6/7/2001 Editor's note: Please be aware that the faculty positions contained in this copy of Cipher represented available positions at the time Cipher was mailed (in this case, May 1, 2001). In particular, the junior and senior faculty positions at the NPS are now closed. Dr. Cynthia Irvine's list of faculty positions is posted at: http://cisr.nps.navy.mil/jobs/academic_jobs.html.

Subject: Electronic CIPHER, Issue 42, May 1, 2001

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 42                                      May 1, 2001

Jim Davis, Editor                      Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor       Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o 2001 Symposium on Security & Privacy, May 13-16, 2001, Oakland, CA, USA. Registration and a list of accepted papers are available
  o Information on the 14th IEEE Computer Security Foundations Workshop, June 11-13, 2001, Cape Breton, Nova Scotia, Canada
  o Upcoming calls-for-papers and events
* News Briefs:
  o LISTWATCH by Mary Ellen Zurko
  o News Bits: correspondence and announcements
* Commentary and Opinion
  o Judith M. Myerson's review of Information Security Risk Analysis by Thomas Peltier
  o Robert Bruen's review of Network Intrusion Detection, An Analyst's Handbook, 2nd Ed., by Stephen Northcutt and Judy Novak
  o Robert Bruen's review of The Practical Intrusion Detection Handbook by Paul E. Proctor
  o Robert Bruen's review of Intrusion Detection by Rebecca Bace
  o Review of Financial Crypto 2001 by L. Jean Camp
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Reader's guide to recent security and privacy literature, by Anish Mathuria
* List of Computer Security Academic Positions, by Cynthia Irvine
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you another issue of Cipher! In it you will find three book reviews by Robert Bruen (all on intrusion detection) and a review by new contributor Judith Myerson (welcome Judith!). Also included are Mary Ellen Zurko's LISTWATCH and a review of the Financial Crypto 2001 conference by L. Jean Camp. (Many thanks to Mary Ellen for making time in a hectic travel schedule to pull together the LISTWATCH for this issue of Cipher!)

Please be sure to register for the 2001 Symposium on Security and Privacy (May 13-16, 2001, Oakland). Registration and conference details can be found in this issue.

As we head into a busy conference and workshop season, please consider volunteering to write a short conference review for Cipher. Sharing a summary of key issues or even a list of papers helps those of us in the community who don't work in your neighborhood stay current on important issues and problems. If you would like to contribute to Cipher, let me know.

Thanks for your help in constructing this issue of Cipher!

Best regards,
Jim Davis
5/1/2001

====================================================================
Conference and Workshop Announcements
====================================================================

It's not too late to join your colleagues in Oakland!
Information about the 2001 IEEE Symposium on Security and Privacy (to be held May 13-16, 2001 at The Claremont Resort in Oakland, California, USA) is posted on the TC web page at www.ieee-security.org/TC/sp2001.html. Registration is available along with a list of accepted papers.

-----------------------------------------------------------------

Information about the 14th IEEE Computer Security Foundations Workshop (to be held June 11-13, 2001 at the Keltic Lodge, Cape Breton, Nova Scotia, Canada) can be found at www.csl.sri.com/csfw/csfw14.

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at www.ieee-security.org/cfp.html. The Cipher event Calendar is at www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events, maintained by Hilarie Orman

Date (Month/Day/Year), Event, Location, e-mail for more info.

See also the Cipher Calls for Papers file (www.ieee-security.org/cfp.html) for details on many of these listings. Also worth a look are the ICL calendar and the IACR site, and several others.
 5/ 6/01- 5/10/01: Eurocrypt 2001, Innsbruck, Austria; www.ec2001.ocg.at
 5/ 7/01:          ICNP 2001, Riverside, California; www.cis.udel.edu/icnp2001/
 5/13/01- 5/16/01: IEEE S&P '01, Oakland, California; www.ieee-security.org/TC/sp2001.html
 5/20/01:          ICICS '01, Xian, China; submissions due; homex.coolconnect.com/member2/icisa/icics2001.html
 5/29/01:          SEMAS-2001, Montreal, Canada
 6/11/01- 6/13/01: CSFW 14, Nova Scotia, Canada; www.csl.sri.com/csfw/csfw14/
 6/11/01- 6/13/01: IFIP/Sec '01, Paris, France; www.ifip.tu-graz.ac.at/TC11/SEC2001/
 6/11/01- 6/15/01: CITSS '01, Ottawa, Canada; www.cse-cst.gc.ca/cse/english/annual.html
 6/15/01- 6/16/01: SCITS-II, Bratislava, Slovakia; www.conference.sk/ifip/
 6/17/01- 6/22/01: FIRST, Toulouse, France; www.first.org/
 6/22/01- 6/23/01: EFCE, Edinburgh, Scotland; www.efce.net/programme.html
 7/ 2/01- 7/ 4/01: ACISP '01, Sydney, Australia; www.cit.nepean.uws.edu.au/~acisp01
 7/23/01- 7/24/01: WIAPP '01, San Jose, CA; www.cs.berkeley.edu/~gribble/wiapp01
 8/10/01:          Indocrypt '2001, Chennai, India; papers due; www.cs.utah.edu/flux/cipher/cfps/cfp-Indocrypt2001.html
 8/13/01- 8/16/01: 10th USENIX Security Symposium, Washington, D.C.
 8/19/01- 8/23/01: CRYPTO 2001, Santa Barbara, California; www.iacr.org/conferences/c2001/
 8/22/01- 8/24/01: HOTI 9, Palo Alto, CA; www.hoti.org
 9/11/01- 9/13/01: NSPW 2001, Cloudcroft, New Mexico; www.nspw.org
 9/17/01- 9/19/01: ECC 2001, Waterloo, Ontario, Canada; www.cacr.math.uwaterloo.ca
10/10/01-10/12/01: RAID 2001, Davis, CA; www.raid-symposium.org/Raid2001
10/27/01-10/29/01: TPRC 2001, Alexandria, Virginia; www.tprc.org/
10/28/01-10/31/01: SRDS-20, New Orleans, Louisiana; srds.cs.umn.edu
11/13/01-11/16/01: ICICS, Xian, China
12/16/01-12/20/01: Indocrypt '2001, Chennai, India
 5/13/02- 5/15/02: (tentative date) IEEE S&P 2002

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

Computer Communications, Special issue on Network Security. Publication: spring 2002. Editors: Brian Neil Levine, University of Massachusetts, and Clay Shields, Purdue University. Submission deadline is October 5, 2001.

