish standards on this front, and establish such databases. The first talk was based on a paper by Dave Bailey, Fred Smith and Bob Abbott, who represent over 100 years of combined information security experience. Their paper is titled "Vulnerability Data: the Case for Sharing." They made the case for sharing of such data by pointing out the benefits from such sharing and the dangers from not sharing. The benefits from sharing are that security flaws, that seem to reappear every few years, can be eliminated, and that software development can be made more rapid by analysis of such flaws. They also discussed the Year 2000 problem as an instantiation of such a flaw and used it as an example to indicate the potential legal issues arising from such security flaws. The second presentation was based on a paper titled "VulDa: A Vulnerability Database" by D. Alessandri and M. Dacier of IBM-Zurich. They spoke about the vulnerability database from IBM and used sample entries from the database to demonstrate how it is populated and used for imparting information on such vulnerabilities and for analysis. They also discussed how the vulnerability database is used in their research in intrusion detection, and the conditions under which they would be willing to share the database with others. The third presentation was based on a paper by Aaron Schwartzbard and Anup K. Ghosh from Reliable Software Technologies titled "Establishing Common Exploit Information for Intrusion Detection." They spoke about data necessary for effective intrusion detection. 
In doing so, they related vulnerability and attack data to the data needed for intrusion detection. They made the case for a common repository for such information, and for effective tools and techniques to mine for and analyze data in such a repository.

The fourth presentation was based on a paper titled "Mapping Attacks to Vulnerabilities" by Mahesh Tripunitara of Purdue University. He spoke about the problem of relating the vulnerabilities that are exploited to the attacks that exploit them. He used a formal model for attacks in two examples to discuss the relationship between the set of attacks and the set of vulnerabilities they exploit.

It was then time for the lunch break, which gave the participants a good opportunity to informally discuss several of their ideas, interests and intentions in vulnerability databases.

The first presentation after lunch was by Thomas Daniels of Purdue University. He gave a demonstration of the COAST vulnerability database, which generated considerable interest from the audience. He demonstrated the graphical user interface used to query and enter data into the database. He also picked a few examples to illustrate the fields based on which vulnerability data is stored, and discussed tools for analysis of the data in the database.

The sixth presentation was based on a paper titled "Towards a Common Enumeration of Vulnerabilities" by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism for sharing of vulnerability data. They related the CVE to current practices on vulnerability data sharing.

The seventh presentation was based on a paper titled "Use of a Vulnerability Database for Writing Security Requirements" by Jim Williams of the MITRE Corporation.
He presented his efforts in automating the specification of security requirements. The security requirements he spoke about are of the type indicated in the Common Criteria (CC). He discussed a database that stores mappings from high level organizational security policies and requirements to detailed attacks, vulnerabilities and countermeasures.

The eighth presentation was based on a paper titled "The Proper Usage, Possible Benefits, and Risks of Open Vulnerability Databases" by Pascal Meunier of Purdue University. He discussed an open model for vulnerability databases, with vulnerability data being freely shared and added. He then raised several contentious issues relating to such a model. He also presented his notion of the "ideal" open vulnerability database.

The final presentation was based on a paper titled "Thoughts on Potential Sources of Error and Bias in Vulnerability Databases" by Ken Olthoff. He focussed on the problem of the possible corruption of vulnerability databases, either accidentally or maliciously. He also discussed some possible countermeasures against such corruption.

Friday

The first day concluded with the formation of working groups for the second day. Five working groups were established, with the participants in the workshop deciding for themselves which of the working groups each wanted to participate in. Working groups 1 through 4 dealt with various models and architectures for vulnerability databases. Working group 5 looked at issues fundamental to vulnerability databases, immaterial of the model used to construct them.

Working group 1 dealt with the "fully available" or "open" model. This is a database that anyone can add to and read from. Copies are allowed to be made freely, and the data and copies of the database can be used in whatever manner desired.

Working group 2 dealt with the "centralized" model. This involves a database of which there is only one copy, managed and controlled by a single agency or group.
There may be some distribution in the access or update of data in the database, but there is always a "master copy."

Working group 3 dealt with the "federated" model. This is a model in which there are several distributed databases, but with some centrality. The databases use a common schema or fields to store data, but the data is not necessarily replicated across all databases. The sharing of data occurs in an organized manner.

Working group 4 dealt with the "balkanized" model. It was also called the "status quo" model because there was general agreement that this model indicates what currently exists. The model involves several databases, different both in terms of the data in them and in terms of how the data is organized. Access methods to each database are also different, and sharing is not structured.

Working group 5 dealt with overall issues for vulnerability databases, such as terminology, classifications, schema and storage. The group also dealt with issues on what data a vulnerability database should include.

Each working group met for about 5 hours on the second day, dealing with such issues as ease of access and update in the model, intellectual property rights, access control, fault tolerance, expandability and flexibility, trans-national use, maintenance, location and staffing, scalability and longevity. The issues were dealt with both from a "model" standpoint and an "architecture" standpoint. Towards the end of the day, one person from each group made a presentation based on the respective discussions. Some of the presenters presented an analysis of their model, while others made a case for the model they had worked with. Each of the working groups is currently working on the final reports from the meetings for submission to a body of "main" editors that has the responsibility of consolidating the reports into a single report. A standards document is in the offing.
Concluding Remarks

The workshop's goals were to set an agenda for standardization in all aspects related to vulnerability databases and to initiate the building of the infrastructure to promote sharing of such data. Based on the enthusiastic participation and on preliminary feedback, the workshop was a success. Follow-up work is now being conducted, and those interested in involving themselves with the effort are encouraged to contact Prof. Gene Spafford (spaf@cs.purdue.edu).

______________________________________________________________________
Third International Conference on Financial Cryptography (FC '99)
Anguilla, British West Indies, February 22-25 1999
By Ryan Lackey, Olin Sibert, and Alex van Someren
______________________________________________________________________

[This report is my attempt to synthesize reports from all contributors, not always as cleanly as I would have liked. It is not a collaboration between its authors. Thus, all deserve credit for their contributions, but none is necessarily responsible for specific statements. -Paul Syverson]

The third annual Financial Cryptography Conference (FC 99) was held in Anguilla in the British West Indies from Monday February 22 through Thursday February 25, 1999. The conference was a rousing success. Attendance was up again, with approximately 130 participants from business, academia, and government with interests in cryptology, computer security, and/or the financial industries. There were many new attendees from previously unrepresented venues. For example, Victor Dostov led a contingent from St. Petersburg, Russia to hear from others and to talk about their own PayCash system for anonymous transactions. They are backed financially by Tavrichesky Bank in St. Petersburg, and one can find more information and a demo of their system at .

Once again, the conference took place in the increasingly cramped surroundings of the purpose-built conference facility at the InterIsland Hotel in Anguilla, BWI.
Fortunately, the industrial dispute of American Airlines pilots apparently failed to disrupt the arrival of delegates from the United States. However, as is by now traditional, a certain amount of luggage remained sulking in San Juan, Puerto Rico even after its owners had been delivered. All parties did eventually seem to catch up with each other.

As usual, the conference delegates were welcomed by the Anguillan Minister of Tourism. He reminded us that Anguilla's offshore tax haven status continues to be an incentive for the conference to be located there. Naturally, financial issues are thematic to the conference itself: sponsor and exhibitor e-Gold brought this home by distributing silver dollars to those who took time to learn more about their service (of which more later).

One of the most popular technical themes was anonymous digital money protocols. The basic principles of these schemes, using blind signatures, have not changed significantly in recent times, but improvements were presented which recognised practical necessities. Firstly, that complete anonymity in e-cash schemes is undesirable, due to the possibility of undetectable blackmail or bank robbery, and the needs of law enforcement agencies to trace money involved in criminal activity. Secondly, that detection of abuse such as double-spending of electronic coins needs to be practical.

The conference was sponsored by:
o E-Gold, gold-backed electronic payment system, www.e-gold.com
o Euro RSCG Interactive, web development and marketing, www.eurorscg.com
o Hansa Bank, Anguilla offshore bank, www.hansa.net
o nCipher, high speed hardware cryptographic accelerators, www.ncipher.com
o Offshore Information Services, Anguilla server hosting, www.offshore.com.ai

The remainder of the description focuses on the technical program, consisting of presentations by cryptology and computer security researchers and practitioners.
Highlights included the Tuesday "Crypto Predictions" invited talk by Adi Shamir, and the two panels on certificate status (Tuesday) and copyright issues (Wednesday). Speakers are [sometimes] identified by name and affiliation; an asterisk (*) identifies the presenter.

As in 1998, the conference was opened by Victor Banks, the Anguillan Minister of Finance, who thanked us for coming and said we were very important to the island, both as an event and as the creators of the concepts on which much of Anguilla's success might be based. Banks spoke of Anguilla's favorable position to attract financial cryptography businesses, due to its favorable tax situation, good weather, and suitable regulation (including strict financial secrecy laws), and also proposed the idea of a "technology park" within which certain undesirable features of Anguilla, such as the telecommunications monopoly of Cable and Wireless, would be suspended. He apologized for being unable to stay, explaining that there was an election happening on March 4.

Monday Morning (22 February) - Technical Program

After the opening remarks, the first conference session, "Electronic Commerce", began. This session was chaired by Matt Franklin.

The first paper was "Experimenting with Electronic Commerce on the PalmPilot" by Neil Daswani(*) and Dan Boneh (Stanford). Neil described an electronic payment system implemented on a PalmPilot. For these purposes, the PalmPilot is used like a smart card, but has no tamper resistance--so stored value schemes (like Mondex) are problematic. However, the device is implicitly trustworthy (and can interact with the user), so fraud by merchant terminals isn't an issue. The implementation is based on Rivest's PayWord scheme, adjusted to minimize storage and processing requirements; in particular, it uses RSA signatures in one direction (to the PalmPilot) and Elliptic Curve in the other, taking advantage of the superior performance of RSA verification and ECC signing.
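To make the PayWord idea that the PalmPilot work builds on concrete, here is an added example (not code from the paper, the conference or Cipher) of a PayWord-style hash chain. The payer signs only the root of the chain once with a public-key signature; each subsequent payment reveals the next preimage and costs the vendor one hash to check. The names make_chain, Vendor and accept are hypothetical, SHA-256 stands in for whatever hash the paper used, and the signature on the root is left out so the block runs with the standard library alone.

```python
import hashlib
import os

# Added example: a PayWord-style hash chain (hypothetical names; constructed data).


def h(data: bytes) -> bytes:
    """One-way function used to build the chain (SHA-256 here; the paper's choice may differ)."""
    return hashlib.sha256(data).digest()


def make_chain(length, seed=None):
    """Build w[0..length]: w[length] is a random secret and w[i] = h(w[i+1]).

    In PayWord the payer signs w[0] (the root) once with a public-key signature;
    every later payment only costs one hash per side.
    """
    if seed is None:
        seed = os.urandom(32)  # constructed secret for the demo
    chain = [None] * (length + 1)
    chain[length] = seed
    for i in range(length - 1, -1, -1):
        chain[i] = h(chain[i + 1])
    return chain


class Vendor:
    """Holds the signed root and the last payword it accepted."""

    def __init__(self, root):
        self.last = root  # w[0] from the payer's signed commitment
        self.index = 0

    def accept(self, payword, index):
        """Accept w[index] if hashing it (index - self.index) times reaches the
        last accepted value.  Paying several units at once is fine; replays,
        wrong indices and forged words are rejected."""
        steps = index - self.index
        if steps <= 0:
            return False
        x = payword
        for _ in range(steps):
            x = h(x)
        if x != self.last:
            return False
        self.last = payword
        self.index = index
        return True


def demo():
    """Walk through a chain of ten paywords and return the vendor's decisions."""
    chain = make_chain(10, seed=b"\x01" * 32)
    vendor = Vendor(chain[0])
    return [
        vendor.accept(chain[1], 1),       # pay one unit
        vendor.accept(chain[3], 3),       # pay two more units at once
        vendor.accept(chain[3], 3),       # replay of an already-spent word
        vendor.accept(chain[5], 4),       # word does not match the claimed index
        vendor.accept(b"\x00" * 32, 5),   # forged word
        vendor.accept(chain[10], 10),     # spend the rest of the chain
    ]
```

The vendor never needs the payer's public key after the initial commitment, which is why the scheme suits a device that cannot afford a public-key operation per transaction; the public-key cost is paid once per chain, and the chain length bounds the payer's exposure if the device is lost.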
They had to contend with the Pilot's small memory, slow processor, and other limitations, and in the process benchmarked various cryptographic algorithms on the Pilot platform -- for instance, a 1024-bit RSA keypair generation would take approximately 20 minutes, also rapidly draining the device's batteries. Their design was driven by these limitations to use a hybrid ECC/RSA system, as certain operations in the RSA cryptosystem were substantially faster than in the ECC cryptosystem and vice versa. It also used a hash chain in order to minimize the number of public key operations required. The experimental application was to use a variant of the "Payword" scheme, called PDA-Payword, to purchase goods from a vending machine on the Stanford campus, using a docking system to interface with the Pilot at the point of sale. Their system only functioned with a single bank and single merchant. Some of the audience questions and suggestions seemed very productive -- online/offline precomputed signatures were suggested as a means of minimizing online computation on the limited Pilot platform, as well as schemes to use a desktop computer for high-speed calculation, downloading partially computed signatures to the Pilot for later use.

"Blinding of Credit Card Numbers in the SET Protocol"
Hugo Krawczyk (Technion, IBM Research), presented by Gene Tsudik(*) (USC-ISI)

This paper describes a mechanism for blinding customer identity in SET, necessary because customer identity is transmitted in the clear, in the customer's certificate (which is transmitted in the clear because of export considerations). The transaction itself (which is encrypted) carries the actual credit card number, which is matched against the customer ID using an HMAC-based construction that provides both secrecy and unforgeability. These properties are important because credit card numbers are relatively small (20 digits), so it should not be possible to guess valid numbers, or to validate guesses.
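The point about the small card-number space is easy to see in code. The following is an added example (not SET's specification or any code from the talk) that derives a cardholder ID from a constructed card number two ways, with a plain SHA-1 and with HMAC-SHA1 under a secret held by the party that checks transactions, and runs an exhaustive search over the unknown last four digits against each. The names unkeyed_id, keyed_id, matches and guess_pan are hypothetical; the card number is made up and the search space is shrunk to four digits so that the block runs in a moment.

```python
import hashlib
import hmac
import secrets
from itertools import product

# Added example (hypothetical names, constructed card number): keyed versus
# unkeyed blinding of a card number drawn from a small space.


def unkeyed_id(pan: str) -> bytes:
    """Naive blinding: an unkeyed SHA-1 of the card number."""
    return hashlib.sha1(pan.encode()).digest()


def keyed_id(pan: str, secret: bytes) -> bytes:
    """HMAC-SHA1 blinding: without the secret the mapping cannot be recomputed."""
    return hmac.new(secret, pan.encode(), hashlib.sha1).digest()


def matches(pan: str, secret: bytes, cardholder_id: bytes) -> bool:
    """The checking party, which holds the secret, compares the card number
    carried in the encrypted transaction against the cardholder ID."""
    return hmac.compare_digest(keyed_id(pan, secret), cardholder_id)


def guess_pan(known_prefix: str, target_id: bytes, id_fn):
    """Exhaustive search over the unknown last four digits, using id_fn as the
    oracle.  Returns the recovered number or None."""
    for digits in product("0123456789", repeat=4):
        candidate = known_prefix + "".join(digits)
        if id_fn(candidate) == target_id:
            return candidate
    return None


def demo():
    pan = "4000000000001234"           # constructed test value, not a real card
    secret = secrets.token_bytes(20)   # checker's secret; never seen by the searcher
    prefix = pan[:-4]
    # Unkeyed hash: the ID itself validates guesses, so enumeration recovers the number.
    from_unkeyed = guess_pan(prefix, unkeyed_id(pan), unkeyed_id)
    # HMAC under an unknown key: neither a plain hash nor a wrong key can confirm a guess.
    from_keyed = guess_pan(prefix, keyed_id(pan, secret), unkeyed_id)
    from_wrong_key = guess_pan(prefix, keyed_id(pan, secret),
                               lambda p: keyed_id(p, b"constructed wrong key"))
    # The legitimate checker still links the transaction to the cardholder ID.
    legit = matches(pan, secret, keyed_id(pan, secret))
    return from_unkeyed, from_keyed, from_wrong_key, legit
```

Collision resistance of the underlying hash keeps two card numbers from sharing an ID, and the key is what removes the "validate a guess" capability from anyone who only sees the ID; linkability of one cardholder across transactions remains, which the talk noted is acceptable for SET.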
This talk described in excruciating detail the design process which led to the selection of the SHA-1 HMAC construction as the credit card number blinding function in the SET protocol. SET requires the creation of a cardholder ID which is related to the cardholder's credit card number, but must protect the credit card number itself from eavesdropping, as well as from exhaustive search of the (small) credit card number space. The function must also be collision resistant. However, linkability across transactions is acceptable. HMAC SHA-1 meets these requirements, and has been selected as the official SET blinding function.

After a brief coffee break, the next session commenced -- "Anonymity Control", chaired by Yair Frankel.

"Trustee Tokens - Simple and Practical Anonymous Digital Coin Tracing"
Ari Juels(*) - RSA Laboratories

Ari presented a simplified anonymous coin system, trading off features and trustee flexibility for simplicity of protocol. The scheme requires Alice to send a blank coin and blinding factor to a trustee, who validates the coin and returns a signed trustee token, which is then used by the bank when issuing the actual coin. The scheme can be extended to prevent the trustee from spending coins, and to allow a single trustee interaction to validate many coins. It is based on Chaumian E-cash, but may be extensible to other schemes as well.

Ari believes that the extensions to blinded electronic cash have compromised the initial simplicity and elegance of the design in their pursuit of various features, including tracing of coins. In this system, the user interacts with a trustee during coin withdrawal, providing the issuer of the coins with transcripts, or tokens, of interaction with the trustee which assure the issuer that the trustee can trace coins on demand. This system can be layered on top of many electronic cash schemes, and is relatively efficient.
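The Chaumian blind-signature withdrawal that the trustee-token scheme is layered on, and the trustee's check of the blank coin and blinding factor, look like this. This is an added example, not the paper's or RSA Laboratories' code: the RSA key is a toy assembled from two Mersenne primes (2^61-1 and 2^89-1) and is far too small for real use, the coin is a hash of a constructed serial, and the names coin_digest, blind, trustee_check, bank_sign, unblind, verify and withdraw are hypothetical. The block stops at a boolean trustee check rather than the signed token of the real scheme.

```python
import hashlib
import secrets
from math import gcd

# Added example: blind RSA signature withdrawal with a trustee's sanity check.
# Toy key (Mersenne primes) for demonstration only; hypothetical names throughout.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # E is coprime to (P-1)(Q-1) for these primes


def coin_digest(serial: bytes) -> int:
    """The 'blank coin': a hash of the coin serial, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int):
    """User picks a random r coprime to N and forms m * r^E; the signer never sees m."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def trustee_check(blinded: int, m: int, r: int) -> bool:
    """Trustee receives the blank coin and blinding factor (as in the talk) and
    confirms the blinded value was formed from them before vouching for it."""
    return blinded == (m * pow(r, E, N)) % N


def bank_sign(blinded: int) -> int:
    """Bank signs the blinded value with its private exponent."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """(m r^E)^D * r^-1 = m^D r * r^-1 = m^D: a valid signature on the coin."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Anyone (merchant, bank at deposit) checks sig^E == m."""
    return pow(sig, E, N) == m


def withdraw(serial: bytes):
    """Full withdrawal: blind, trustee check, bank signature, unblind.
    Returns (coin, blinded value seen by the bank, signature)."""
    m = coin_digest(serial)
    blinded, r = blind(m)
    if not trustee_check(blinded, m, r):
        raise ValueError("trustee rejected the blinded coin")
    sig = unblind(bank_sign(blinded), r)
    return m, blinded, sig
```

Because the bank only ever sees the blinded value, it cannot later match a deposited coin to a withdrawal; the trustee, having seen both the blank coin and r, can. The audience concern about a trustee spending coins is why the real scheme puts a public key rather than the coin itself into the token, and that variation is not shown here.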
A great deal of efficiency can be realized by the user withdrawing large numbers of trustee tokens instead of going to the trustee before every transaction. In the questions following the presentation, the point was raised that if the user had large numbers of trustee tokens on the user's hard drive, they became an attractive target for theft if the user was forced to withdraw coins. Another audience member was concerned that the trustee could steal coins of the user, which is addressed by using a public key pair rather than the coin itself in the trustee token. Finally, questions of general trustee policy and the requirements to become a trustee were raised -- it is important that malicious users not be able to be their own trustees, but also important that honest users be given a wide enough selection of trustees to assure that the trustees do not collude to spuriously unblind users' coins.

"A New Approach for Anonymity Control in Electronic Cash Systems"
Tomas Sander(*), Amnon Ta-Shma, International Computer Science Institute, Berkeley

This paper's goal is to be able to deter money laundering and related activities by limiting the amount of E-cash that any particular user can have, while still preserving the privacy of legitimate users. This paper is one of the first online electronic cash systems to take advantage of a fundamental observation -- of those activities requiring financial privacy, only those made by criminals involve large amounts of money -- honest users do not particularly want their few large transactions, such as buying real estate, to be highly confidential. Because traditional E-cash is transferable, laundering is easy--but introducing a "non-transferability secret" (NTS) that is valuable to the users, and required to effect transfers, motivates users not to engage in inappropriate behaviour.
In their system, Sander and Ta-Shma restrict users to a single account and a maximum monthly withdrawal of US$ 10 000, and incorporate a "non-transferability secret" to prevent a subset of the users from pooling funds for illegal purposes. The system provides guaranteed anonymity for transfers under $10k/month, without having to trust an external trustee, unlike most other "fair electronic cash systems". The scheme is based on Brands' E-cash, because it appears that blind signature schemes may not be usable here without involving escrow agents. A questioner pointed out that laundering can always occur in small denominations spread over a large number of users, perhaps by automated software. Sander and Ta-Shma concede that their system could be used by small-time criminals, but raise the question of exactly how desirable it is to provide the authorities with highly detailed data on small transactions, even technically illegal ones, if the cost is privacy for average users.

In the next session, Fraud Management, chaired by David Goldschlag, there was a last minute change of schedule. Yacov Yacobi's talk was delayed until Thursday and replaced by the following.

"Dynamic Fault-Robust Cryptosystems for Enterprise Organizational Change Control"
Yair Frankel(*) and Moti Yung (CertCo)

This paper explored handling organizational changes (such as changes in roles and duties, mergers and spinouts, etc.) that require reassignment of cryptographic keys and rules involving keys. "Views" are defined to represent each party's knowledge of the system state and inference rules for making deductions. Fault-tolerant cryptographic primitives, such as revocation and threshold schemes, can be used to accommodate changes. A very interesting question was raised after this presentation: how does one deal with root keys and the very top of the tree during major corporate events such as mergers?
There seems to be no clear answer to this question, although there was some handwaving about involving the board of directors.

"Assessment of Counterfeit Detection Systems for Smart Card Based E-Cash"
K. Ezawa, G. Napiorkowski, M. Kossarski(*) (Mondex International)

The authors describe a simulator for the Mondex environment, modeling the behaviour of system participants (consumers, merchants, issuers), as well as the monitoring systems, in the face of attacks. Ledger controls are used (and planned) in the system to detect introduction of counterfeit value, matching total float against transactions. The attack scenario involved 200 days of normal use, followed by 6 days of attack (1 test, 1 full attack, 1 monitoring, and 3 more full attack), and was successfully detected.

This presentation was primarily about the Mondex system and Mondex's internal simulators. They have a system which allows Mondex to simulate the injection of counterfeit value into the system, then monitor its dispersion through the system, under various fraud detection mechanisms, to see how fast counterfeit value diffuses through the system and is redeemed. Their model assumes payee cards cannot distinguish between counterfeit and real Mondex cash, and takes advantage of the Mondex design feature whereby hardware-enforced value limits are possible on each device. They have also made the decision to maximize Mondex income, rather than making fraud impossible -- if it costs a huge amount of money to compromise a card, and the expected return is less, they are not concerned, calling this simple vandalism.
A questioner asked what would be done in response to such an attack, which was answered, roughly, as "we've thought about it, we have rules and procedures, and we'll deal with it if it happens". A point raised in separate discussion after the presentation is that a widespread attack on the Mondex system may be successful, as if one can spend a large amount of money to come up with an efficient way to compromise cards, then compromise a large number of cards, it may be possible to make a net profit. Also, the question of compromising Mondex without compromising the smartcards themselves, by tampering with client software on the user's PC to divert payments covertly to the attacker, was not addressed in the Mondex fraud prevention model.

Monday Afternoon (22 February) - Exhibitor Sessions

"Governance in DigiGold"
Ian Grigg (Systemics, E-Gold)

In this exhibitor talk, Ian described the processes that are used by the gold-backed DigiGold banking system. There are three types: static governance, representing the "Ricardian Contract" (which is both human-readable and machine interpretable, and digitally signed) of the bank with its customers; dynamic governance, providing realtime, user-initiated auditing of the bank's operation; and structural governance, which deals with separation of duties, auditing, and limiting the trust placed in bank employees (and is required because cryptography alone cannot stop insider fraud).

He presented his seven layer financial cryptography model, and specifically went into his layer five, governance, which is responsible for ensuring that the underlying layers (cryptography, software engineering, electronic cash, and accounting) are operating to support the transport of value and the user-level application, and that the transport of value and user-level application are conducted within pre-defined rules. Ian introduced several security features of general applicability which are being implemented for the DigiGold.net system.
The first technique is static defense, using cryptographically signed contracts which fully specify the behavior of various parties in the system. In the Ricardo system on which DigiGold.net is built, end-users agree to contracts before using a particular currency, and a currency is identified by the cryptographic hash of the currency's own contract, ensuring that the contract cannot be changed without a user's knowledge and acceptance.

The second technique is dynamic defense, using realtime auditing. Many auditors involved in electronic commerce have spoken of increased frequency of audits for electronic commerce businesses, and the Ricardo system allows the ultimate evolution of this -- any end user can perform a full audit on the entire system at any time.

The final set of techniques is structural protection, including the very important separation of concerns. In the DigiGold system, a multiplicity of parties are involved in well defined roles to ensure that no single party can defraud the system. The e-gold system is used to hold the gold reserves; the server operator is responsible solely for technical operation of the DigiGold server; there is a day to day operations manager responsible for handling normal user transactions; a trusted third party can generate new money but only send it to the manager; and the legal entity that is DigiGold has a board of directors responsible for ensuring various parts of the system operate correctly. Each of these roles can be subdivided to require multiple individuals, and external auditing can be added to each.

An interesting observation was that DigiGold started out using the PGP web-of-trust signature model, then switched to X.509 as an "emerging standard", and now plans to switch back to the PGP model because it works so much more effectively.
Questions covered dispute handling (some protection from protocols, maybe use personal hardware devices to limit the scope of fraud), understanding the bank's contract (which experts will analyze, and render opinions on), and the PGP/X.509 distinction.

"Locating and Managing Your Intellectual Property Offshore"
Lynwood Bell(*) (Span/Hansa Group, Hansa Bank)

Lyn talked about how business enterprises can be structured to achieve tax advantages by holding assets in Anguilla, and illustrated with two examples: Murex, a pharmaceutical company, and the (unnamed) former owner of the domain name "bingo.com". Murex holds its patents in Anguilla, which means that infringement suits in other countries can only shut down local manufacturing operations, not the whole business, and also raises a significant barrier to suits in general--as well as making the company operate free of corporate taxes. The domain name company is more of a pure tax play: it was able to sell the "bingo.com" name at a huge profit, all untaxed because it was realized in Anguilla.

Lyn characterized a few tests for offshore location: Can the valuable asset be moved? Can the work be subcontracted to another location (e.g., an Anguilla company contracts to implementers in San Jose)? Can revenues reach the haven (sales good, royalty income bad, typically)? Is the plan defensible? (If the enterprise makes its initial invitation and business offer via an Anguilla-located server, and does acceptance and transfer of title there as well, it's strongly defensible, even if much other activity takes place elsewhere.)

Lyn Bell distinguished between tax treaty and full tax haven countries, differentiating between Anguilla (which is a tax haven) and Barbados (which is a tax treaty country, at least with Canada). The Span-Hansa group has affiliates in both locations, and Bell described situations in which it would be appropriate for a business to choose one location over the other.
The presentation's most insistent point was that it is critical to move one's business offshore before it has real value, whenever possible. Bell presented the example of Microsoft, one of the most highly capitalized corporations in the world; for it to leave the United States would carry an impossible tax burden. He said that for many conference attendees, it should be possible to move intellectual property, such as a new electronic cash system, offshore immediately after it is developed, before it has any real value, and thus avoid taxes on it entirely. He described several potential pitfalls, including the taxes on royalties enforced by many nations. Since many pieces of intellectual property, including software, are licensed on a royalty basis, this is an especially relevant issue. Effectively, royalty streams are taxed by many nations even if the parent entity is offshore. Bell estimates that the Span-Hansa group has been responsible for billions of dollars in deals over the past 10 years. Hansa Bank and Counsel Ltd (the corporate services affiliate) offered a special deal for conference attendees: establishment of an Anguillan corporation for half the normal price of $1100, or $550, to take advantage of the unique advantages of an Anguillan corporation.

Monday's evening event was a cocktail party at the Mariner's hotel on Anguilla, one of the recommended hotels for the conference. After this cocktail party, some attendees went to a local French restaurant for continued discussion of financial cryptography. During that conversation, one of the main problems of internet electronic payment systems was discussed -- how to add value to the system quickly and conveniently for the average user, and how to allow those users to redeem value from the system. Among the diners were Bob Hettinga, founder of the Financial Cryptography conference series, and Paul Guthrie, VP for Research at VISA International.
Hettinga suggested (and continued to maintain) that the ATM networks (e.g. Cirrus, Plus) were the best means of doing this, having the electronic cash mint act as a third party ATM, with electronic cash withdrawals and deposits being treated exactly like physical cash. Guthrie, who is familiar with the ATM networks since VISA owns one of them, argued that the ATM networks were unsuitable due to security requirements for PIN entry into only approved tamper-resistant modules, general unavailability of third-party bank deposits on the network as a whole, and other factors. I suggested the ACH network as a possibility, and some electronic cash vendors have taken preliminary steps to use this system, through membership in NACHA. Guthrie also suggested SET, as this would allow credit card transactions to be conducted security over the Internet (also offered by SSL) but would also eliminate chargeback risk for the electronic cash issuer. Additionally, the e-gold payment system was suggested as a repudiation-free source of funding for electronic cash systems, operating in ounces of gold, rather than traditional government currencies. Another interesting topic raised during the discussion was recent investigation by Shamir and Rivest which concludes the EFF's "Deep Crack" massively parallel machine, could be used as the "micromint hash engine" in Rivest's MicroMint micropayment system. This system requires a device capable of searching for a large number of n-way hash collisions, something Deep Crack is capable of doing. TUESDAY Tuesday's session opened with Adi Shamir's invited talk, "Crypto Predictions", chaired by Jacques Stern. 
"Crypto Predictions" Adi Shamir(*) (Weizmann Institute) Adi started off the Tuesday session with his "Three Laws of Commercial Security": (1) Crypto is bypassed, not broken: improving the crypto isn't very helpful, because it's already by far the strongest link in the chain; (2) There are no secure systems, only varying degrees of insecurity: don't bother adding bells and whistles because complexity is your worst enemy; and (3) To halve the insecurity, expect to double the cost: small early investments help a lot, so it's better to make the system convenient, transparent, and cheap--don't strive for the unreachable airtight goal. By these principles, there are many adequate security designs: paper money, postage stamps, mechanical locks, vending machines, access control, smart cards, and tickets. Some of these systems will be used for many years, regardless of technical advantages of replacement solutions, because they are "good enough": the cost to attack is much greater than the expected return. He illustrated the notion of "bypass" attacks with some examples. The first example breaks a "Provably correct implementation of unconditionally secure key exchange protocol using quantum cryptography" by sending light back down the optical fiber to read the polarizer angle directly (rather than anything to do with the single photons used in the protocol). That is, after the keys are set up, one taps the fiber and sends a strong pulse of light back through the fiber at the original transmitter, then reads the internal reflections from the transmitter itself to determine the earlier polarization configuration of the system. Shamir says none of the systems under test today resist this simple attack. The second example fabricates a false "Tamper-proof photo-ID document" by submitting a "photograph" printed in two types of ink: one that fades over time, and one that becomes apparent over time (perhaps after being exposed to strong UV light).
This would allow the photograph to be changed after the fact without tampering with the lamination at all. The third example allows cheating on multiple-choice exams by sending Morse code through a mobile phone or pager's vibrating indicator--a signal not perceptible to the proctors. Shamir broke with some of the security community by advocating some measure of security through obscurity, at least for systems small enough to attract attention from an attacker themselves. He also advocates a diversity of underlying designs. He was primarily concerned that a flaw would be found in a widely deployed system, such that a "scripted" attack could be mounted on a large number of sites with little marginal cost, and also that deploying a single system widely raises the incentive for attackers to test it. Generally, those in the Internet security community have encouraged widely publishing their designs (unlike the intelligence, finance, and telecommunications industries), such that a maximum number of researchers can test them. Shamir's proposal is something of a departure from this, although his reasons are good. Adi's prediction for E-commerce is that it will continue to expand rapidly, generating both huge stock valuations and many business failures, and will use primarily SSL ("good enough"), not SET, anonymous cash, or other specialized schemes. He predicts that E-Cash (e.g., Mondex) will not be successful short-term as an alternative for cash in physical commerce, but may see success in closed systems such as enterprises, universities, and the military; a key is including E-Cash as part of a multi-application smart card. Micropayments over the Internet, on the other hand, he predicts will begin to be widely used (e.g., the MicroMint system) because they fill a real need, have no export controls, and can be implemented and integrated with today's technology.
Adi expects that Smart Cards are headed for a major crisis, largely because of indirect attacks (fault analysis, timing analysis, power analysis, etc.). He described an extension to Kocher's power analysis (joint with Eli Biham) which detects the Hamming weight of individual bytes being written to memory and can therefore be used to solve a series of linear equations to deduce values when bits are related (as they are, for example, in DES key schedule generation). Shamir had an even more grave prediction about security on the desktop computer. He said, "I think the PC architecture is basically doomed as a security device. If I were selecting security features for the world's worst security architecture, all of those features are present in the PC." The architecture is completely open, every file can be modified by any program, programs come from unknown sources, etc. The problem is getting worse, and is exacerbated by the overwhelming complexity of operating systems (35 million lines of code in Windows 2000?). The only secure solution seems to be a new class of simple, securable devices. He also recounted an interaction with the Israeli state security apparatus in which they revealed that absolutely no investigations were seriously hampered by the use of encryption technology by suspects, due to other weaknesses in overall security, or simply quality investigative work. "PCs are the worst possible platform for secure computation, and the situation is getting worse." He also quoted RFC 602, demonstrating that the problem has been around since the days of the ARPAnet. However, he admitted that this analysis was only of the Microsoft Windows platform, not alternate operating systems for personal computers.
He predicts a major relaxation of export controls over the next few years, and an unanticipated consequence of the Y2K bug: it will permit introduction of malicious code into many, many systems, allowing information warfare attacks on those systems months or years later, long after backups are decommissioned or useless. Finally, for cryptographic algorithms, he predicts that the AES process will yield ciphers "good enough" for any foreseeable application (even 50 years of Moore's Law won't help for 256-bit keys); that multivariate public key schemes will continue to prove unsuccessful; and that factoring-based schemes seem to be OK today, although it's been 10 years since a major factoring breakthrough, and another may come soon. In response to questions, Adi was skeptical about quantum computation ever being practical for real problems, and suggested that elliptic curve and factoring are about equally vulnerable--for especially strong security, one could use both. The next session, Public-Key Certificates, was chaired by Clifford Neuman. "Reasoning About Certification: On Bindings Between Entities and Public Keys" Reto Kohlas(*), Ueli Maurer (ETH) This paper addressed the need for a language and formal semantics to express the relationships between public keys and responsible entities. It's important to formalize the relationship, because simple statements (e.g., "the entity owns the public key", "the entity claims sole ownership of the public key") mean different things, and, worse, are inherently suspect. The important statement seems to be "the entity is liable for statements signed with the key", and the authors introduce the concept of Views (which may differ for different parties, such as the transaction participants versus judges) and inference rules for determining what statements are valid within a view. The model is incomplete: it needs to address attributes, authorization, timestamps, and revocation.
A questioner observed that there is a superficial similarity to BAN logic; BAN deals with authentication, which is different from this logic. They presented several interesting statements: sole ownership of a key can generally not be verified or certified; ownership of a key alone is generally acceptable except for situations where the key is used to assume liability, in which case legally binding commitments are needed; and self-certificates imply ownership of the corresponding private key. "Online Certificate Status Checking in Financial Transactions: The Case For Reissuance" Barbara Fox, Brian LaMacchia(*) (Microsoft) The point of this paper is that the response to an online query ("is this certificate still valid?") is really just another certificate, likely with a limited validity period. These certificates are important for high-value transactions, because freshness is increasingly important as transaction value increases. Using certificates, rather than another specialized form of "validity response", also simplifies issuance of receipts (i.e., the certificate) and sale of transactions (because a chain of freshness certificates can be accumulated as the transaction passes from hand to hand). LaMacchia also presented reissuing certificates with short expiration periods rather than using OCSP as a way of minimizing complexity and redesign in existing code. Questioners asked about representing repudiation semantics, and whether it's a good idea to have the CA be making policy decisions about freshness, rather than the certificate user. Another question asked whether XML would be a more convenient representation than X.509; it would, but we have X.509 already. Panel: Certificate Revocation and Validation: One Year Later Mike Myers (VeriSign) Ambarish Malpani (Valicert) Patrick Richard (Xcert) Carl Ellison (Intel) The last technical session on Tuesday was a panel following up on the topic introduced at FC '98.
There has been good progress: the Online Certificate Status Protocol has moved all the way to an IESG draft, but there are still semantic and technical issues: revocation is, at best, a mechanism for saying "not invalid". Alternative mechanisms (signed LDAP attributes, extended protocols for certificate acquisition, extensions to "delta CRLs") may become important. Legal issues are still unclear (trust model, liability transfer). Ambarish spoke about ValiCert's implementations, and stressed that Validation Authorities (VAs) are inherently different from Certificate Authorities (CAs): their processes are different, response requirements are different, etc. This distinction argues for using different mechanisms (perhaps several) for validation as opposed to issuance; it also provides a framework to charge for use of certificates, rather than issuance. Patrick talked about problems with real-world use of certificates and revocation; the problem is bounded within enterprise environments, and therefore amenable to technical solutions, but harder in the global Internet, which likely cannot be satisfied by a single ubiquitous approach. Internet transactions, in particular, need to determine credit validity--and don't care as much about name bindings. Carl characterized revocation as a performance problem, not a security problem: you choose your techniques based on your requirements. Classical "anti-matter certificates" are easy to understand, but inherently flawed; time-disjoint CRLs are more complex, but have a sound underlying mathematical model, and can be tuned to place the load where it's most appropriate by adjusting CRL size and lifetime (in fact, using CRLs, it's not clear that an original certificate ever has to be signed). However, this isn't enough: even if there are separate CAs and VAs, it's not the case that they are the parties who can determine whether a certificate is valid for a particular transaction.
The real issues are semantics of trust authorization and naming, not revocation. Floor questions included discussion of OCSP versus CRLs, and the tradeoffs between CRL issuance frequency and CRL size. Small, frequent CRLs are like OCSP; large ones are more of a problem. OCSP can build in decision policies of the VA, rather than relying on the client to decide (but is this always good?), can make the important CA/VA distinction, and can support time synchronization. OCSP can also allow use of a low-assurance identity certificate, validated by a high-assurance VA. Other questions dealt with the proliferation of certificate issuers (e.g., every Windows PC, every PGP instance); this will be an issue, but it's important to distinguish between issuers (signing keys) and parties that accept liability. A final question asked whether there's really a need for fast revocation; in practice, it seems that there aren't many examples, and most of them (e.g., money center banks) already deal with the problem effectively and wouldn't rely on certificate revocation anyway. Alternatively, "If you're going to validate the certificate on every transaction with a trusted party, why bother issuing long-term certificates at all?" After lunch, there were no commercial sessions. There was, however, a meeting of the International Financial Cryptography Association, which runs the Financial Cryptography conference. Ron Rivest did not run again and was replaced by Adam Shostack, and Lucky Green was reelected. The board of IFCA thus consists of Bob Hettinga, Ray Hirschfeld, Vince Cate, Lucky Green, and Adam Shostack. The question of where to hold Financial Cryptography 00 was also preliminarily discussed, and evaluation forms were handed out. Tuesday's evening event was the conference rump session, chaired by Avi Rubin, replacing Matt Blaze [who was vacationing in New Jersey, rather than sweating it out in Anguilla with the rest of us.-P.S.]
A special feature of this year's rump session was a prize offered by E-Gold: USD$350 equivalent in an e-gold account (effectively a little over 1 ounce of physical gold, since E-gold is 100% backed with gold and the price of gold was approximately $290 per troy oz). This prize was for the best rump session presentation, as decided by a panel appointed by Avi. [The most fun talk, which had the advantage of being a temporally distributed presentation, was Avi's movie guide for Crypto geeks. The titles are given here, but it loses a lot without the movie posters. -P.S.] The top ten cryptography movies. These were: BreakDES at Tiffany's; 9 1/2 Weeks to Factor RSA; Saving Private Data; Good Will Hunting; The XOR Cyst; My Own Private Key; The China Remainder Syndrome; E T mod n; Feistel Attraction; and There's Something About m-ary arithmetic where m is the Product of Two Large Primes. [N.B. I caught some, but possibly not all, attribution mistakes in the Rump Session writeup -P.S.] Tomas Sander spoke on "Auditable Anonymous Electronic Cash", addressing the problem that the consumer has no recourse (in many E-cash schemes) if the issuer goes bankrupt, using a Merkle tree to establish an auditable correspondence between withdrawals and reserves. Stuart Stubblebine spoke on "Stack and Queue Integrity on Hostile Platforms", describing how to use hash functions and MACs to enable a trusted computer (such as a smart card) to manage large data structures in untrusted storage with O(1) overhead. Kazue Sako, who won the Rump Session award, spoke about a "Digital Lottery Server", a mechanism for using hash functions to make a fair, auditable, and random choice among several participants. She also introduced us to Hanako, Keiko, and Yuko, who are Alice and Bob's Japanese cousins.
Specifically, she described a theoretical fair lottery system and implementation of a different lottery system, used in several cases already on the world wide web, originally inspired by a need to sell an event ticket on short notice. Paul Syverson spoke on "Establishing Title for Dynamic Objects", about the difficulty of defining ownership of objects whose title changes over time. He gave a very brief and highly self-referential presentation about dynamic object things and ownership, using the presentation itself as an example of an object which has changed ownership from one party to another. This puzzled the audience while they tried to figure it out. [This was basically a joke---masquerading as a real piece of research---about a bunch of people without a submission to FC constructing one so they could go to the conference. The joke was on me: more than one person came up to me afterwards wanting to know if they could get the paper -P.S.] Josh Jaffe then gave a much more serious presentation, with actual machine-printed slides. The talk was about using power analysis to reverse engineer smartcards, and it showed visuals of the kind of signals recovered from smartcards during the attacks. He also described the mathematical techniques used to recover meaningful data from the apparent mess. Paul Kocher talked about "How not to Fix Single-DES Protocols". He described how a response by banks to the demonstrated weakness in DES's short keyspace, using rapid keychange, can in fact lower security against certain kinds of attacks. He came up with a way of breaking DES in 2 hours on a fast PC given certain assumptions about key change rate. The naive solution of changing DES keys frequently actually makes systems with known plaintext easier to break by exploiting the time-memory tradeoff: 2^40 precomputations to create a table with 2^24 entries enable finding keys with 2^32 effort (at O(2^16) operations per test). 
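Worked accounting for Kocher's time-memory tradeoff figures above (an added illustration, not part of the original writeup; it assumes a Hellman-style table in which each of the $2^{24}$ stored entries summarizes a chain of $2^{16}$ keys, which is the reading consistent with the $O(2^{16})$ cost per test):

$$\text{keys covered by the table} = 2^{24} \cdot 2^{16} = 2^{40} \quad (\text{the precomputation cost})$$

$$\Pr[\text{a fresh random DES key is covered}] = \frac{2^{40}}{2^{56}} = 2^{-16}$$

$$\mathbb{E}[\text{keys observed before a hit}] = 2^{16}, \qquad \text{cost to test one observed key} = 2^{16}$$

$$\text{expected online work} = 2^{16} \cdot 2^{16} = 2^{32}$$

With one long-lived key the attacker gets a single trial against the table and hits with probability only $2^{-16}$; rapid rekeying under known plaintext hands the attacker a fresh trial every key period, which is why the "fix" makes the system easier, not harder, to break with the same precomputation.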
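An added illustration of Stubblebine's "O(1) overhead" idea from the rump session above (this is my own hash-chain sketch, not the construction from his talk): the trusted side keeps only a MAC key, the current depth and one 32-byte tag, while every stack cell sits in storage the adversary controls; each pop re-derives the tag for the cell it reads, so a modified, swapped or replayed cell is rejected. Class and function names (HostileStore, TrustedStack, IntegrityError) are mine.

```python
import hashlib
import hmac
import os


class IntegrityError(Exception):
    """Raised when untrusted storage hands back a cell the trusted tag chain rejects."""


class HostileStore:
    """Untrusted storage (constructed for this example): the adversary may rewrite any cell."""

    def __init__(self):
        self.cells = {}

    def write(self, index, record):
        self.cells[index] = record

    def read(self, index):
        return self.cells[index]


class TrustedStack:
    """A stack whose cells live in HostileStore while the trusted side keeps O(1) state:
    a MAC key, the current depth, and the tag of the current top.

    Cell i holds (value_i, tag_i), where tag_i authenticates the whole stack of depth i
    beneath that value. The trusted top tag is tag_depth, so every cell is bound to the
    exact prefix it was pushed onto: editing, swapping or replaying a cell changes the
    tag the pop recomputes and is caught.
    """

    def __init__(self, store, key=None):
        self.store = store
        self.key = key if key is not None else os.urandom(32)  # never leaves the trusted side
        self.depth = 0
        self.top_tag = self._tag(0, b"", b"")                   # tag of the empty stack

    def _tag(self, depth, value, prev_tag):
        # Length-prefixing keeps (depth, value, prev_tag) unambiguous under one MAC.
        m = hmac.new(self.key, digestmod=hashlib.sha256)
        m.update(depth.to_bytes(8, "big"))
        m.update(len(value).to_bytes(4, "big"))
        m.update(value)
        m.update(prev_tag)
        return m.digest()

    def push(self, value):
        prev_tag = self.top_tag
        self.store.write(self.depth, (value, prev_tag))   # only untrusted storage grows
        self.depth += 1
        self.top_tag = self._tag(self.depth, value, prev_tag)

    def pop(self):
        if self.depth == 0:
            raise IndexError("pop from empty stack")
        value, prev_tag = self.store.read(self.depth - 1)
        expected = self._tag(self.depth, value, prev_tag)
        if not hmac.compare_digest(expected, self.top_tag):
            raise IntegrityError("storage returned a modified, swapped or stale cell")
        self.depth -= 1
        self.top_tag = prev_tag                            # O(1) state update
        return value


if __name__ == "__main__":
    store = HostileStore()
    stack = TrustedStack(store)
    for item in (b"alpha", b"beta", b"gamma"):
        stack.push(item)
    print(stack.pop())                                     # b'gamma'
    store.cells[1] = (b"evil", store.cells[1][1])          # adversary edits a cell in place
    try:
        stack.pop()
    except IntegrityError as err:
        print("rejected:", err)
```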
Mark Miller described his "E" programming language -- a capabilities system built on the idea that pure objects are equivalent to pure capabilities. The system is the latest in a series of capabilities-based adventures, and is proposed as an ideal environment for working on smart contracts, self-enforcing documents which can be executed and evaluated by a machine, rather than a lawyer. Ueli Maurer described a result in "General Secure Multiparty Computation from Any Linear Secret Sharing Scheme", which involves a technique for performing the "multiply" operation (as well as "add") in linear schemes that is efficient and operates on any field. This included means of changing users in an existing group and other important administrative features. Rachel Willmer talked about "Smart Cards on the Internet". She asserted that smartcards (not just Mondex but smart cashcards in general) will in the future prove good at providing an equivalent for cash on the Internet, sharing many of the same characteristics - low-value, immediate settlement, relatively private, two-way transactions - whereas credit and debit cards cannot do this. She also noted that in the "real-world" trials, smartcards have proved good at replacing coins, e.g. in parking meters and laundromats -- but not proved as good in transactions already suitable for credit and debit cards. She also brought up the smartcard reader deployment problem, but said these are coming down in price, which should help solve the problem, although not necessarily in the US first. Ian Goldberg talked about the "ZeroKnowledge Anonymity Service", pointing out that "anonymous E-cash" isn't very anonymous when your IP address is being disclosed while making payments on the Web. The ZeroKnowledge product enables efficient IP-level anonymity services for arbitrary higher-level protocols. The system appeared to be a combination of mixmaster remailers, onion routers, crowds, and other systems, commercially packaged.
Bryce Wilcox talked about "Using the Rivest and Shamir Interlock Protocol for Half Duplex Communications", describing a scheme based on contingent messages, in which each party anticipates the other party's potential responses, to send inherently one-way communication with the Interlock Protocol. Viktor Dostov spoke on the "PayCash System for Online Payments", addressing the problem that the bank must be trusted (because it can fake double-spending) in a traditional Chaumian E-cash system, using a structure called PayBooks. Adam Shostack spoke on "Towards Eliminating the Middleman in Money Laundering", describing a scheme involving apparently legitimate merchants to enable distribution of illegal goods without involving an explicit money launderer using cryptographic receipts from the store as token currency. Paul Lambert spoke on "An Efficient Public Key Language", a work in progress designed to make efficient public key certificates (especially elliptic curve) with simple semantics, small size (under 50 bytes, total), and no ASN.1. This had applications such as tiny certificates for 2-d barcode postage indicia, using very small signatures, and an application-specific increase in efficiency by eliminating verbose generic headers. Neil Daswani spoke about a cryptographic deletion system. Phil MacKenzie spoke on "Compromivacy", for compromise of privacy. The compromise of privacy is assumed to be potentially worthwhile in this system when a user interacts with a market research organization. This was a scheme for transactions involving personal information by selling the results of a buyer's queries against protected information, with zero-knowledge proofs of validity. Bryce Wilcox spoke on "Traditional PGP for Windows", using the current-day PGP Developer's Kit to build a command-line PGP interface compatible with PGP 5.0 keys and formats; it will be available open source. 
Paul Syverson announced the upcoming availability of "2nd Generation Onion Routing", which is going through the NRL review process now and is expected to be released as an open source distribution. Someone, whose name we lost, gave a presentation describing a new electronic currency, the "negabuck", eliminating fraud and theft by declaring the currency to have negative value, such that no one would want to counterfeit or steal it. While this was intended to be humorous, there actually are practical applications for certain negative-value currencies, such as tax scrip. Marc Briceno gave a status report on the "DigiCash Acquisition Consortium" he has organized, which expects very soon to announce a flexible and opening Vince Cate spoke about "Weaknesses of the Verifone Terminal", observing that the protocols for communicating with a Verifone merchant terminal permit a user to act as an arbitrary merchant, request arbitrary refunds, and other weaknesses; apparently there is no crypto, no authentication, no real security in those interactions. The prize was awarded to Kazue Sako. The panel approved of the Japanese equivalents of Alice, Bob, etc. used in describing her system, and favored her actually-implemented system over some of the more theoretical presentations. Douglas Jackson of e-gold.com walked Sako through the account creation process in front of the audience and then transferred $350 in e-gold to her. The prize for best rump session presentation was in fact so popular that some with accepted papers in the formal sessions were considering withdrawing their own papers from the formal session to enter in the rump session in order to have a chance at the prize, proving that financial cryptographers are often motivated by financial considerations as much as purely academic ones. It would not be a surprise if such a prize were offered in the future. WEDNESDAY The first session on Wednesday, Steganography, was chaired by Yacov Yacobi.
Nicko van Someren presented work with Adi Shamir detailing new means of efficiently searching large volumes of data for cryptographic data. They took advantage of several special features of cryptographic data (encrypted data as well as keys) -- the number-theoretic properties of RSA keys, the locally high entropy in symmetric keys and encrypted data, and simple high-speed tests, including visual pattern recognition. They presented a "lunchtime attack" where one could successfully recover a hidden key from a user's hard drive while the user is away for lunch, as well as schemes to recover keys used in copy protection and license control from program binaries themselves. An important result of this is a new reason for software publishers not to depend upon compiled-in keys in user-readable software for software licensing or security purposes. Previously, it seemed that hiding a key in the bulk of a large program might be enough defense, but the visuals shown in this presentation clearly identified regions of high-entropy key data in even a large program, and the analytical tests were even more powerful. The final talk in this session was presented by Markus Breitbach. It was work with Hideki Imai, "On channel capacity and modulation in watermarking of digital still images". The talk differentiated between reversible and irreversible image transformations, and singled out jamming attacks as a major potential problem to overcome, drawing parallels to military communications systems. A binary alphabet was shown to be the most efficient in terms of channel capacity. The next session was Content Distribution, chaired by Berry Schoenmakers. The first talk in this session was presented by Avishai Wool, work with Abdalla and Shavitt, "Towards making broadcast encryption practical".
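Returning to the van Someren/Shamir key-search talk above: the "locally high entropy" test, as a release engineer would use it to check a build artifact for compiled-in key material before it ships. This is an added example, not the authors' code or the tests from their paper; it slides a Shannon-entropy window over the bytes of a constructed sample "binary" (repetitive text standing in for code, with a 128-byte blob of key-like material built from four chained SHA-256 digests planted in the middle). Function names and the 5.0-bit threshold are my choices.

```python
import hashlib
import math
from collections import Counter

# Threshold in bits per byte for a 64-byte window. Repetitive text or code stays well
# below it (a window drawn from an 18-symbol alphabet cannot exceed log2(18) ~ 4.17),
# while 64 bytes of key material or ciphertext typically score 5.5 or more (max 6.0).
WINDOW = 64
STEP = 16
THRESHOLD = 5.0


def shannon_entropy(window: bytes) -> float:
    """Shannon entropy of the byte distribution in window, in bits per byte (0.0 .. 8.0)."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def high_entropy_regions(data: bytes, window: int = WINDOW, step: int = STEP,
                         threshold: float = THRESHOLD):
    """Slide a window over data and return merged (start, end, peak_entropy) regions whose
    local entropy reaches the threshold: the places to inspect for embedded keys."""
    regions = []
    for off in range(0, len(data) - window + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:      # overlaps or touches the previous hit
            start, _, peak = regions[-1]
            regions[-1] = (start, off + window, max(peak, h))
        else:
            regions.append((off, off + window, h))
    return regions


# Constructed sample: text standing in for code/strings, with key-like bytes in the middle.
FILLER = b"This program prints a banner and exits. "


def build_sample():
    """Return (data, blob_offset, blob_length) for the constructed sample binary."""
    blob, seed = b"", b"constructed key material"
    for _ in range(4):                             # 4 x 32 bytes of digest = 128-byte blob
        seed = hashlib.sha256(seed).digest()
        blob += seed
    prefix = FILLER * 20
    return prefix + blob + FILLER * 20, len(prefix), len(blob)


if __name__ == "__main__":
    data, blob_off, blob_len = build_sample()
    print(f"blob planted at {blob_off}..{blob_off + blob_len}")
    for start, end, peak in high_entropy_regions(data):
        print(f"high-entropy region {start}..{end}, peak {peak:.2f} bits/byte")
```

On a real artifact the same scan will also light up compressed or already-encrypted sections, so a hit is a place to look, not proof of a key; the number-theoretic RSA test from the talk is the sharper second pass.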
They described solutions for symmetric key encrypted broadcasts, such as satellite television, with minimal requirements for key storage, with the useful feature of being able to target a particular subset of a subscriber base for a particular broadcast. They made the fundamental observation that it is usually OK to allow some free riders to view a broadcast, as long as the number of free riders can be bounded, and the chances of a given user viewing a broadcast without paying are acceptably low. They use a system which is a hierarchical tree of keys, with users belonging to multiple groups of increasing generality, such that when enough of a subtree is filled with users, the parent key is used instead. They did mathematical analyses of various group sizes and modifications to the basic scheme, and concluded that eliminating large groups and adding more partially-overlapping small groups would improve the average efficiency of the scheme. The last academic paper presented on Wednesday was David Goldschlag's "Conditional access concepts and principles", joint work with David Kravitz. He detailed the business case for Divx-style access control on media, the security rationale for closed systems in conditional access control (such as the non-standard storage format of Divx discs), and the risk analysis that is undertaken before deploying such a system. Two kinds of video decryption technology, the external smartcard which returns keys used in satellite systems, and the all-in-one key/decrypt module used in Divx, were presented, and various strengths and weaknesses of each were explained. The main point in this presentation was in some ways parallel to the Mondex fraud-modeling presentation given earlier -- Conditional Access technology (often confusingly called "CA" technology, unrelated to Certificate Authorities) works best when the goal is to prevent economic benefit to the attacker, rather than making all attacks infeasible.
According to Goldschlag, the legitimate content distributor has an advantage over pirates in distribution technology, so as long as the conditional access scheme is sufficient to prevent the pirate from leveraging the legitimate provider's infrastructure, requiring the pirate to get into the business of content distribution himself, it is successful. The point was raised later that compressed audio distribution (i.e. mp3) has already evolved to the point where legitimate providers have little competitive advantage over pirates, and others suggested that even video is not far from this point. In his presentation, Goldschlag said content redistribution is a major problem. Finally, Joan Feigenbaum chaired a panel, "Fair use, intellectual property, and the information economy", composed of: Erin Sawyer (Cooley Godward LLP); Jon Amster (replacing Ed Fish); Dan Boneh (Stanford); Brian LaMacchia (Microsoft); David Goldschlag (DivX); and Jon Callas (Network Associates). The topics of copyright protection and the rights of consumer and producer were the focus of this lively panel discussion. The forthcoming US Digital Millennium Act attracted attention for its attempt to give legal status to content protection mechanisms. Concern was expressed that this would outlaw legitimate research into such things as smartcard security, and that providers may use technical means to enforce restrictions which the law could not. This led on to 'fair use' of copyright material, which is a right under UK law but not under US, and the possibilities that this may be denied in future. It was suggested that, in future, media would be licensed to the user rather than sold - some panel members expressed fears that this may be used to prevent analysis and criticism of the product and that this was a denial of free speech.
It was also suggested that consumers would be resistant to distribution arrangements which were more restrictive than those currently available, and that this would lead to growth in Internet sales outside of conventional channels. Specific presentations went as follows: Callas, who previously testified in Congress about the potentially chilling effect of anti-circumvention legislation on security research, described the compromise reached with the government by which one can safely undertake security research without the consent of the product's manufacturer -- one should ask the manufacturer for permission, but a response is not required (it is unclear how this is different from simple notification), and the results should be made available to the manufacturer. Goldschlag made a case for the "first sale doctrine" not applying to the DivX conditional access DVD system. He also cited the Japanese music market, where first sale does seem to apply, and redistribution is consequently rampant. CDs in the Japanese market cost approximately 80% more than in the US market as a result. Sawyer described the "Uniform Commercial Code 2b", a massive effort by the legal community to take into account current and future changes in the business environment. Sawyer disagrees with the effort's attempt to have the legal community anticipate commercial reality, instead suggesting that business should develop practices which should then be reviewed by the legal community and incorporated into the law after the fact. LaMacchia spoke about the fair use defense, the future potential for machine-interpretable and enforceable contracts (often called "smart contracts" and discussed in the capabilities community), and also emphasized that layering contract law, such as in conditional access systems, on top of copyright protections on the underlying media is a potentially bad idea.
Boneh made the case that it might not be bad for business, just different, if copyright and access control are changed by new technology. Amster asserted that copyright and contract law must coexist, as copyright is required to ascribe value to information and make it property, and contract law can be used to restrict access to property. He also didn't feel fair use should become a codified right, as it is now a defense after the fact, and it might be acceptable now if even that fair use went away. When the question of technological enhancements allowing finer-grained access control came up, Sawyer said contract also provides finer-grained access control than copyright, and Goldschlag said that this control might actually improve things for consumers -- middlemen will now have the ability to individually price things for different kinds of consumers, in the way that videocassettes sold to rental firms sell for more than those sold to private individuals. Callas was afraid of copyright as a potential right to monopoly. LaMacchia was also concerned that the license terms under which users license content may prohibit later commentary by the user on that work, either legally or technically (by preventing cutting and pasting). Finally, the confrontation between technical ability and the legal system was brought up numerous times, from Bob Hettinga's assertion that in a world with strong cryptography and realtime auction markets, copyright is effectively unenforceable, to Paul Kocher's question of how the world can deal with countries with unusually favorable laws, such as Anguilla. Jon Callas described how he "signs" electronic software licenses -- verbally saying "I accept, with my modifications", and Sawyer said those who have technical capabilities to provide or limit access to content "should use it, and force changes in the legal system". 
One thing seems clear: how technology will interact with the legal system's copyright and contract law is still an open question.

After lunch, there were commercial exhibition sessions. First was "Key provisioning, protection and processing -- scalable hardware crypto solutions", given by Alex van Someren of nCipher. nCipher's hardware uses both physical and logical means to protect keys during the distribution process, ensuring that tamper-resistant hardware key control is exercised at all times, while also providing means for backup of keys and replacement of failed hardware. The blue LEDs on the front of nCipher accelerators do not play a major security role, but they are very attractive. Next was "Who the hell is EuroRSCG Interactive", given by Paul Dinnissen of EURO RSCG Interactive. The company, formed by the merger of a technical services firm and a Dutch marketing firm, was introduced.

On Wednesday evening, a party was held by e-gold on Anguilla's "crypto hill", a local concentration of cryptographers. At the event, e-gold promoted their payment system, including offering to redeem on the spot, for e-gold, the 1 oz Silver American Eagle coins it had distributed earlier to every attendee. However, most elected to keep the coins, and those who opened e-gold accounts usually funded them with US dollars: shiny metal triumphed over electrons, even in this crowd. During the party, various electronic cash systems were discussed, including the potential for issuing electronic currencies backed by commoditized services rather than physical assets or government debt. How to add and remove money from an online system was again a popular topic, and the presence of a large number of physical precious metal coins underscored the difficulty of converting such assets into online instruments efficiently.

THURSDAY

Thursday's first session was Anonymity Mechanisms, chaired by Ari Juels.
The first presentation, given by Stuart Schechter, was of research with Todd Parnell and Alex Hartemink, "Anonymous authentication of membership in dynamic groups". This introduced the concept of "verifiably common secret encoding", described how it would be useful to allow users to identify themselves to a publisher as subscribers without revealing additional identity information, and then developed an implementation of the verifiably common secret encoding. The construction uses a vector of separately encoded values, and is thus linear in the number of members in the group. They suggested various means for partitioning large groups, although this does sacrifice some privacy. The main differences between this scheme and others are that it allows addition and deletion of members, unlike group signature schemes, and that it allows removal of users at any time rather than only during a forcible audit of the entire system, as is required by the blinded-token-based schemes. After the presentation, Syverson (the developer of the token-based proposal for dynamic group membership authentication) asserted that the weaknesses cited in this presentation did not necessarily apply to a well-implemented token-based authentication system.

Gene Tsudik next presented a review of the current state of group signatures in "Some open issues and new directions in group signatures", joint work with Giuseppe Ateniese. This paper described the current state of group signatures in the academic literature and also proposed new applications, with the intent of getting group signatures adopted in an actual production system (until now, they have primarily been an academic curiosity). Interesting subtopics such as multi-group signatures and subgroup signatures were discussed in detail, including sample constructions based on the Camenisch and Stadler 97 scheme.

After a brief coffee break, the next session began: Auctions and Markets, chaired by Clifford Neuman.
The first presentation was "Anonymous investing: Hiding the identities of stockholders", by MacKenzie and Sorensen. The system is based on certified anonymous public keys and trustee-revocable anonymity, and uses an object called an "eshare" to allow revocably anonymous transfer as well as voting and dividend collection, unlike simple electronic cash tokens. In order to allow taxation of dividends, they introduce the concept of dividend tax scrip, a kind of "negative currency" which flows in the direction opposite to value to assure tax compliance. They did mention the potential pitfalls of anonymous investing, including rampant insider trading, extortion, and money laundering. Their system provides some protection in the form of tracing certain transactions after the fact, but in the questions after the presentation it became clear that these threats are very hard to defeat completely. Additionally, during the question session a scheme was suggested to allow dividends and voting without any changes to the underlying cash system, simply by reissuing a new token after each vote or dividend, much like a bond minus a coupon.

The next presentation was "Fair on-line auctions without special trusted parties", by Stubblebine and Syverson, presented by Paul Syverson. The presentation began with an interactive auction with the audience as bidders, demonstrating various attacks on an auction by a malicious auctioneer in collusion with a bidder. They described a system structured such that no rational participant, including the auctioneer, has an incentive to cheat, and there is no requirement for special third parties to ensure this, although an external timestamping service/notary and an external certified email delivery service are greatly beneficial.
Their system does not require a distributed threshold computation to play the auctioneer, unlike most fair auction schemes, as they believe such a scheme can only effectively be used by large organizations rather than individual small auctioneers. They focused on the English auction, although they did briefly introduce other kinds of auctions in the introduction. The system uses aggregated notarized bid histories and hash chains to minimize computational complexity in a fast-paced auction. Given recent interest in online auctions (primarily using trusted-auctioneer systems) and investigations into fraud, the concept of cryptographically secure auctions is highly relevant.

The next session was Distributed Crypto, chaired by Joan Feigenbaum. Due to an earlier substitution, Yacov Yacobi's talk, "E-cash systems with randomized audit", occurred at this time. In it, Yacobi developed a quantitative model of risk for both coin-based and balance-based wallets when coins are checked on-line for validity with a probability from 0 to 1. Yacobi described a plane (audit rate vs. breaking cost) on which system designers can explore a soundness curve, defined by where the cost of breaking the wallet exceeds the expected theft. Important results included dramatically higher security risk in balance wallets than in coin wallets, given randomized audit and imperfect tamper-resistance, and that the optimal multi-spending strategy for a fraudulent coin was shown to be double spending it.

The final academic paper of Financial Cryptography 99 was presented by Joy Mueller, "Improved magic-ink signatures using hints", joint research with Markus Jakobsson. Despite two power failures during the talk (the state-owned electric utility on Anguilla went down, blacking out the whole island for over an hour, as is common) and failed attempts to run the overhead projector off a UPS, the presentation continued. In the presentation, two improvements to magic ink DSS signatures were proposed.
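The Stubblebine and Syverson auction talk above mentions hash chains over notarized bid histories. The following Python sketch is an added illustration of that idea, written for this report; it is not code from the paper and does not reproduce their protocol. It shows why the chain alone is only half the story: recomputing the links catches an auctioneer who edits a bid in place, but an auctioneer who simply drops the last (winning) bid leaves a chain that still verifies, which is exactly what the externally timestamped head of the history is for. The bidders, amounts, timestamps and the "notarized" head are constructed assumptions for the demonstration.

```python
import hashlib
import json

# Hash of the empty history; the first entry chains to this constant.
GENESIS = "0" * 64


def entry_hash(prev_hash, seq, bidder, amount, timestamp):
    """Commit to one bid together with the hash of everything before it."""
    payload = json.dumps([prev_hash, seq, bidder, amount, timestamp],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class BidHistory:
    """Append-only bid log kept by the auctioneer; each entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, bidder, amount, timestamp):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        h = entry_hash(prev, seq, bidder, amount, timestamp)
        self.entries.append({"seq": seq, "bidder": bidder, "amount": amount,
                             "ts": timestamp, "prev": prev, "hash": h})
        return h  # the receipt handed back to the bidder

    def head(self):
        """The value an external notary would timestamp at the close of bidding."""
        return chain_head(self.entries)


def chain_head(entries):
    return entries[-1]["hash"] if entries else GENESIS


def verify_chain(entries):
    """Recompute every link; any edited or reordered entry breaks the chain."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False
        if entry_hash(prev, e["seq"], e["bidder"], e["amount"], e["ts"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def receipt_included(entries, receipt):
    """A bidder's own check that the published history still contains their bid."""
    return any(e["hash"] == receipt for e in entries)


def run_scenarios():
    """Build a small auction (constructed data) and try two auctioneer attacks."""
    hist = BidHistory()
    hist.append("alice", 100, 1)
    hist.append("bob", 120, 2)
    winning_receipt = hist.append("alice", 150, 3)   # honest high bid
    notarized_head = hist.head()                     # assumed: notary timestamped this

    # Attack 1: the auctioneer rewrites Bob's bid amount in place.
    edited = [dict(e) for e in hist.entries]
    edited[1]["amount"] = 200

    # Attack 2: the auctioneer drops Alice's winning bid so colluding Bob wins.
    truncated = hist.entries[:-1]

    return {
        "honest_chain_ok": verify_chain(hist.entries),
        "edited_chain_ok": verify_chain(edited),
        "truncated_chain_ok": verify_chain(truncated),
        "truncated_head_matches_notary": chain_head(truncated) == notarized_head,
        "winner_receipt_in_truncated": receipt_included(truncated, winning_receipt),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The two attacks are detected by different parties: the in-place edit is caught by anyone who recomputes the chain, while the truncation is caught only by comparing the published head against the notarized one, or by the losing bidder noticing that her receipt is no longer in the history. That is why the talk treated the timestamping service as beneficial even though no trusted auctioneer is required.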
Magic ink DSS signatures can be used for signing electronic cash, and have several useful properties over regular signatures. The improvements presented in this session were intended to dramatically reduce the cost of tracing, as well as to introduce a method for detecting the presence of forged currency in the system. An interesting technique used to avoid secret sharing and multiparty computation was to perform operations on encrypted data. During the presentation, Mueller presented a chart of various signature schemes used for electronic cash, and it was apparent that only the magic ink signatures using hints provided protection from certain attacks on the mint itself.

Finally, there was another commercial exhibition session. The first presentation was by Sutcliffe Hodge, acting manager of Cable and Wireless Anguilla, on the "Evolution of Internet services in Anguilla". In this presentation, he expressed the willingness of Cable and Wireless to work with businesses that wanted to set up operations on Anguilla. He refused to mention price, which is approximately US$30k/month for a T1 circuit or over US$2/minute for voice calls, but did mention the example of someone who wanted multiple T3 circuits for an Internet business on Anguilla, whom they talked down to T1 service (and who eventually went to Canada instead). This was a particularly interesting presentation, since many had, throughout the conference, expressed a desire to move to Anguilla and set up companies if only the telecommunications situation were improved, and Victor Banks, in his opening remarks, had alluded to dissatisfaction with the telecommunications situation on Anguilla. This presentation was similar to last year's talk by David Chaum (widely considered to have held up progress in electronic cash by refusing to license the core patents on blinding technology, which have only relatively recently been circumvented) in that the audience was rather "vocal" in expressing opinions.
During the presentation, Hodge suggested that Cable and Wireless did not in fact have a monopoly on Anguilla, since instead of making phone calls, one could choose to spend the money on ice cream or other entertainment. He then said "and I eat a lot of ice cream", with a clear implication as to the cost of telecommunications services on Anguilla. When again asked by an audience member why Cable and Wireless has a legal monopoly, Hodge brought up the large sunk cost of the phone switch on Anguilla, with capacity for 20,000 on an island of 10,000, and said that if another company entered the market, both would lose money. He had no answer when someone suggested that such a natural monopoly could then stand on its own without a government-granted monopoly.

The next presentation was about ACORN, Anguilla's Commercial Online Registration Network, presented by John Lawrence of Anguilla's Financial Services Department. It is a system to allow registered corporate agents, of which there are 19 on Anguilla, to enter corporate registrations from anywhere in the world. This would allow US businesses to serve as Anguillan corporate registries, increasing the attractiveness of Anguillan corporations to foreigners. A particularly interesting and tangential point raised during the ACORN presentation was the state of digital signature law on Anguilla. Since digital signatures are accepted in dealings with the corporate registry, it is possible that they would be considered valid signatures on other documents as well, potentially between private parties on Anguilla. This would make Anguilla even more attractive for financial cryptography companies.

The final presentation was of SAXAS, the Secure Account Exchange Arbitration System, developed by Secure Accounts, Ltd. on Anguilla. It was presented by Vince Cate, including a demonstration of working software.
The system consists of a Java application which keeps track of three components of a contract: the holder, the owner, and the backer, which are roughly equivalent to the clearing agent, the end user, and the underwriter in traditional electronic cash protocols. SAXAS is an accounting engine which operates without blinding of any kind (and is thus not covered by the blinding patents) and uses digital signatures to transfer arbitrary instruments among parties located across the network, i.e. peer-to-peer transfers. The system also includes a gateway interface to link to external payment systems, a means to create online markets in various currencies, and non-repudiation of transactions.

Financial Cryptography 99 concluded, leaving Anguilla for at least another year. Several financial cryptography companies have set up operations on Anguilla as a result of things learned during the conferences, including Secure Accounts, c2 networks, InterTrust, and others.

________________________________________________________________________
New Interesting Links on the Web
________________________________________________________________________

o http://www.nsff.org
  The Network Security Framework Forum (NSFF) was created to foster dialog amongst Government agencies and Industry regarding solutions to network security problems. The ultimate objectives are to agree on a framework for network security solutions that meet users' needs and to foster the development and use of solutions that are compatible with the framework.

________________________________________________________________________
Who's Where: recent address changes
________________________________________________________________________

Stuart G. Stubblebine
CertCo, LLC
55 Broad St. - Suite 22
New York, NY 10004, USA.
Email: stubblebine@certco.com, stubblebine@cs.columbia.edu
Web page: www.cs.columbia.edu/~stu

D. Elliott Bell
EDS Information Assurance COE
A2S-C60
13600 EDS Drive
Herndon VA 20171
703-736-4059  FAX: 733-3501
email: dbell01@eds.com

Ted Lee
System Security Engineering Team
Crusader
United Defense, L.P.
4800 East River Rd.
Fridley, MN 55421
612-572-5902
email: Ted_Lee@UDLP.COM or TMP@MR.Net

_______________________________________________________________________
Calls for Papers
________________________________________________________________________

CONFERENCES
Listed earliest deadline first. See also Cipher Calendar.

* 8th USENIX Security Symposium, JW Marriott Hotel, Washington, D.C., USA, August 23-26, 1999. (submissions due: March 16, 1999). The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in security and applications of cryptography. If you are working in any practical aspects of security or applications of cryptography, the program committee would like to urge you to submit a paper by March 9, 1999. This symposium will last for four days. Two days of tutorials will be followed by two days of technical sessions including refereed papers, invited talks, works-in-progress, and panel discussions. More information can be found on the conference web page at www.usenix.org/events/sec99/.

* CMS'99 Communications and Multimedia Security, International Federation for Information Processing, Joint working conference IFIP TC6 and TC11, Katholieke Universiteit Leuven, Belgium, September 20-21, 1999. (submissions due: March 15, 1999). CMS '99 is the fourth in a series of international conferences which aim at reviewing state-of-the-art issues as well as practical experiences and new trends in the areas of communications and multimedia systems security.
Topics of interest include, but are not limited to:
  * communications systems security
  * mobile communications security
  * Internet, intranet and extranet security
  * security of mobile code
  * multimedia systems security
  * applied cryptography
  * electronic commerce and digital signatures
  * security in distributed systems
  * secure teleworking, telecooperation, telemedicine
  * legal, social and ethical aspects of communication systems security
  * standards for communication and multimedia systems security
Authors are strongly encouraged to submit their papers electronically. For detailed instructions on submitting a paper, please see the conference web page at www.esat.kuleuven.ac.be/cosic/cms99/, or contact: Prof. Bart Preneel, Program Committee Chair CMS'99, Katholieke Universiteit Leuven, Dept. Electrical Engineering-ESAT/COSIC, K. Mercierlaan 94, B-3001 Heverlee, BELGIUM. Email: cms99@esat.kuleuven.ac.be, Tel +32 16 32 10 50, Fax: +32 16 32 19 86.

* WET-ICE'99, Fourth International Workshop on Enterprise Security, Stanford University, California, USA, June 16-18, 1999. (Papers and panel proposals due: March 21, 1999). This workshop will focus on the problems and challenges relating to enterprise security in inter-organizational systems. We aim to bring together principal players from both the internetwork and the enterprise security community and will provide plenty of time for discussion. Topics include: INTERNET SECURITY (security protocols for the Internet, the work and efforts of IETF security groups, global key infrastructures), DISTRIBUTION (distributed database security, secure transactions, inter- and intra-organizational security, security of collaborative applications), SECURE INFRASTRUCTURES (secure applications and environments, object-oriented and CORBA security, secure enterprise infrastructures, security algorithms, public key infrastructures), and SECURITY MANAGEMENT (role-based access control, enterprise security policies, security in workflow processes).
Instructions for authors can be found on the conference web page at www.ida.liu.se/conferences/WETICE/SECWK/. * WFMSP'99, 1999 Workshop on Formal Methods and Security Protocols, Trento, Italy, July 5, 1999 (part of FLOC'99). (submissions due: March 26, 1999). Topics of interest include descriptive techniques (specification languages, models, logics) and analysis techniques (model checking, theorem proving, and their combination), as applied to protocols for authentication, fair exchange, electronic commerce, electronic auctions, etc. The program will consist of a keynote lecture by Catherine Meadows (NRL), technical sessions, and a panel discussion. Extended abstracts (about 5-10 pages) explaining recent research results or work in progress should be mailed electronically to both organizers, nch@research.bell-labs.com and Edmund.Clarke@cs.cmu.edu, to be received by March 26, 1999. Submissions should be formatted as a PostScript file in USLetter size. See www.cs.bell-labs.com/who/nch/fmsp99/ for more information. * NSPW'99, New Security Paradigms Workshop 1999, Caledon Hills, Ontario, Canada, September 22-24 1999. (submissions due: hardcopy by March 26, 1999 or electronic copy by April 2, 1999). For seven years, the New Security Paradigms Workshop has provided a productive and highly interactive forum in which innovative new approaches (and some radical older approaches) to computer security have been offered, explored, refined, and published. In order to preserve the small, intimate nature of the workshop, participation is limited to authors of accepted papers and conference organizers. Because these are new paradigms, we cannot predict what subjects will be covered. Any paper that presents a significant shift in thinking about difficult security issues will be welcomed. To participate, please submit (a) a 5-10 page position paper or discussion topic proposal, (b) a justification for including your paper in NSPW'99, and (c) who will attend to present the paper. 
Send information to both Program Chairs -- Steven J. Greenwald (sjg6@gate.net) and Cristina Serban (cserban@att.com) -- by Friday, April 2, 1999 (hardcopy submissions must be received by Friday, March 26, 1999). More information will be available on a workshop web page.

* IICIS99, Third Annual IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal Control in Information Systems: Strategic views on the need for control, Amsterdam, The Netherlands, November 18-19, 1999. (submissions due: April 1, 1999). Confidentiality, integrity and availability are high-level objectives of IT security. IFIP TC-11 Working Group 11.5 has been charged with exploring the area of the integrity objective within IT security and the relationship between integrity in information systems and the overall internal control systems that are established in organizations to support corporate governance codes. The goals for this conference are to find answers to the following questions: what precisely do business managers need in order to have confidence in the integrity of their information systems and their data; what is the status quo of research and development in this area; where are the gaps between business needs on the one hand and research and development on the other, and what needs to be done to bridge these gaps. We solicit papers describing original ideas and research results on foundations and applications related to the subject of integrity and internal control in information systems. Business cases are also explicitly solicited. A complete list of topics of interest along with instructions for authors can be found on the conference web page at www.ifip.tu-graz.ac.at/TC11/CONF/IICIS99 or you may contact Leon Strous, tel.: +31 20 5242748 / +31 492 548636 (also fax), e-mail: strous@iaehv.nl.

* HASE'99, Fourth IEEE Symposium on High Assurance Systems Engineering, Washington, DC Metropolitan Area, USA, November 17-19, 1999. (Papers due: April 7, 1999).
The HASE Symposium is a forum for discussion of systems engineering issues specifically for high-assurance systems. The focus this year is on embedded systems, although submissions will be welcomed in all areas related to high assurance issues. Submissions are due April 7, 1999, to Catherine Meadows, Program Chair, meadows@itd.nrl.navy.mil. More information may be found at www.eng.umd.edu/hase99. * DISC'99, 13th International Symposium on DIStributed Computing, Bratislava, Slovak Republic, September 27-29, 1999. (Papers due: April 9, 1999; "Brief Announcements" due May 10, 1999.). DISC was formerly known as WDAG. The name change, which took effect in 1998, reflects the expansion from a workshop to a symposium and from distributed algorithms to all aspects of distributed computing. Original contributions to theory, design, analysis, implementation, or application of distributed systems and networks are solicited. Topics of interest include, but are not limited to: o distributed algorithms and their complexity o fault-tolerance of distributed systems o consistency conditions, concurrency control, and synchronization o multiprocessor/cluster architectures and algorithms o cryptographic and security protocols for distributed systems o distributed operating systems o distributed computing issues on the internet and the web o distributed systems management o distributed applications, such as databases, mobile agents, and electronic commerce o communication network architectures and protocols o specification, semantics, and verification of distributed systems In addition to regular papers, Brief Announcements are also solicited this year. Ongoing work for which full papers are not ready yet or recent results published elsewhere are suitable for submission as brief announcements. 
It is hoped that researchers will use the brief announcement track to quickly draw the attention of the community to their experiences, insights and results from ongoing distributed computing projects. Detailed submission instructions can be found on the conference web page at www.disc99.sk/. Authors unable to submit via the web should contact the program chair, Prasad Jayanti, by email at prasad@cs.dartmouth.edu to receive instructions. * SAC'99, Sixth Annual Workshop on Selected Areas in Cryptography, Queen's University, Kingston, Ontario, Canada, August 9-10, 1999. (Submissions due: April 30, 1999). Original papers related to the following themes are solicited. o Design and Analysis of Symmetric Key Cryptosystems o Efficient Implementations of Cryptographic Systems o Cryptographic Solutions for Web/Internet Security The Proceedings will be published by Springer-Verlag in the Lecture Notes in Computer Science (LNCS) series. Detailed instructions for submitting papers are available at www.engr.mun.ca/~sac99/cfp. As well, general information on the Workshop will be available on the SAC '99 web page at www.engr.mun.ca/~sac99. Email inquiries may be directed to sac99@engr.mun.ca. * CCS'99 6th ACM Conference on Computer and Communications Security,Kent Ridge Digital Labs, Singapore, November 1-4, 1999. (Submissions due: April 30, 1999). The ACM Conference on Computer and Communications Security (CCS) is a premier forum for the presentation of new research results and the identification of future research directions in the area of computer and communications security. Papers offering research contributions in any aspect of computer security are solicited for submission to CCS'99. Accepted papers will be presented at the conference and published by the ACM in a conference proceedings. Outstanding papers will be invited for submission to ACM Transactions on Information and System Security (TISSEC). 
For more details, please see the conference web page at www.isi.edu/ccs99/.

* CHES'99 Workshop on Cryptographic Hardware and Embedded Systems, Worcester Polytechnic Institute, Worcester, Massachusetts, USA, August 12-13, 1999 (precedes CRYPTO'99). (Papers due: April 30, 1999). The focus of this workshop is on all aspects of cryptographic hardware and embedded system design. We hope that the workshop will help to fill the gap between the cryptography research community and the application areas of cryptography. The topics of interest include but are not limited to:
  * Computer architectures for public-key cryptosystems
  * Computer architectures for secret-key cryptosystems
  * Reconfigurable computing and applications in cryptography
  * Cryptographic processors and co-processors
  * Modular and Galois field arithmetic architectures
  * Special-purpose hardware for cryptanalysis
  * Architectures for smart cards
  * Tamper resistance for smart cards
  * Tamper resistance on the chip and board level
  * Fast network encryption
  * Efficient algorithms for embedded processors
  * True and pseudo random number generators
Please see the conference web site at ece.WPI.EDU/Research/crypt/ches for additional information and submission instructions.

* ICICS'99 The Second International Conference on Information and Communication Security, Sydney, Australia, November 1999. (Papers due: May 1, 1999).
Original papers may present theory, techniques, applications and practical experiences on a variety of topics including: * Access control * Authentication * Electronic commerce * Applied cryptography * Viruses and worms * Distributed system security * Database security * Security policy * Key management * Mobile system security * Auditing and accounting * Network security * Security protocols * Secure operating systems * Security architectures & models * Security management * Secure intelligent agents * Software protection * Security evaluation & certification * Smartcards and PDAs. Detailed submission instructions can be found on the conference web page at icics99.cit.nepean.uws.edu.au/.

* IDA Information Domain Workshop, Alexandria, VA USA, August 5-6, 1999. (submissions due: May 8, 1999). The intent of this workshop is to bring together computer system security architects, researchers, and users interested in exploring the use and implementation of information domains. The goal is to enhance our understanding of the potential for security within a shared-resource environment, as offered by information domains. We seek descriptions of work on the definition, implementation, and real-world application of information domains. We are especially interested in work-in-progress, including prototypes. Case studies and experience papers are also of interest. This will be a two-day workshop consisting of work-in-progress reports and discussion. Electronic proceedings will be published at the conclusion.
Topics of interest include, but are not limited to: o Information Domain architecture descriptions o Expression of enterprise-level policy using information domains o Implementation of information domains o Associations between incarnations of a domain on multiple end systems o Inter-domain interactions o Management of information domains o Granularity of information domains o Separation of security policy definition and enforcement o Multidomain objects Please see the web page at atlas.ida.org:8500/idw/ for detail on submitting a paper, or contact: Ed Schneider (eschneider@ida.org). * CQRE CQRE [Secure] Exhibition & Congress, Duesseldorf, Germany, November 30-December 2, 1999. (submissions due: May 14th 1999.) We are looking for papers and panel discussions covering: o electronic commerce (new business processes, secure business transactions, online merchandising, electronic payment / banking, innovative applications) o network security (virtual private networks, security aspects in internet utilization, security aspects in multimedia-applications, intrusion detection systems) o legal aspects (digital signature acts, privacy and anonymity, crypto regulation, liability) o corporate security o access control o secure teleworking (enterprise key management, IT-audit risk / disaster management, security awareness and training, implementation, accreditation, and operation of secure systems in a government, business, or industry environment) o security technology o cryptography (public key infrastructures, chip card technology, biometrics) o trust management (evaluation of products and systems, international harmonization of security, evaluation criteria) o standardization o future perspectives Authors are invited to submit an extended abstract of their contribution to the program chair (R.Baumgart@secunet.de). Complete instructions are given on the conference web page at www.secunet.de/forum/cqre.html. 
* RBAC'99 Fourth ACM Workshop on Role-based Access Control, George Mason University, Fairfax, Virginia, USA, October 28-29, 1999. (Submissions due: May 15, 1999) The ACM workshop on RBAC brings together researchers, developers, and practitioners to discuss the development of new access control paradigms and their application. Topics of interest include, but are not limited to, new access control modeling concepts, verification of access control model properties, and case studies in a variety of areas, such as operating systems, language systems, groupware, databases, and enterprise systems. Please see the workshop web page at www.list.gmu.edu/rbac/ for complete submission instructions or contact Sylvia Osborn at sylvia@csd.uwo.ca.

* ACSAC'99 15th Annual Computer Security Applications Conference, PRACTICAL SOLUTIONS TO REAL WORLD SECURITY PROBLEMS, December 6-10, 1999, Phoenix, Arizona, USA. (submissions due: May 28, 1999) Sponsored by the Applied Computer Security Associates (ACSA) in cooperation with the ACM Special Interest Group on Security, Audit and Control. Nearly everyone today is dependent upon computers for everything from electronic commerce to military command and control. The very technology that created this dependence is its greatest weakness: the infrastructure is fundamentally insecure against attacks from individuals, organizations, or nation-states that can easily deny service or compromise the integrity of information. This has left us extremely vulnerable to fraud, crime, and espionage. If you are developing practical solutions to problems relating to protecting your country's information infrastructure or a commercial enterprise, consider submitting a paper to the Annual Computer Security Applications Conference.
We are looking for papers, panels and tutorials that address: o Internet technologies o Electronic commerce o Crypto, key management, and digital signature applications o Network management and smart card applications o Mobile computing o Legal and ethical concerns over protecting intellectual property o Incident response planning - governmental and other perspectives o Audit and audit reduction/Intrusion detection o New paradigms for protecting electronic intellectual capital o Securing very high-speed telecommunications (e.g., ATM) o Defensive information warfare o Software safety and program correctness The complete Call for Papers is available at www.acsac.org/, or you may contact the publicity chair, Vince Reed, at Phone: +1.256.890.3323, FAX: +1.256.830.2608, publicity@acsac.org. * WIH'99 Third International Workshop on Information Hiding, Dresden, Germany, Sept. 29 - Oct. 1, 1999. (submissions due: June 1, 1999) Many researchers are interested in hiding information or in stopping other people doing this. Current research themes include copyright marking of digital objects, covert channels in computer systems, detection of hidden information, subliminal channels in cryptographic protocols, low-probability-of-intercept communications, and various kinds of anonymity services ranging from steganography through location security to digital elections. Interested parties are invited to submit papers on research and practice which are related to these areas of interest. Submissions can be made electronically (pdf or postscript) or in paper form; in the latter case, send eight copies. Papers should not exceed fifteen pages in length and adhere to the guidelines of the LNCS series www.springer.de/comp/lncs/instruct/typeinst.pdf. 
Addresses for submission: pfitza@inf.tu-dresden.de, Andreas Pfitzmann, Dresden University of Technology, Computer Science Department, D 01062 Dresden, Germany

* ISW'99 1999 Information Security Workshop, Kuala Lumpur, Malaysia, November 6-7, 1999. (submissions due: June 4, 1999)
ISW'99, the second workshop in the international workshop series on information security, will be held at Monash University's Sunway Campus, which is about 20km to the south west of downtown Kuala Lumpur. ISW'99 will seek a different goal from its predecessor ISW'97 held in Ishikawa, Japan. More specifically, the focus of ISW'99 will be on the following emerging areas of importance in information security:
  o multimedia watermarking
  o electronic cash
  o secure software components and mobile agents
  o protection of software
ISW'99 will be co-located with the 6th ACM Conference on Computer and Communications Security, November 1-4, 1999, and Asiacrypt'99, November 15-18, 1999. Both the ACM conference and Asiacrypt will be held in Singapore, which is only a short distance from the venue of ISW'99. Complete instructions for authors can be found on the conference web page at www.musm.edu.my/BusIT/isw99. You may also send general inquiries to isw99-gen@musm.edu.my.

* NDSS'2000 Network and Distributed System Security Symposium, San Diego, California, USA, February 2-4, 2000. (submissions due: June 16, 1999)
Technical papers and panel proposals are invited for the Internet Society's Year 2000 Network and Distributed System Security Symposium (NDSS 2000), tentatively scheduled for 2-4 February 2000 in San Diego, California. The symposium will foster information exchange among researchers and practitioners of network and distributed system security services. The audience includes those who are interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation rather than theory.
A major goal of the symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Proceedings will be published by the Internet Society. A best paper award will be presented at the symposium to the authors of the best paper, to be selected by the program committee. The deadline for electronic submission is 16 JUNE 1999. The complete call is available at www.isoc.org/ndss00/.

JOURNALS
Special Issues of Journals and Handbooks: listed earliest deadline first.

* ACM Transactions on Software Engineering and Methodology, Special issue on Software Engineering and Security. Guest Editors: Premkumar Devanbu (devanbu@cs.ucdavis.edu, UC Davis) and Stuart Stubblebine (stubblebine@cs.columbia.edu). (submissions due: April 1, 1999).
Software system security issues are no longer only of primary concern to military, government or infrastructure systems. Every palmtop, desktop and TV set-top box contains or will soon contain networked software. This software must preserve desired security properties (authenticity, privacy, integrity) of activities ranging from electronic commerce to electronic messaging and browsing. From being a peripheral concern of a limited and specialized group of engineers, security has become a central concern for a wide range of software professionals. In addition, software is no longer a monolithic shrink-wrapped product created by a single development organization with a well-defined software process. Instead, it is composed of components constructed by many different vendors following different practices. Indeed, software may even contain elements that arrive and are linked in just prior to execution. Customers need assurance that constituent components and mobile code have certain desirable properties; this need conflicts with the need for vendors to protect their proprietary information.
The issue of providing assurance without full disclosure has been studied in security research, and needs to be applied to this problem. To provide a focus for these and other interactions between security and software engineering, ACM TOSEM will bring out a special issue dedicated to the intersection of concerns between the two fields. We solicit submissions that address the following issues and sub-areas:
  o How can security be used to address problems in distributed software development? How does one build trust and control in the distributed enactment of software processes while protecting intellectual property?
    + Trust in software process; Trust in software tools; Trusted (distributed) configuration management.
  o Can conventional, standard software engineering techniques be used to achieve verifiably higher levels of security in heterogeneous, distributed systems? What new software engineering techniques are needed?
    + Formally verified implementations of security protocols; Traceability of correctness into implementation; Testing of security protocols; Specification of Secure Systems; Domain specific languages for Secure systems; Static/Dynamic Analysis for System Security; Security Testing (property-based, coverage-based, etc.); Configuring trusted systems; Evolving Legacy Systems for greater security.
  o Intellectual Property Protection: can security techniques be used to protect the valuable investments in software?
    + Reverse engineering countermeasures; Software watermarking and copy protection; Combined Software and Hardware-based techniques.
Additional information about submitting papers can be found at www.cs.columbia.edu/~stu/tosem.html.

* IEEE Internet Computing, Special Issue on Survivable, High-Confidence Distributed Systems (November/December 1999). Guest Editor: Mike Reiter, Bell Labs (reiter@research.bell-labs.com). (Submission deadline: 12 May 1999).
As the world moves toward increasing reliance on computing networks, it is essential to find ways of building distributed systems that perform reliably under a wide range of circumstances that may include both accidents and malicious attacks. A "survivable" system is one that can make meaningful progress even when some (human or computer) components fail to behave as expected, and particularly when they behave in such a way as to undermine the correct operation of the system as a whole. Survivable systems may combine techniques for detecting, masking, and adapting to such failures and attacks, at the network level, in a middleware layer, or in the higher-level distributed application of interest. This issue examines the state of the art in the design, implementation, and analysis of survivable distributed systems and networks. Topics of interest include, but are not limited to:
  o Survivable networking infrastructures and routing protocols
  o Distributed algorithms for surviving attacks on system components
  o Tools and middleware for simplifying the development of survivable distributed systems
  o Survivable data storage and dissemination
  o Application-specific survivability techniques, e.g., in the arenas of electronic commerce or electronic voting
  o Case studies demonstrating survivability characteristics (or the lack thereof) of critical systems
  o Enhancing the survivability of legacy systems
  o Techniques for evaluating the survivability of a system
  o Achieving failure diversity in a monocultural system, i.e., one with a common computing platform/OS throughout
  o Survivable applications built on untrustworthy platforms
Acceptable papers can describe novel scientific advances in survivability, document experiences in developing or deploying survivable systems, or provide a survey of the state of the art in this area. The call-for-papers is located at www.computer.org/internet/call4ppr.htm.
* International Journal of Computer Systems: Science & Engineering, Special Issue on Developing Fault-Tolerant Systems with Ada. (Abstracts due June 1, 1999; full papers due: June 15, 1999).
An electronic version of the abstract is to be sent to A. Romanovsky at: alexander.romanovsky@ncl.ac.uk (phone: +44 191 222 8135; fax: +44 191 222 8232) by June 1, 1999. Full submissions are to be forwarded by June 15, 1999 to one of the guest editors (electronic submissions are encouraged): A. Romanovsky or A.J. Wellings at andy@minster.cs.york.ac.uk. More information: www.cs.ncl.ac.uk/people/alexander.romanovsky/home.formal/ftada.html.

________________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 1: Conference Papers
by Anish Mathuria
________________________________________________________________________

* ICPADS '98 - 1998 International Conference on Parallel and Distributed Systems, December 14-16, Tainan, Taiwan: [Security-related papers only]
  o A Model of Mobile Agent Services Enhanced for Resource Restrictions and Security. T. Taka, T. Mizuno and T. Watanabe
  o Electronic Exchange Check System on the Internet. S. Hwang
  o Design of a System to Support Security Communication between a Web Proxy and a CGI Program Based on PKI. J. Lee and K. Yoon
  o A Share Assignment Method to Maximize the Probability of Secret Sharing Reconstruction under the Internet. C.-Y. Lee, Y.-S. Yeh, D.-J. Chen and K.-L. Ku
  o Secure and Scalable Inter-Domain Group Key Management for N-to-N Multicast. T. Hardjono and B. Cain

* POPL'99 - 26th ACM Symposium on Principles of Programming Languages, January 20-22, 1999, San Antonio, Texas, USA: [Security-related papers only]
  o Trust and Partial Typing in Open Systems of Mobile Agents. J. Riely and M. Hennessy
  o Practical Mostly-Static Information Flow Control. A. Myers
  o Type-Safe Linking and Modular Assembly Language. N. Glew and G. Morrisett
  o Typed Memory Management in a Calculus of Capabilities. K. Crary, D. Walker and G. Morrisett
  o Software Watermarking: Models and Dynamic Embeddings. C. Collberg and C. Thomborson

* NDSS'99 - 1999 Network and Distributed Security Symposium (See conference writeup above), February 3-5, 1999, San Diego, California, USA:
  o Secure Password-Based Protocol for Downloading a Private Key. R. Perlman and C. Kaufman
  o A Real-World Analysis of Kerberos Password Security. T. Wu
  o Secure Remote Access to an Internal Web Server. C. Gilmore, D. Kormann and A. Rubin
  o Experimenting with Shared Generation of RSA Keys. M. Malkin, T. Wu and D. Boneh
  o Addressing the Problem of Undetected Signature Key Compromise. P. van Oorschot and M. Just
  o Practical Approach to Anonymity in Large Scale Electronic Voting Schemes. A. Riera and J. Borrell
  o Distributed Policy Management for Java 1.2. P. Nikander and J. Partanen
  o Distributed Execution with Remote Audit. F. Monrose, P. Wyckoff and A. Rubin
  o An Algebra for Assessing Trust in Certification Chains. A. Josang
  o PGRIP: PNNI Global Routing Infrastructure Protection. S. Vimercati, P. Lincoln, L. Ricciulli and P. Samarati
  o Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks. A. Juels and J. Brainard

* IWS99 - Internet Workshop'99, February 18-20, 1999, Osaka, Japan: [Security-related papers only]
  o Resolution of ISAKMP/Oakley Key-Agreement Protocol Resistant against Denial-of-Service Attack. K. Matsuura and H. Imai
  o A Block Cipher Technique for Security of Data and Computer Networks. K. Rahouma
  o A Shared Secure Server for Multiple Closed Networks. K. Terao and S. Ono
  o Half-Automated Generation of Secure, High-Performance Web/DB Software. Y. Kadobayashi and S. Yamaguchi
  o An Architecture for User Authentication of IP Multicast and Its Implementation. N. Ishikawa, N. Yamanouchi and O. Takahashi
  o A Secure and Trusted Time Stamping Authority. A. Takura, S. Ono and S. Naito
  o Packet Filtering in Bridge. J. Liu and Y. Ma
  o Network Surveillance for Detecting Intrusions. M. Iguchi and S. Goto

* Financial Cryptography '99 (See conference writeup above), February 22-25, 1999, Anguilla, BWI:
  o Experimenting with electronic commerce on the PalmPilot. N. Daswani and D. Boneh
  o Blinding of credit card numbers in the SET protocol. H. Krawczyk
  o Trustee tokens: Simple and practical anonymous digital coin tracing. A. Juels
  o A new approach for anonymity control in electronic cash systems. T. Sander and A. Ta-Shma
  o E-cash systems with randomized audit. Y. Yacobi
  o Assessment of counterfeit transaction detection systems for smart card based ecash. K. Ezawa, G. Napiorkowski and M. Kossarski
  o Reasoning about public-key certification: On bindings between entities and public keys. R. Kohlas and U. Maurer
  o Online certificate status checking in financial transactions: The case for re-issuance. B. Fox and B. LaMacchia
  o Playing `hide and seek' with stored keys. A. Shamir and N. van Someren
  o On channel capacity and modulation in watermarking of digital still images. M. Breitbach and H. Imai
  o Towards making broadcast encryption practical. M. Abdalla, Y. Shavitt and A. Wool
  o Conditional access concepts and principles. D. Kravitz and D. Goldschlag
  o Anonymous authentication of membership in dynamic groups. S. Schecter, T. Parnell and A. Hartemink
  o Some open issues and new directions in group signatures. G. Ateniese and G. Tsudik
  o Anonymous investing: Hiding the identities of stockholders. P. MacKenzie and J. Sorensen
  o Fair on-line auctions without special trusted parties. S. Stubblebine and P. Syverson
  o "Dynamic Fault"-robust cryptosystems meet organizational needs for dynamic control. Y. Frankel and M. Yung
  o Improved magic ink signatures using hints. M. Jakobsson and J.
Muller

* OSDI '99 - 3rd Symposium on Operating Systems Design and Implementation, February 22-25, 1999, New Orleans, LA, USA: [Security-related paper only]
  o Defending Against Denial of Service Attacks in Scout. O. Spatscheck and L. Peterson

* SAC '99 - 1999 ACM Symposium on Applied Computing, February 28-March 2, 1999, San Antonio, Texas, U.S.A: [Security-related papers only]
  o C2 Secure Database Management Systems: A Comparative Study. R. Haraty
  o Security Issues in Small Linux Networks. W. Row, B. Adams, D. Morton and A. Wright
  o Emperor: Cheap Legal Secure Cryptography for the Web. C. Davis and C. Eick

_______________________________________________________________________
Reader's Guide to Current Technical Literature in Security and Privacy
Part 2: Journal and Newsletter Articles, Book Chapters
by Anish Mathuria
_______________________________________________________________________

* ACM SIGACT News, Vol. 29, No. 3 (September 1998):
  o D. Volpano and G. Smith. Confinement Properties for Programming Languages. pp. 33-42.
* ACM Computer Communication Review, Vol. 28, No. 4 (October 1998):
  o C. Wong, M. Gouda and S. Lam. Secure Group Communication Using Key Graphs. pp. 68-79.
* ACM Computer Communication Review, Vol. 28, No. 5 (October 1998):
  o C.-H. You, J. Zhou and K.-Y. Lam. On the Efficient Implementation of Fair Non-Repudiation. pp. 50-60.
  o A. Mathuria. Comparing Lower Bounds on Messages and Rounds for Two Classes of Key Establishment Protocols. pp. 91-98.
* IEEE Internet Computing, Vol. 2, No. 6 (November/December 1998):
  o G. McGraw and E. Felten. Guest Editors' Introduction: Mobile Code and Security.
  o A. Rubin and D. Geer. Mobile Code Security.
  o B. Hashii, M. Lal, R. Pandey and S. Samorodin. Securing Systems Against External Programs.
  o V. Anupam and A. Mayer. Secure Web Scripting.
  o L. Gong. Secure Java Class Loading.
* Information Processing Letters, Vol. 68, No. 4 (November 1998):
  o H. Gilbert, D. Gupta, A. Odlyzko and J.-J. Quisquater. Attacks on Shamir's 'RSA for paranoids'. pp. 197-199.
* Journal of Systems and Software, Vol. 43, No. 3 (November 1998):
  o Q. Shi and N. Zhang. An effective model for composition of secure systems. pp. 233-244.
* The Computer Journal, Vol. 41, No. 7 (1998):
  o R. Benjamin, B. Gladman and B. Randell. Protecting IT systems from cyber crime. pp. 429-443.
  o H. Thimbleby, S. Anderson and P. Cairns. A framework for modelling Trojans and computer virus infection. pp. 444-458.
[Thanks to Carl Landwehr for the next two entries -A.M.]
* Information Processing Letters, Vol. 68, No. 5 (December 1998):
  o Y. Zheng and H. Imai. How to construct efficient signcryption schemes on elliptic curves. pp. 227-233.
* IEEE Transactions on Computers, Vol. 47, No. 12 (December 1998):
  o M. Reiter and S. Stubblebine. Resilient Authentication Using Path Independence. pp. 1531-1362.
* SIGMOD Record, Vol. 27, No. 4 (December 1998):
  o J. Domingo-Ferrer and J. Herrera-Joancomarti. An Anonymous Electronic Commerce Scheme with an Off-Line Authority and Untrusted Agents. pp. 62-67.
* Mobile Networks and Applications, Vol. 3, No. 4 (1998):
  o V. Gupta and G. Montenegro. Secure and mobile networking. pp. 381-390.
* Information Processing Letters, Vol. 69, No. 2 (January 1999):
  o C.-H. Wang, T. Hwang and N.-Y. Lee. Comments on two group signatures. pp. 95-97.
* ACM Operating Systems Review, Vol. 33, No. 1 (January 1999):
  o T. Kwon and J. Song. Clarifying Straight Replays and Forced Delays. pp. 47-52.
* Information and Computation, Vol. 148, No. 1 (January 1999):
  o M. Abadi and A. Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus. pp. 1-70.
* Notices of the American Mathematical Society, Vol. 46, No. 2 (February 1999):
  o D. Boneh. Twenty years of attacks on the RSA cryptosystem. pp. 203-213.
* Communications of the ACM, Vol. 42, No. 2 (February 1999): [Special section on Internet Privacy]
  o L. Cranor. Introduction. pp. 29-31.
  o M. Reiter and A. Rubin. Anonymous Web Transactions with Crowds. pp. 32-38.
  o D. Goldschlag, M. Reed and P. Syverson. Onion Routing for Anonymous and Private Internet Connections. pp. 39-41.
  o E. Gabber, P. Gibbons, D. Kristol, Y. Matias and A. Mayer. Consistent, Yet Anonymous, Web Access with LPWA. pp. 42-47.
  o J. Reagle and L. Cranor. The Platform for Privacy Preferences. pp. 48-55.
  o P. Benassi. TRUSTe: An Online Privacy Seal Program. pp. 56-59.
  o R. Clarke. Internet Privacy Concerns Confirm the Case for Intervention. pp. 60-67.

________________________________________________________________________
Calendar
________________________________________________________________________
====================================================================
See Calls for Papers section for details on many of these listings.
====================================================================
"Conf Web page" indicates there is a hyperlink to a conference web page on the Cipher Web pages. (In many cases there is such a link even though mention is not made of it here, to save space.)

Dates                Event, Location                    Point of Contact/ more information
-----                ---------------                    ----------------------------------
* 3/15/99- 3/19/99: IETF, Minneapolis, MN
* 3/15/99: CMS '99. Katholieke Universiteit Leuven, Belgium; Conf Web page; Submissions to cms99@esat.kuleuven.ac.be;
* 3/22/99- 3/23/99: Second AES, Rome, Italy; Conf Web page
* 3/23/99- 3/24/99: AIPA99. Ronald Reagan International Trade Center, Washington; Conf Web page
* 3/24/99- 3/26/99: FSE 6, Rome, Italy; Conf Web page
* 3/26/99: WFMSP '99; Trento, Italy; Conf Web page; Submissions to nch@research.bell;
* 3/27/99- 3/30/99: ICEIS '99, Setubal, Portugal; Conf Web page
* 4/ 1/99: IICIS99. Amsterdam, The Netherlands; Conf Web page; Information re submissions strous@iaehv.nl;
* 4/ 1/99: ACM-TSEM-SEC, Special Issue, Web page
* 4/ 1/99: DSOM '99.
Zurich, Switzerland; Conf Web page; Submissions to stiller@tik.ee.ethz.ch;
* 4/ 2/99: NSPW '99; Caledon Hills, Ontario, Canada; Conf Web page; Electronic submissions due;
* 4/ 7/99: HASE '99. Washington, DC; Conf Web page; Submissions due meadows@itd.nrl.navy.mil
* 4/ 8/99- 4/ 9/99: WECWIS '99. Santa Clara, California; Conf Web page
* 4/ 9/99: DISC '99, Bratislava, Slovak Republic; Conf Web page; Submissions to prasad@cs.dartmouth.edu;
* 4/11/99- 4/12/99: USENIX IDS; Santa Clara, California; Conf Web page
* 4/23/99: ADAlgs, Siena, Italy; applications due; info lodi@miele.mat.unisi.it;
* 4/30/99: HUC '99; Karlsruhe, Germany; Conf Web page; Submissions to huc@teco.edu;
* 4/30/99: CCS6. Singapore; Submissions due; Conf Web page;
* 4/30/99: SAC '99, Ontario, Canada; Submissions to sac99@engr.mun.ca;
* 5/ 1/99: ICICS '99, submissions due
* 5/ 2/99- 5/ 6/99: Eurocrypt '99, Prague, Czech Republic; Conf web page
* 5/ 8/99: IDW '99, Alexandria, VA; Conf Web page; Submissions due; info via eschneider@ida.org;
* 5/ 9/99- 5/12/99: IEEE S&P 99; Oakland, CA; conf web page
* 5/11/99- 5/14/99: 11th CITSS, Ottawa; no e-mail address available
* 5/12/99: IEEE-Special-HCDS; Submissions due; guest editor reiter@research.bell;
* 5/14/99: CQRE. Duesseldorf, Germany; Conf Web page; Submissions to cqre@secunet.de;
* 5/14/99: CQRE '99. Duesseldorf, Germany; Conf Web page; Submissions due.
* 5/28/99: ACSAC99. Phoenix, Arizona; Conf Web page; Submissions to Program_chair@acsac.org;
* 6/ 1/99: WIH '99, Dresden, Germany; Submissions to pfitza@inf.tu;
* 6/ 1/99: Special Issue IJCSSE; Journal Web page; Submissions due
* 6/ 1/99: IEEE-NetMag-NetSec, submissions due; magazine web page
* 6/ 5/99: WSS '99, Austin, Texas; Conf Web page
* 6/16/99: NDSS '00. San Diego, California; Conf Web page;
* 6/21/99- 6/23/99: ICATM '99. Colmar, France; Conf Web page
* 6/21/99- 6/27/99: ADAlgs; Siena, Italy
* 7/ 4/99- 7/ 8/99: IMACS-IEEE99. Athens, Greece; Conf Web page
* 7/ 5/99: WFMSP '99; Trento, Italy; Conf Web page
* 7/ 6/99- 7/ 8/99: ISCC '99. Sharm El Sheikh, Red Sea, Egypt; Conf Web page
* 7/12/99- 7/16/99: IETF, Oslo, Norway
* 7/26/99- 7/28/99: IFIP WG11.3, Newark, NJ; Conf Web page
* 7/26/99- 7/27/99: WIAPP '99. San Jose, California; Conf Web page
* 8/ 5/99- 8/ 6/99: IDW '99. Alexandria, VA; Conf Web page
* 8/ 9/99- 8/10/99: SAC '99, Ontario, Canada
* 8/15/99- 8/19/99: MobiCom 99. Seattle, Washington; Conf Web page
* 8/15/99- 8/19/99: Crypto '99, Santa Barbara, California; Conf web page
* 8/23/99- 8/26/99: 8th USENIX Security Symposium, Washington D.C.; conf web page; info at: conference@usenix.org
* 9/20/99- 9/24/99: FM '99, Toulouse, France; Conf Web page
* 9/20/99- 9/21/99: CMS '99. Katholieke Universiteit Leuven, Belgium; Conf Web page
* 9/22/99- 9/24/99: NSPW '99. Caledon Hills, Ontario, Canada; Conf Web page
* 9/27/99- 9/29/99: HUC '99; Karlsruhe, Germany; Conf Web page
* 9/27/99- 9/29/99: DISC99. Bratislava, Slovak Republic; Conf Web page
* 9/29/99-10/ 1/99: WIH '99, Dresden, Germany
* 10/11/99-10/13/99: DSOM '99. Zurich, Switzerland; Conf Web page
* 10/18/99-10/22/99: NISSC '99, Crystal City VA
* 11/ 1/99-11/ 4/99: CCS6, Singapore; Conf Web page
* 11/ 9/99-11/12/99: IETF, Washington DC
* 11/17/99-11/19/99: HASE '99. Washington, DC; Conf Web page
* 11/18/99-11/19/99: IICIS '99. Amsterdam, The Netherlands; Conf Web page
* 11/30/99-12/ 2/99: CQRE. Duesseldorf, Germany; Conf Web page
* 11/30/99-12/ 2/99: CQRE '99, Duesseldorf, Germany; Conf Web page
* 12/ 6/99-12/10/99: 15th ACSAC; Phoenix, Arizona; Conf Web page
* 2/ 2/00- 2/ 4/00: NDSS '00. San Diego, California; Conf Web page
* 3/27/00- 3/31/00: IETF, Adelaide, Australia
* 4/30/00- 5/ 3/00: IEEE S&P 00; Oakland; no e-mail address available
* 5/16/00- 5/19/00: 12th CITSS, Ottawa; no e-mail address available

Key:
* ACISP = Australasian Conference on Information Security and Privacy
* ACM-MOBILE = ACM Mobile Computing and Communications Review ACM-MOBILE
* ACM-MONET = Special Issue of the Journal on Special Topics in Mobile Networking and Applications ACM-MONET
* ACM-TSEM-SEC = ACM Transactions on Software Engineering and Methodology, Special issue on Software Engineering and Security ACM-TSEM-SEC
* ACSAC = Annual Computer Security Applications Conference 15th ACSAC
* ADAlgs = Summer Course in Advanced Distributed Algorithms ADAlgs
* AES = Advanced Encryption Standard Candidate Conference Second AES
* AGENTS-EMCSR = From Agent Theory to Agent Implementation
* AIPA = Advanced Information Processing and Analysis AIPA99
* ASIACRYPT = ASIACRYPT
* ASIAN = Asian Computing Science Conference
* AT = Workshop on Agent Technologies
* ATMA = Advanced Transaction Models and Architectures ATMA
* BDBIS = Baltic Workshop on DB and IS, BDBIS
* CAiSE*98 = Conference on Advanced Information Systems Engineering
* CCS = ACM Conference on Computer and Communications Security CCS-6
* CCSS = Annual Canadian Computer Security Symposium (see CITSS)
* CFP = Conference on Computers, Freedom, and Privacy
* CIKM = Int. Conf. on Information and Knowledge Management
* CISMOD = International Conf. on Information Systems and Management of Data
* CITSS = Canadian Information Technology Security Symposium
* CMS = Communications and Multimedia Security CMS '99
* COMAD = Seventh Int'l Conference on Management of Data (India)
* COMPASS = Conference on Computer Assurance
* COMPSAC = Int'l.
Computer Software and Applications Conference
* CoopIS = First IFCIS International Conference on Cooperative Information Systems
* CORBA SW = Workshop on Building and Using CORBASEC ORBS CORBA SW
* CPAC = Cryptography - Policy and Algorithms Conference
* CQRE = [Secure] Exhibition and Congress CQRE
* CRYPTO = IACR Annual CRYPTO Conference
* CSFW = Computer Security Foundations Workshop
* CSI = Computer Security Institute Conference
* CVDSWS = Invitational Workshop on Computer Vulnerability Data Sharing CVDSWS
* CWCP = Cambridge Workshop on Cryptographic Protocols
* DAPD-SEC = Distributed and Parallel Databases: Special Journal Issue on Security DPD-SEC
* DART = Databases: Active & Real-Time
* DASFAA = Database Systems For Advanced Applications
* DATANET = Datanet Security, Annual International Conference and Exhibition on Wide Area Network Security
* DCCA = Dependable Computing for Critical Applications DCCA-7
* DEXA = International Conference and Workshop on Database and Expert Systems Applications
* DEXA-SIDIA = DEXA Workshop on Security and Integrity of Data Intensive Applications
* DIMACS Security Ver = DIMACS Workshop on Formal Verification of Security Protocols
* DISC = International Symposium on DIStributed Computing DISC '99
* DMKD = Workshop on Research Issues on Data Mining and Knowledge Discovery
* DOCSec = Second Workshop on Distributed Object Computing Security
* DOOD = Conference on Deductive and Object-Oriented Databases
* DSOM = Distributed Systems: Operations & Management DSOM '99
* ECC = Workshop on Elliptic Curve Cryptography
* ECDLP = Workshop on the Elliptic Curve Discrete Logarithm Problem ECDLP
* ECOMM = Business Process Reengineering and Supporting Technologies for Electronic Commerce ECOMM
* EDOC = Enterprise Distributed Object Computing
* Electronic Commerce for Content II = Forum on Technology-Based Intellectual Property Management URL
* ENCXCS = Engineering Complex Computer Systems Minitrack of HICSS ENCXCS
* ENM = Enterprise Networking
* ENTRSEC = International Workshop on Enterprise Security
* ESORICS = European Symposium on Research in Computer Security
* ETAPS = European Joint Conferences on Theory and Practice of Software
* Euro-PDS = European Conference on Parallel and Distributed Systems
* EUROCRYPT = EUROCRYPT
* EUROMED-NET = The Role of Internet and the World Wide Web in Developing the Euro-Mediterranean Information Society
* FC = IFCA Annual Financial Cryptography Conference 3rd Annual FC
* FIRST = Computer Security Incident Handling and Response
* FISP = Federal Internet Security Plan Workshop
* FISSEA = Federal Information Systems Security Educators' Association
* FME = Formal Methods Europe
* FMLDO = Foundations of Models and Languages for Data and Objects FMLDO7
* FMP = Formal Methods Pacific
* FMSP = Formal Methods in Software Practice
* FSE = Fast Software Encryption Workshop FSE 6
* GBN = Gigabit Networking Workshop
* HASE = IEEE Symposium on High Assurance Systems Engineering HASE '99
* HICSS = Hawaii International Conference on Systems Sciences; Electronic Commerce Technologies Minitrack HICSS-32
* HPTS = Workshop on High Performance Transaction Systems
* HUC = International Symposium on Handheld and Ubiquitous Computing HUC '99
* IC3N = International Conference on Computer Communications and Networks
* ICAST = Conference on Advanced Science and Technology
* ICATM = International IEEE Conference on ATM ICATM99
* ICCC = International Conference for Computer Communications
* ICDCS = International Conference on Distributed Computing Systems
* ICDE = Int. Conf. on Data Engineering
* ICDT = International Conference on Database Theory
* ICECCS = International Conference on Engineering of Complex Computer Systems
* ICEIS = International Conference on Enterprise Information Systems ICEIS '99
* ICI = International Cryptography Institute
* ICICS = International Conference on Information and Communications Security ICICS '99
* ICNP = International Conference on Network Protocols
* ICOIN = International Conference on Information Networking ICOIN--12
* ICSSDBM = Int. Conf. on Scientific and Statistical Database Management
* IDEAS = International Database Engineering and Applications Symposium
* IDW = Information Domain Workshop IDW '99
* IEEE NM = IEEE Network Magazine Special Issue on PCS Network Management IEEE NM 1998
* IEEE-NetMag-NetSec = IEEE Network Magazine Special Issue on Network Security IEEE-NetMag-NetSec
* IEEE S&P = IEEE Symposium on Security and Privacy S&P '99
* IEEE-ANETS = IEEE Network Magazine Special Issue on Active and Programmable Networks IEEE-ANETS
* IEEE-COMP-NETSEC = IEEE Computer - Special Issue on Networking Security IEEE-COMP-NETSEC '98
* IEEE-INETCOMP = Special Issue IEEE: Internet Security in the Age of Mobile Code IEEE-INETCOMP
* IEEECOMHYB = IEEE Communications Magazine Special Issue on Hybrid Networks IEEECOMHYB
* IESS = International Symposium on Software Engineering Standards
* IETF = Internet Engineering Task Force IETF
* IFIP Mobile Commns = IFIP 1996 World Conference, Mobile Communications
* IFIP WG11.3 = 13th IFIP WG11.3 Working Conference on Database Security IFIP WG11.3
* IFIP/SEC = International Conference on Information Security (IFIP TC11)
* IH Workshop = Workshop on Information Hiding WOIH
* IICIS = IFIP WG 11.5 working conference on Integrity and Internal Control in Information Systems IICIS99
* IIIS = Integrity and Internal Control in Information Systems: Bridging Business Requirements and Research Results IIIS
* IJCSSE = Journal of Computer Systems: Science & Engineering.
Special Issue on Developing Fault-Tolerant Systems with Ada IJCSSE
* IMACCC = IMA Conference on Cryptography and Coding, 5th IMACC
* IMACS-IEEE99 = Special Session on Applied Coding, Cryptology and Security IMACS-IEEE99
* IMC = IMC Information Visualization and Mobile Computing
* INET = Internet Society Annual Conference
* INTRA-FORA = International Conference on INTRANET: Foundation, Research, and Applications INTRA-FORA
* IPIC = Integration of Enterprise Information and Processes
* IPSWG = Internet Privacy and Security Workshop
* IRISH = Irish Workshop on Formal Methods
* IRW-FMP = International Refinement Workshop and Formal Methods Pacific
* IS = Information Systems (journal)
* ISADS = Symposium on Autonomous Decentralized Systems
* ISCC = IEEE Symposium on Computers and Communications ISCC '99
* ISCOM = International Symposium on Communications
* ISTCS = Fourth Israeli Symposium on Theory of Computing and Systems
* IT-Sicherheit = Communications and Multimedia Security: Joint Working conference of IFIP TC-6 and TC-11 and Austrian Computer Society
* ITLIT = CSTB Workshop on Information Technology Literacy ITLIT
* IWES = International Workshop on Enterprise Security IWES
* JBCS = Journal of the Brazilian Computer Society
* JCMS = Journal of Computer Mediated Communication
* JCS = Journal of Computer Security
* JDSE = Journal of Distributed Systems Engineering; Future Directions for Internet Technology JDSE
* JOCSIDS = JCS Special Issue on Research in Intrusion Detection JOCSIDS
* JSS = Journal of Systems and Software (North-Holland) Special Issue on Formal Methods Technology Transfer
* JTS = Journal of Telecommunications Systems, special multimedia issue JTS
* JWWW = World Wide Web Journal Web page
* KDD = The Second International Conference on Knowledge Discovery and Data Mining
* MCDA = Australian Workshop on Mobile Computing & Databases & Applications
* MCN = ACM Int. Conf. on Mobile Computing and Networking. See MOBICOM
* MDDS = Mobility in Databases and Distributed Systems
* MDS = Second Conference on the Mathematics of Dependable Systems
* METAD = First IEEE Metadata Conference METAD
* MMD = Multimedia Data Security
* MMDMS = Wkshop on Multi-Media Database Management Systems
* MOBICOM = Mobile Computing and Networking MobiCom 99
* NBIS = Network-Based Information Systems
* NCSC = National Computer Security Conference
* NDSS = ISOC Network and Distributed System Security Symposium NDSS '00
* NGITS = World Conference of the WWW, Internet, and Intranet
* NISS = National Information Systems Security Conference NISSC '99
* NSPW = New Security Paradigms Workshop NSPW '99
* OBJ-CSA = OMG-DARPA Workshop on Compositional Software Architectures OBJ-CSA
* OOER = Fourteenth Int. Conf. on Object-Oriented and Entity Relationship Modelling
* OSDI = Operating Systems Design and Implementation
* PAKDD = First Asia-Pacific Conference on Knowledge Discovery and Data Mining
* PISEE = Personal Information - Security, Engineering, and Ethics PISEE
* PKC = Practice and Theory in Public Key Cryptography PKC '99
* PKS = Public Key Solutions
* PTP = Workshop on Proof Transformation and Presentation
* RAID = Workshop on the Recent Advances in Intrusion Detection
* RBAC = ACM Workshop on Role-based Access Control
* RIDE = High Performance Database Management for Large Scale Applications
* RTDB = First International Workshop on Real-Time Databases: Issues and Applications
* SAC = Workshop on Selected Areas in Cryptography SAC '99
* SAFECOMP = Computer Safety, Reliability and Security
* SCRAPC = Smart Card Research and Advanced Application Conference
* SDSP = UK/Australian International Symposium On DSP For Communication Systems
* SECURICOM = World Congress on the Security of Information Systems and Telecommunication
* SETA = Sequences and their Applications
* SFC = Society and the Future of Computing
* SFTC-VI = Symposium on Fault Tolerant Computing - VI (Brazil)
* SICON = IEEE Singapore International Conference on Networks
* SIGMOD/PODS = ACM SIGMOD International Conference on Management of Data / ACM SIGACT SIGMOD-SIGART Symposium on Principles of Database Systems
* SOC = Biennial Symposium on Communications, SOC18
* SOSP = ACM Symposium on Operating Systems Principles
* SPECNS = Software Practices and Engineering, Special Issue on Experiences with Computer and Network Security SPECNS
* TAPOS = Theory and Applications of Object Systems, special issue Objects, Databases, and the WWW
* TAPSOFT = Theory and Practice of Software Development
* TPHOLs = Theorem Proving in Higher Order Logics
* TSEEH = IEEE Transactions on Software Engineering, Special Issue on Current Trends
* TSMA = 5th International Conference on Telecommunication Systems - Modeling and Analysis
* USENIX Sec Symp = USENIX UNIX Security Symposium, 8th Annual
* USENIXIDS = USENIX Workshop on Intrusion Detection and Network Monitoring 1st USENIX IDS
* VLDB = International Conference on Very Large Data Bases
* WDAG = Int.
Workshop on Distributed Algorithms WDAG * WebDB = International Workshop on the Web and Databases * WebNet = World Conference of the Web Society * WECS = Workshop on Education in Computer Security WECS '99 * WECWIS = Workshop on Advanced Issues of E-Commerce and Web-based Information Systems WECWIS '99 * WETICE = IEEE Workshops on Enabling Technologie, Infrastructure for Collaborative Enterprises * WFMSP = Workshop on Formal Methods and Security Protocols WFMSP '99 * WIAPP = IEEE Workshop on Internet Applications WIAPP99 * WIH = Workshop on Information Hiding WIH '99 * WSS = Workshop on Self-Stabilizing Systems WSS '99 ________________________________________________________________________ Listing of Academic (Teaching and Research) Positions in Computer Security maintained by Cynthia Irvine ________________________________________________________________________ Swiss Federal Institute of Technology, Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris General Director Areas of particular interest: Education and research in telecommunications. Applications begin immediately. http://admwww.epfl.ch/pres/dir_eurecom.html Department of Computer Science, Naval Postgraduate School, Monterey, CA Junior and Senior Tenure Track Positions in Professorship Areas of particular interest: Computer Security, but applicants from all areas of Computer Science will be considered. Applications begin immediately and are open until filled. http://www.cs.nps.navy.mil/people/faculty/chairman.html Department of Computer Science, University of Karlstad, Sweden Full Professor in Computer Science Areas of particular interest: Data communications, distributed systems, intrusion security, multimedia applications. Closing Date for applications: February 15, 1999. 
http://www.cs.kau.se/cs/jobs/

Department of Computer Science, Purdue University, West Lafayette, IN
Assistant, Associate or Full Professor in Computer Science
Areas of particular interest: Computer graphics and scientific visualization, database systems, information security, operating systems and networking, and software engineering.
Positions beginning August 1999, interviews beginning October 1998; open until filled.
http://www.cs.purdue.edu/facAnnounce/

Swiss Federal Institute of Technology, Lausanne (EPFL) Communications System Section, Switzerland
Assistant, Associate or Full Professor in Security of Communication and Information Systems
Areas of particular interest: Cryptography, security protocols and systems (e.g. authentication, confidentiality, protection of software resources, security aspects of electronic commerce).
Closing Date for applications: January 9, 1999.
http://sscwww.epfl.ch

Department of Computer Science, Florida State University, Tallahassee, FL
Tenure-track positions. (6/99)
Areas of particular interest: Trusted Systems, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design. Emphasis on issues of certainty, reliability, and security.
http://www.cs.fsu.edu/~lacher/jobs.html

Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa
Assistant, Associate, or Full Professor in Computer Engineering
Areas of particular interest: Distributed and parallel computing, computer networking, security, software engineering, computer architecture, VLSI CAD, computer graphics, and human/computer interface design.
Date closed: December 19, 1998, or until filled.
http://vulcan.ee.iastate.edu/~davis/job-ad.html

Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA
Visiting Professor (Assistant, Associate, or Full Professor levels) (9/98)
Areas of particular interest: Computer and information systems security.
http://cisr.nps.navy.mil/jobs/npscisr_prof_ad.html

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on the Cipher web page and e-mail issues, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

________________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you).

Members of the IEEE Computer Society may join the TC via an https link. The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: http://computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

--------- IEEE Computer Society Technical Committee Membership Application ---------
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                First Name              Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                    State
___________________________________________________________
Country                                 Postal Code
___________________________________________________________
Office Phone                            Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

________________________________________________________________________
TC Publications for Sale
________________________________________________________________________

o Proceedings of the 1998 IEEE CS Symposium on Security and Privacy

Copies are available directly from the TC on Security and Privacy for $25 per copy. This price includes domestic shipping and handling.
For overseas delivery:
-- by surface mail, please add $5 per order (3 volumes or fewer)
-- by air mail, please add $10 per volume

If you would like to place an order, please specify
* how many issues you would like, and
* where to send them, and
* the shipping method (air or surface) for overseas orders.

For mail orders, please send a check in US dollars, payable to the IEEE Symposium on Security and Privacy to:

Brian J. Loe
Treasurer, IEEE TC on Security and Privacy
Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113
U S A

For electronic orders, in addition to the information above, please send the following credit card information to loe@securecomputing.com:
- the name of the cardholder,
- type of card (VISA, Mastercard, American Express, and Diner's Club are accepted)
- credit card number, and
- the expiration date.

For security, please use the following PGP public key to encrypt any information that you're not comfortable sending as cleartext.

You may also order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm.

o Proceedings of the Computer Security Foundations Workshops (2 through 11, excluding 4)

The most recent Computer Security Foundation Workshop (CSFW11) took place the 9th through 11th of June in Rockport, Massachusetts USA. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each. Copies of all earlier proceedings (except the first and fourth) are also available at $10. Checks payable to "Joshua Guttman for CSFW" may be sent to:

Joshua Guttman, MS A150
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Charles P. Pfleeger
Arca Systems, Inc.
8229 Boone Blvd, Suite 750
Vienna VA 22182-2623
(703) 734-5611 (voice)
(703) 790-0385 (fax)
c.pfleeger@computer.org

Past Chair:
Deborah Cooper
P.O. Box 17753
Arlington, VA 22216
(703) 908-9312 (voice and fax)
d.cooper@computer.org

Vice Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Newsletter Editor:
Paul Syverson
Code 5543
Naval Research Laboratory
Washington, DC 20375-5337
(202) 404-7931 (voice)
(202) 404-7942 (fax)
syverson@itd.nrl.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
Michael Reiter
AT&T Labs - Research
Room A269
180 Park Ave
Florham Park NJ 07932-0971
(973) 360-8349 (voice)
(973) 360-8809 (fax)
reiter@research.att.com

________________________________________________________________________
Information for Subscribers and Contributors
________________________________________________________________________

SUBSCRIPTIONS: Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher-request@itd.nrl.navy.mil with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher

CONTRIBUTIONS: to are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

BACK ISSUES: There is an archive that includes each copy distributed so far, in ascii, in files you can download at URL http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-archive.html

=========end of Electronic Cipher Issue #31, 15 March 1999=============