The Internet has become the cornerstone for the proliferation of networking technology. The quality of the security and privacy of the services, protocols, and infrastructure that make up the Internet is a key factor in its continued growth and survivability. This special issue will collect and archive the state of the art in Network Security for existing and future network technologies, publishing research that explores:

- The security of infrastructure and systems that form the network (such as routers, application-level proxies, and servers);
- The security of protocols and services that work end-to-end (such as DNS, HTTP, multimedia conferencing and virtual environments, and e-commerce);
- Protocols that protect the privacy of users on the network.

An emphasis on deployable systems and the inclusion of an analysis of their network performance in the presence of security mechanisms is ideal.
Areas of interest include, but are not limited to:

- Network privacy and anonymity
- Multicast and group-communication security
- Intrusion detection and response
- Network traceback
- Integrating security in Internet protocols
- Security analysis of Internet protocols
- Network performance evaluation of network security protocols
- Denial-of-service attacks and countermeasures
- Virtual private networks
- Security for wireless networks and technologies

Through the publication of this special issue, we wish to bring together researchers from the security and networking communities that have not previously had a common forum in which to share methodologies and techniques. Instructions for submitting a paper are given at signl.cs.umass.edu/comcom

IEEE Internet Computing, Special Issue on Peer-to-Peer Networking. Guest editor: Li Gong, Sun Microsystems. Publication date: January/February 2002. Submissions due June 1, 2001.

The term peer-to-peer networking is applied to a wide range of technologies that greatly increase the utilization of information, bandwidth, and computing resources in the Internet. Frequently, these P2P technologies adopt a network-based computing style that neither excludes nor inherently depends on centralized control points. Apart from improving performance in terms of information discovery, content delivery, and information processing, such a style also can enhance the overall reliability and fault-tolerance of the computing system. This special issue of Internet Computing will showcase significant developments in the general area of peer-to-peer networking. Topics of interest include (but are not limited to):

1. Peer naming, discovery, and organization
2. Peer-based communication and information sharing
3. Systems support for peer-to-peer networking
4. Security support for peer-to-peer networking
5. Peer-based network infrastructure including operating systems
6. Peer-based services and applications

Ideally, submissions will report advances that (a) use a simple and elegant solution to solve a seemingly complicated problem, (b) have a solid theoretical foundation but a realistic implementation path, and (c) are readily deployable over currently existing Internet infrastructure. We discourage strictly theoretical or mathematical papers on modeling of peer-to-peer computing. If you are uncertain about your submission in terms of scope, please provide an abstract to the guest editor for clarification before submission. (Note: the complete call for papers has not been posted on the IEEE web site yet. We will update this Cipher entry when the URL is known. In the interim, you may choose to contact the guest editor, Dr. Li Gong, at li.gong@sun.com.)

ICICS'2001
Web: homex.coolconnect.com/member2/icisa/icics2001.html
Third International Conference on Information and Communications Security, Xian, China, November 13-16, 2001. (submissions due May 20, 2001)

ICICS covers all aspects of theory and application of information and communications security. More information can be found on the conference web page at homex.coolconnect.com/member2/icisa/icics2001.html

ISC'2001
Information Security Conference, Malaga, Spain, October 1-3, 2001. (submissions due May 25, 2001)

Original papers are solicited for submission to the Information Security Conference 2001. ISC aims to bring together individuals involved in multiple disciplines of information security to foster exchange of ideas. Instructions for authors and more information on the conference are given on the conference web site at www.isconference.org.

Workshop on Data Mining for Security Applications (part of the 8th ACM Conference on Computer Security, Nov 6-8, 2001), Philadelphia, PA, USA, November 8, 2001.
(abstracts are due March 25, 2001 and full papers are due June 1, 2001)

This year the ACM's Conference on Computer Communications and Security offers a special half-day workshop on data mining for security applications. This event provides an opportunity for attendees of the ACM CCS to meet with researchers who are interested in applying data mining techniques to security applications and discuss critical issues of mutual interest during a concentrated period. The topics of interest include, but are not limited to:

- Intrusion detection and analysis via data mining
- Data mining in forensics
- Text data mining as a tool for collecting criminal evidence
- Classification and clustering of intrusions, attacks and computer-related crimes
- Real-time detection
- Predictive tools for security
- Mining for inferences

Instructions for submitting an abstract and paper can be found on the workshop web page at www.bell-labs.com/user/reiter/ccs8/

ACSAC'2001, 17th Annual Computer Security Applications Conference, New Orleans, USA, December 10-14, 2001. (submissions are due June 1, 2001)

We are currently soliciting papers, panels, forums, case studies, and tutorial proposals for the 17th Annual Computer Security Applications Conference (ACSAC) to be held 10 - 14 December 2001 in New Orleans, Louisiana, USA. For general information or questions about ACSAC, please see our web page at www.acsac.org or email Publicity_Chair@acsac.org. For specific submission-related information, please see the following web page: www.acsac.org/2001/cfp.

IW2001, 2nd Australian Information Warfare and Security Conference, Scarborough, Perth, Western Australia, November 29-30, 2001. (submissions due June 30, 2001)

The conference will be held in conjunction with the Working for E-Business conference (see www.we-bcentre.com/conf2001) to be held at the Rendezvous Observation City, Scarborough, Perth, Western Australia. Sample conference topic areas include but are not restricted to:

- E-Intelligence/counter-intelligence
- Perception management
- Information warfare theory
- Electro-magnetic pulse weapons
- Information security
- Cryptography
- Physical security
- Security policy
- Information warfare policy
- Information warfare techniques
- Hacking
- Infra-structure warfare
- National security policy
- Corporate defense mechanisms
- Security for small to medium enterprises
- Information warfare and security education

See the workshop web page at www.we-bcentre.com/iw2001/ for more details.

Cryptographers' Track at the RSA 2002 Conference, San Jose, California, USA, February 18-22, 2002. (submissions due June 30, 2001)

Following the success of the new approach to the Cryptographers' Track 2001, the Cryptographers' Track of RSA Conference 2002 will be run as an anonymously refereed conference with proceedings edited in Springer-Verlag's Lecture Notes in Computer Science series. Original research papers pertaining to all aspects of cryptography as well as tutorials and overviews are solicited. Submissions may present theory, techniques, applications and practical experience on topics including, but not limited to: fast implementations, secure electronic commerce, network security and intrusion detection, formal security models, comparison and assessment, tamper-resistance, certification and time-stamping, cryptographic data formats and standards, encryption and signature schemes, public key infrastructure, cryptographic protocols, elliptic curve cryptography, block ciphers, stream ciphers, hash functions, discrete logarithms and factorization techniques, lattice reduction and provable security. More information can be found at www.rsaconference.com/rsa2002/cryptotrack.html.

Workshop on Security and Privacy in Digital Rights Management (part of the 8th ACM Conference on Computer Security, Nov 6-8, 2001), Philadelphia, PA, USA, November 5, 2001. (papers due August 3, 2001)

Increasingly the Internet is used for the distribution of digital goods, including digital versions of books, articles, music and images. The ease with which digital goods can be copied and redistributed makes the Internet well suited for unauthorized copying, modification and redistribution. This workshop will consider technical problems faced by rights holders (who seek to protect their intellectual property rights) and end consumers (who seek to protect their privacy and to preserve access they now enjoy in traditional media under existing copyright law). The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of DRM, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues. A complete list of topics and instructions for submitting a paper can be found on the workshop web page at www.star-lab.com/sander/spdrm/.

Indocrypt'2001
www.cs.iitm.ernet.in/indocrypt
Second International Conference on Cryptology in India, Chennai, India, December 16-20, 2001. Papers due August 10, 2001.

Original papers on all technical aspects of cryptology are solicited for submission to Indocrypt 2001. Detailed instructions for submission of a paper are given on the conference web site.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

SACMAT'2001
www.acm.org/sigsac/sacmat2001.html
Sixth ACM Symposium on Access Control Models and Technologies, Chantilly, VA, USA, May 3-4, 2001.

Eurocrypt'2001
www.ec2001.ocg.at
20th Annual Eurocrypt Conference, Innsbruck, Austria, May 6-10, 2001.

S&P'2001
www.ieee-security.org/TC/sp2001.html
2001 IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 13-16, 2001.
First Workshop on Information Security Systems Rating and Ranking, Williamsburg, Virginia, May 21-23, 2001.
www.acsac.org/measurement

NCISSE'2001
www.ncisse.org
Fifth National Colloquium for Information Systems Security Education, George Mason University, Fairfax, Virginia, USA, May 22-24, 2001.

SEEMAS'2001
www.dfki.de/~kuf/semas/
First International Workshop on Security of Mobile Multiagent Systems (to be held at the Fifth International Conference on Autonomous Agents), Montreal, Canada, May 29, 2001.

IFIP/Sec 2001
www.ifip.tu-graz.ac.at/TC11/SEC2001/
16th International Conference on Information Security, Paris, France, June 11-13, 2001.

CSFW'14
www.csl.sri.com/csfw/csfw14/
14th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, June 11-12, 2001.

SMC-IAW
www.itoc.usma.edu/Workshop/2001/Workshop2001.htm
2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop, United States Military Academy, West Point, New York, USA, June 5-6, 2001.

The 13th Annual Canadian Information Technology Security Symposium, Ottawa, Canada, June 11-15, 2001. For information: (613)991-8500; fax: (613)991-7251; Web site: www.cse-cst.gc.ca/cse/english/annual.html; e-mail: citss@cse-cst.gc.ca. In English/French.

SCITS-II
www.conference.sk/ifip/
IFIP WG 9.6/11.7 Working Conference on Security and Control of IT in Society II, Bratislava, Slovakia, June 15-16, 2001.

FIRST'2001
Web: www.first.org/conference/2001/
The 13th Annual FIRST Conference on Computer Security and Incident Handling, Toulouse, France, June 17-22, 2001.

Verification Workshop (in connection with IJCAR 2001), Siena, Italy, June 19-19, 2001.
www.ags.uni-sb.de/verification-ws/index.html

MOS'2001
cui.unige.ch/~ecoopws
The 7th ECOOP Workshop on Mobile Object Systems (in association with the 15th European Conference on Object-Oriented Programming), Budapest, Hungary, June 18, 2001.

EFCE
www.efce.net
The Second Edinburgh Financial Cryptography Engineering Conference, Edinburgh, Scotland, June 22-23, 2001.

ACISP'2001
www.cit.nepean.uws.edu.au/~acisp01
The Sixth Conference on Information Security and Privacy, Sydney, Australia, July 2-4, 2001.

IST'2001
www.itrc.ac.ir/ist2001
International Symposium on Telecommunications, Tehran, Iran, September 1-3, 2001.

NSPW'2001
www.nspw.org
New Security Paradigms Workshop 2001, Cloudcroft, New Mexico, USA, September 11-13, 2001.

ECC'2001
www.cacr.math.uwaterloo.ca
The Fifth Workshop on Elliptic Curve Cryptography, University of Waterloo, Waterloo, Canada, September 17-19, 2001.

InfoSecu01
java.sun.com/people/gong/conf/shanghai2001/cfp.txt
ACM International Conference on Information Security, Shanghai, China, September 24-26, 2001.

ISSE 2001
www.eema.org/isse
Information Security Solutions Europe Conference, QEII Conference Centre, London, UK, September 26-28, 2001.

I3E
www.ifi.unizh.ch/I3E-conference
First IFIP Conference on e-commerce, e-business, e-Government, Zurich, Switzerland, October 4-5, 2001.

RAID'2001
www.raid-symposium.org/Raid2001/
Fourth International Symposium on the Recent Advances in Intrusion Detection, Davis, California, USA, October 10-12, 2001.

TPRC2001
www.tprc.org/TPRC01/2001.HTM
The 29th Research Conference on Communication, Information and Internet Policy, Alexandria, Virginia, USA, October 27-29, 2001.

SRDS-20
srds.cs.umn.edu
20th IEEE Symposium on Reliable Distributed Systems, New Orleans, USA, November 4-7, 2001.

CCS-8
www.bell-labs.com/user/reiter/ccs8/
Eighth ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, November 6-8, 2001.
==================================================================== News Briefs ==================================================================== News briefs from past issues of Cipher are archived at www.ieee-security.org/Cipher/NewsBriefs.html ___________________________________________________________________ LISTWATCH: items from security-related mailing lists (April 17, 2001) by Mary Ellen Zurko (mzurko@iris.com) ____________________________________________________________________ This issue's highlights are from DCSB, CRYPTO-GRAM, ACM TechNews, and cypherpunks. ____________________ War Driving is being called the next big thing in hacking. It's driving around looking for unsecured 802.11 wireless networks. Even installations using Wired Equivalent Protocol (WEP) for security may be vulnerable if, for instance, they have the encryption key set to one of several well-known default values. The name of the activity is derived from the movie "War Games". ____________________ According to the March 19th Newsweek, one of the secrets Robert Hanssen told the Russians was that the U.S. tunnel under the Soviet embassy in Washington was used so that "laser beams could pick up vibrations from the keystrokes of Soviet ciphering machines -- helping to decode their signals." ____________________ VBS Worm Generator, the kit used to create the Anna Kournikova worm, has a new V2 . The creator says that any harm done with worms created using his kit is not his responsibility. The documentation (which is said to be very good) says that testing with Norton anti-viral 2001, Kaspersky Anti-Virus (AVP), McAfee and F-Secure's "Fprot" indicates they will not detect new worms created with this kit. ____________________ Office XP will have a new anti-piracy feature that will require an activation key and keep any instance from running on more than one PC. However, someone has stolen a corporate version that doesn't require an activation key, and posted it as warez. 
< http://www.wired.com/news/business/0,1367,42402,00.html> ___________________ A report on web bugs has some data on who has the most web pages bugged, and who generates the most bugged traffic. ____________________ Here's a great NT error message. We should have a contest to guess what it actually means 1381L ERROR_TOO_MANY_SECRETS The maximum number of secrets that can be stored in a single system was exceeded. The length and number of secrets is limited to satisfy the United States State Department export restrictions. ____________________ There's another object lesson on why not to release documents in Word format. This one is about the security implications of an Alcatel DSL modem product . ____________________ TRUSTe is seeking public comment on its privacy guidelines for companies undergoing mergers, acquisitions and bankruptcies. See www.truste.org. ____________________ Speculation abounds about NSA's Security-Enhanced Linux (SELinux) prototype. Will it be freely available? Will it provide actual security? Will it be usable? , . ____________________ A patch to IE to keep MIME handlers from incorrectly launching attachments ran into a second problem. Users who had not upgraded their IE to the appropriate service pack level were told by the patch installation process that they did not need to apply the patch, even though they were vulnerable. Unfortunately, this happened around April 1 as well. ____________________ And also around April 1, "DOJ STEPS UP CHILD PORNOGRAPHY FIGHT; Proposal makes digital cameras 'childsafe'" < http://www.cluebot.com/article.pl?sid=01/04/01/2155249> ____________________ IE will be supporting P3P, with a target release date of this summer. The interface is a privacy thermostat. Some privacy advocates object to this interface, on the grounds that it encourages trading off privacy for convenience. ____________________ On January 29 and 30, 2001, VeriSign, Inc. 
issued two certificates for Authenticode signing to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft. Users who try to run code signed with these certificates will generally be presented with a warning dialog, but of course who wouldn't trust a certificate that was validly issued from VeriSign, and claimed to be for Microsoft? The certificates are on a Certificate Revocation List (CRL) now, but I gather the code that checks the signatures for ActiveX controls, Office Macros, and so on, doesn't do any CRL processing. Microsoft adds that since the certificates don't have a CRL Distribution Point (DP), it's not possible to find and use the CRL. Rumor has it that the folks got the certificates by knowing the credit card information that Microsoft used to legitimately purchase certificates in the past. This would make sense, because even though I actually work for Iris Associates, Verisign shouldn't go issuing me certificates that claim I speak for Iris Associates on that basis alone. And Microsoft's claim that no one could possible check a CRL without a CRL DP seems wrong to me too. If you hard code trusted roots you can certainly hard code where a CRL is (or configure it somewhere). ____________________ A Gallery of CSS Descramblers includes one in a new language without a compiler, one in plain English, one in haiku form, one transformed into music, a movie version, and a greeting card. ____________________ The Aimster pig encoder that translated titles into pig latin to hide them from Napster title monitoring has been removed < http://www.aimster.com/pigencoder.phtml>. ____________________ Claude Shannon died on February 24, at age 84. ____________________ >From ACM TechNews: "Chinese Suspected of Hacking U.S. Sites" Washington Post (04/13/01) P. A13; Cha, Ariana E. 
Since an American spy plane and a Chinese jet fighter collided on April 1, there have been at least nine attacks by hackers on U.S. government and business sites. Chinese portals such as Sina.com and Sohu.com give hacking instructions and possible targets, and encourage citizens to vandalize American sites in retaliation for the death of the Chinese pilot. Users who tried to access a site for artists in Marin County, Calif., were greeted yesterday by a Chinese flag and an audio recording of their national anthem. Pa.-based Intelligent Direct's site's home page was also replaced by a flag, as well as the message "China have bomb, too," and some "profane comments about someone's mother." Many of the computer attacks were signed by the Hackers Union of China, who calls itself a "network security organization." Last year, after the president of Taiwan expressed the desire to speak with Chinese officials on a "state-to-state" level, Chinese residents launched more than 100,000 attacks on Taiwanese sites. Chinese hackers differ from most others because they are generally motivated by politics, and not the desire for monetary profit. http://washingtonpost.com/wp-dyn/articles/A13431-2001Apr12.html "UN Working Group Seeks Common Ground on Security" InfoWorld.com (03/23/01); Verton, Dan The United Nations on Thursday will host Global InfoSec 2001, a meeting of its 189 member countries and representatives from the U.S. tech industry to discuss matters of Internet security. "We want to sensitize diplomats to the importance of the implications of IT so that they are equipped to deal with the issues," says Percy Mangoaela, the UN ambassador from Lesotho and chair of the UN's Working Group on Informatics, which is co-sponsoring the conference. Among the issues to be highlighted at the conference is devising a framework for pursuing cybercrime across international borders. 
Tech executive Bill Crowell says this issue is highly problematic because no country wants to give up any of its national sovereignty. Other issues include the privacy of individuals online, with Mangoaela pointing out that developing countries can learn much from the struggles that the United States and the European Union are having with this issue. http://www.infoworld.com/articles/hn/xml/01/03/23/010323hnun.xml?0326mnam ____________________ Schneier's latest CRYPTO-GRAM is a particularly good one. It has an informative paragraph on the much trumpeted OpenPGP key file vulnerability, and a nice discussion of a security survey (as well as several other references I used above). I include both below verbatim: A vulnerability was found in the OpenPGP standard. If an attacker can modify the victim's encrypted private key file, he can intercept a signed message and then figure out the victim's signing key. (Basically, if the attacker replaces the public key parameters with weak ones, the next signature exposes the private key.) This is a problem with the data format, and not with the cryptographic algorithms. I don't think it's a major problem, since someone who can access the victim's hard drive is more likely to simply install a keyboard sniffer. But it is a flaw, and shows how hard it is to get everything right. Excellent cryptanalysis work here. Announcement: News reports: The research paper: ** *** ***** ******* *********** ************* CSI's Computer Crime and Security Survey For the past six years, the Computer Security Institute has conducted an annual computer crime survey. The results are not statistically meaningful by any stretch of the imagination -- they're based on about 500 survey responses each year -- but it is the most interesting data on real-world computer and network security that we have. And the numbers tell a coherent story. (I'm just going to talk about the 2001 numbers, but the numbers for previous years track pretty well.) 
64% of respondents reported "unauthorized use of computer systems" in the last year. 25% said that they had no such unauthorized uses, and 11% said that they didn't know. (I believe that those who reported no intrusion actually don't know.) The number of incidents was all over the map, and the number of insider versus outsider incidents was roughly equal. 70% of respondents report their Internet connection as a frequent point of attack (this has been steadily rising over the six years), 18% report remote dial-in as a frequent point of attack (this has been declining), and 31% report internal systems as a frequent point of attack (also declining). The types of attack range from telcom fraud to laptop theft to sabotage. 40% experienced a system penetration, 36% a denial of service attack. 26% reported theft of proprietary information, and 12% financial fraud. 18% reported sabotage. 23% had their Web sites hacked (another 27% didn't know), and over half of those had their Web sites hacked ten or more times. (90% of the Web site hacks were just vandalism, but 13% included theft of transaction information.) What's interesting is that all of these attacks occurred despite the wide deployment of security technologies: 95% have firewalls, 61% an IDS, 90% access control of some sort, 42% digital IDs, etc. Clearly the technologies are not working sufficiently well. The financial consequences are scary. Only 196 respondents would quantify their losses, which totaled $378M. From under 200 companies! In one year! This is a big deal. More people are reporting these incidents to the police: 36% this year. Those who didn't report were concerned about negative publicity (90%) and competitors using the incident to their advantage (70%). This data is not statistically rigorous, and should be viewed as suspect for several reasons. First, it's based on the database of information security professionals that the CSI has (3900 people), self-selected by the 14% who bothered to respond. 
(The people responding are probably more knowledgeable than the average sysadmin, and the companies they work for more aware of the threats. Certainly there are some large companies represented here.) Second, the data is not necessarily accurate, but is only the best recollections of the respondents. And third, most hacks still go unnoticed; the data only represents what the respondents actually noticed.

Even so, the trends are unnerving. It's clearly a dangerous world, and has been for years. It's not getting better, even given the widespread deployment of computer security technologies. And it's costing American businesses billions, easily.

The survey (you have to give them your info, and they will send you a paper copy):
http://www.gocsi.com/prelea_000321.htm

** *** ***** ******* *********** *************

____________________________________________________________________
News Bits
____________________________________________________________________

____________________

NSA and NIST have decided that last fall's NISSC was the last one. See:
csrc.nist.gov/nissc/

____________________

The National Institute of Standards and Technology (NIST) invites proposals from eligible organizations for funding projects under the Critical Infrastructure Protection Grants Program (CIPGP). The objective of the CIPGP is improvement of the robustness, resilience, and security of information in all the critical infrastructures. This will be accomplished by funding research leading to commercial solutions to those information technology (IT) security problems central to critical infrastructure protection that are not being adequately addressed. More information is available from the Federal Register Notice or from:
csrc.nist.gov/grants

Program Director: Donald G. Marks, NIST, (301) 975-5342

____________________

Preliminary Announcement

SECOND INTERNATIONAL SCHOOL ON FOUNDATIONS OF SECURITY ANALYSIS AND DESIGN
FOSAD 2001
www.cs.unibo.it/fosad
17-29 September 2001, Bertinoro, Italy
Application deadline: May 31, 2001

General Information

Security in computer systems and networks is emerging as one of the most challenging research areas for the future. The main aim of the school is to offer a good spectrum of current research in foundations of security, ranging from programming languages to analysis of protocols, that can be of help for graduate students and young researchers from academia or industry who intend to approach the field.

As for the previous edition (FOSAD'00), the school covers two weeks (from Monday 17 to Saturday 29 September 2001) and alternates four lecturers per week on monographic courses of about 6 to 8 hours each. Saturdays are reserved for presentations given by those participants who intend to take advantage of the audience for discussing their current research in the area.

The school is organised at the Centro Residenziale Universitario of the University of Bologna, situated in Bertinoro, a small village on a scenic hill with a wonderful panorama, between Forli' and Cesena (about 50 miles south-east of Bologna, 15 miles from the Adriatic sea).

The school offers seven main courses, each composed of 3 or 4 seminars of 2 hours each. In alphabetical order, the lecturers of the seven main courses are the following:

Dominique Bolignano (Trusted Logic): Smart Card Security
Marc Dacier (IBM, Zurich Research Laboratory): Intrusion Detection Systems
Prem Devanbu (Univ. of California, Davis) and Stuart Stubblebine (CertCo): Secure Software Engineering and E-Commerce Privacy
Rosario Gennaro (IBM, T.J. Watson Research Center): Security for multimedia traffic over IP
Gary McGraw (Cigital): Building Secure Software
John McLean (Naval Research Lab, Washington): Security Models
Flemming Nielson (Technical Univ. of Denmark, Lyngby): Static analysis for security

Further short courses will be given by:

Carlo Blundo (Univ. of Salerno): Introduction to Cryptography I
Iliano Cervesato (ITT Industries): Security protocol specification languages
Riccardo Focardi (Univ. of Venezia): Non-interference for security protocols
Fabio Martinelli (IAT-CNR, Pisa): Logics for Non-Interference
Pino Persiano (Univ. of Salerno): Security Notions for Public Key Cryptosystems
Roberto Segala (Univ. of Bologna): Introduction to Cryptography II

The scientific school directors are Riccardo Focardi (Univ. of Venezia), Roberto Gorrieri (Univ. of Bologna) and John McLean (Naval Research Lab). The administrative directors are Andrea Bandini and Roberta Poggi (cbert@sun1.spfo.unibo.it). The local organisers are Andrea Bandini, Alessandro Aldini (aldini@cs.unibo.it) and Mario Bravetti (bravetti@CS.UniBO.IT).

In order to be really effective, at most 45 participants will be admitted to the lectures. Prospective participants should send an application to the address below, together with a recommendation letter, by May 31, 2001. Notification of accepted applicants will be posted by June 30, 2001. Registration for the school is due by July 31, 2001.

Applications should be sent, using the form available on the web page, to Riccardo Focardi (by e-mail) and to Andrea Bandini (by mail or fax):

Riccardo Focardi
Dipartimento di Informatica
Via Torino 155
I-30172 Mestre (Ve), Italy
e-mail: fosad@dsi.unive.it

Andrea Bandini
Centro Residenziale Universitario
Via Frangipane, 6 - 47032 Bertinoro (FC)
tel. +39-0543-446500
fax: +39-0543-446599
e-mail: cbert@sun1.spfo.unibo.it

A limited number of grants will be provided to cover part of the expenses. Applications are pending to the EU for European young researchers and to UNESCO-ROSTE for prospective participants from East European and South Mediterranean countries. Please include your request with the application.
The accommodation fee is 750 Euro and covers costs for the whole period in a double room, half board (breakfast and lunch). The registration fee is 550 Euro and includes the didactic material from the lecturers.

More detailed information on courses will soon be available at:
www.CS.UniBO.it/fosad/

Requests for information on the school, grants and applications should be addressed to fosad@dsi.unive.it, while information on organisation (address, how to reach us, etc.) can be requested by e-mail from cbert@sun1.spfo.unibo.it

_______________________

News Bits contains correspondence, interesting links, non-commercial announcements and other snippets of information the editor thought that Cipher readers might find interesting. And, like a UCITA-protected product, by reading the above page you have already agreed not to hold the editor accountable for the correctness of its contents.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at www.ieee-security.org/Cipher/ConfReports.html.

____________________________________________________________________
Book Review by Judith M. Myerson
April 25, 2001

"Information Security Risk Analysis", by Thomas Pelter
CRC Press, Inc. (Auerbach Publications), 2000. 281 pages.
ISBN 0-8493-0880-1. $64.95

My first reaction to the book was favorable. Information Security Risk Analysis is aimed at information security professionals, project managers, auditors and facilities managers. The book fulfills its purpose by helping readers start conducting risk analysis processes, with sample forms. Information Security Risk Analysis contains 280 pages and is divided nearly evenly between seven chapters and six appendices.
It begins with asset identification, threat identification and Annual Loss Expectancy, and proceeds to the next chapter on asset valuation, risk evaluation and risk management, threat impacts, safeguard identification, and cost-benefit analysis. The third chapter focuses on assigning values to assets, while the fourth chapter briefly covers vulnerability analysis, hazard impact analysis, threat analysis, questionnaires and the single-time loss algorithm. As shown in the next chapter, the FRAP is a good example of considering, evaluating and documenting information security risks. Chapter 6 gives other types of qualitative risk analysis such as Business Impact Analysis (BIA). The final chapter presents a case study to better understand the concepts of FRAP. The book then moves to a series of appendices on a questionnaire sample, FRAP forms, BIA forms, a report sample, threat definitions and other risk analysis opinions.

The book cover is appropriately designed and reflects the theme of the subject. Typography in the text is good. A contrasting color, such as medium blue, would be helpful in highlighting important words or topics. References and indexes are more than adequate.

____________________________________________________________________
____________________________________________________________________
Book Review by Robert Bruen
April 13, 2001
____________________________________________________________________

Network Intrusion Detection: An Analyst's Handbook, 2nd ed., by Stephen Northcutt and Judy Novak.
New Riders 2001. 430 pages, index. Softcover.
ISBN 0-7357-1008-2. $45.00

This book is a typical New Riders production: well done, detailed, written for folks who know (or would like to know) what they are doing by folks who do know what they are doing. It is not a large-print, full-of-white-space, over-hyped book. It is a well crafted journey through protocols, diagrams, dumps, logs, forensics and how to be gentle with victims who receive your assistance.
There is a large and growing number of security-related books available today. Many of these tell you practical information, such as how to use Secure SHell (SSH) instead of telnet and ftp because it will encrypt traffic. This is one helpful item in a large array of helpful items that will help secure your site. Unfortunately, this is not enough, because nothing will replace expertise. If you are going to spend significant time securing your site, you will need to understand what happens under the hood. While I like practical books, I really like books that explain the important details in a cohesive manner, so that I can learn to cope with the unexpected, new situation. If all you learn is the superficial level, you will be unable to handle the situation that does not come listed in that book. If you have a grasp of how the pieces work together, the new situation will have recognizable parts which you will be able to join together so that it makes sense. My recommendation is to read and use the practical books, but also read the theory books and read books that explain the details, especially if they are done as well as Northcutt's book.

The twenty-two chapters cover topics like filters, signatures, protocol manipulation, attacks, responses to attacks and lots of software tools. The tools discussed are of the commercial and free variety for both attack and defense. There are two chapters describing particular attacks, Mitnick and Timex, each of which provides interesting stories and important lessons.

The scope of the book reaches to often ignored issues that are critical to dealing with security problems in general. Taking the technical path to protect your systems or networks can lead you past the big-picture approach of looking at architecture and organization. It also generally bypasses the business problem. These three ideas are related in that one must be able to integrate the structure of the organization and the configuration of nets, subnets and systems that ought to reflect that organization. How these are arranged makes a great difference in how difficult it will be to protect them. It makes a difference in determining whether traffic patterns within the enterprise are a problem or not. Above all of this are the managers who may or may not fund your attempts to protect the enterprise. Northcutt deals effectively with these issues.

Network Intrusion Detection should be acquired and read by anyone who wants to understand the basis for intrusion detection.

____________________________________________________________________
____________________________________________________________________
Book Review by Robert Bruen
April 13, 2001
____________________________________________________________________

The Practical Intrusion Detection Handbook by Paul E. Proctor
Prentice Hall, 2001. 359 pages, index, 2 appendices, bibliography. Hardcover.
ISBN 0-13-025960-8. $49.99

This is one of those times where the title of the book actually reflects the content. The Practical Intrusion Detection Handbook is exactly what it says it is, and it is done well. TCP/IP is mentioned only twice throughout the book because protocols and what goes on under the hood are not the topic. Instead, the book covers ID from a user perspective, where the user needs to learn about it, possibly to set one up.

In the introduction, the first item we encounter is "Security versus Business", the main audience. Although it is hard to believe that any business is still without some level of ID, the fact is that many are. Therefore, justification is the starting point, with an entire chapter (Chapter 11) devoted to justifying the cost of an Intrusion Detection System based on the proper risk analysis and asset valuation that any astute corporate CFO should understand (e.g. ROI).
Usually it is a hard sell to set up a system of prevention when the risk of failure is small. Fortunately, the media is full of stories of virus attacks and defaced web sites. This chapter alone may be worth the price of the book if you are trying to get your management to fund an IDS.

Since the audience is mainly the business world, there are several other chapters of great value for those who are new to IDS and security. One area that business just cannot get away from is the legal jungle. Unless a business is directly concerned with money as a product, not just profits, such as banks or credit card companies, most have not taken security seriously. This has begun to change, forcing the legal world to be satisfied when problems occur. A long time ago, when you suffered a break-in, the law was not very interested. Now, when a credit card heist from a web business involves 35,000 cards at a shot, evidence and liability become important. Knowing how to fold legal requirements into incident response policy is no longer something that you figure out after the fact. Read Chapters 8 & 15.

Continuing down the practical path, there are several chapters that big-systems folks will like: the Project Lifecycle, the Requirements Definition and the Tool Selection and Acquisition Process. Having once upon a time taught project management, I appreciate the problems that one can run up against in larger organizations that formalize everything. These chapters will assist those people. These days I prefer the smaller, flexible approach, but it is nice to have a resource if the choice is not yours.

No IDS book would be complete without a chapter on things you can purchase, along with pros and cons. For now, at least, most systems will be software, but not all. Another distinction will be host-based tools and network-based tools. In the end you will be analyzing data in the same place, but naturally, the sources will be different. The important tools are covered with pictures and screen shots.

This is definitely a recommended book, just keep in mind that it aims at the business world, with all the caveats that brings. There are plenty of real-world examples of intrusions and detections, but there are also examples of cost estimates, policy management and operational issues.

____________________________________________________________________
____________________________________________________________________
Book Review by Robert Bruen
April 13, 2001
____________________________________________________________________

Intrusion Detection by Rebecca Bace
Macmillan Technical Publishing, 2000. 339 pages, index, 4 appendices including glossary, bibliography, and resources check list. Hardcover.
ISBN 1-57870-185-6. $50.00

Ms. Bace has approached Intrusion Detection in a methodical manner, with more notes and bibliographical references than most other related books. She appears to have done her research over many years, so that she is able to present a meaningful, coherent history of ID. This history includes analyses of older software and older cases (e.g. Mitnick) that have important lessons for our work today. The book reads like a long, clear definition of ID, looking down at it from 30,000 feet. Covering almost all aspects from the general to selected specifics, such as Anderson's Threat Matrix, this book is a great reference source.

Whenever a discipline is under construction, it must pass through stages such as identification, early models, practical and technical approaches and some work that pulls it all together to define the discipline. It shows that the field is maturing. The first report seems to be one by James Anderson in 1980, followed by the next important paper in 1986 by Dorothy Denning. Since then there have been various papers and software that have appeared, but only a few good books, several of them just recently.
Bace has gathered all of this to provide the next step in placing the field on secure footing.

When reading books that draw on history to explain current events, it is almost always disheartening to realize that we do not learn from history, which causes no end of grief. The RISOS project from the 1970s is described as a study of operating systems to understand the roots of security problems. The list of problems was looked at during a 1993 meeting where it was discovered that they all still exist as sources of exploits. Moreover, they are still with us today, about 25 years later, with no expectation of vendors fixing the problems. For example, buffer overflows, stack smashing, authentication/authorization inadequacies and race conditions were all there in the original report. Moreover, vendors still send out products with poor configurations that are exploitable upon installation. It is a bit hard to understand why only now "secure" operating systems are beginning to appear, unless one takes into account that we have passed from a time when computer people did computing for computing's sake to a time when it is done only if there is commercial demand. Let us hope that the bazaar will be more successful than the cathedral. Security needs to be built in from the beginning. The beginning was a while ago.

This is a recommended book that gives the reader an insightful, comprehensive picture of ID from the beginning to today. It shares a space on my shelf with the other good books on intrusion detection because it is different enough in its approach and is a good source of information.

____________________________________________________________________
____________________________________________________________________
Conference Report on FC 2001
by L. Jean Camp
____________________________________________________________________

International Conference on Financial Cryptography (FC 2001)
Grand Cayman, BWI
February 19-22, 2001

These notes are from the morning sessions of Financial Cryptography 2001 in the Cayman Islands in the British West Indies. My sometimes-relevant asides are in italics. [Editor's note: I put the italicized text in brackets. Please see the original text at www.ieee-security.org/cipher. JAD]

The conference reflected both a field that was coming of age and an academic area that is getting entangled in the nasty interdisciplinary world. Issues of computational efficiency, device capacities, implementation in real-world financial systems, and risk management were all addressed. Although I did not count, I would guess something more than 100 attendees. Because the conference is front-loaded, that is, the morning sessions are academic and the afternoon sessions are commercial, the attendance at the earliest sessions was highest. The afternoon sessions were vendor sessions. You can go to their sites to check out what the vendors say for themselves. The sponsors were nCipher, Bibit, Intertrust, Hush, Zero Knowledge, IBM, CertCo, Certicom, RSA, and Microsoft.

As in all conferences the value is in the dialogue as much as the presentations. I did not review my paper, for obvious reasons; the slides are at www.ljean.net/fc01.pdf. However, I also did not review the paper immediately before mine, as I was quite busy tensing up. There were two non-crypto papers. There was one paper on analysis of trust from different disciplinary perspectives (mine) and one paper on analyzing the cost of MicroMint. If the financial privacy laws happen in the US, some of the papers next year may be on regulatory compliance.

MONDAY FEB 19

The first paper was Amortized E-cash by Moses Liskov and Silvio Micali at MIT. Moses presented it.
Okamoto's was the first proposal for divisible e-cash, and it is used by the authors as the basis for comparison of their own coinage. In addition to past work on divisible e-cash, there has been much work to create definitions for the requirements for divisible e-cash. In this case the authors developed the requirements and worked from there.

The core idea was to amortize expensive crypto operations over multiple coins by dividing the coin into two parts. The goal is to provide cash that is both off-line and anonymous. Off-line implies double spending, so identity is embedded in the coin. Spent once, anonymous; spent twice, identity is released. The basic idea is that two expenditures create two equations, thus solving for identity. Embedding identity requires a zero-knowledge protocol. However, zero-knowledge protocols are expensive. Consider the cost when $100 = 10,000 cents.

Coins from one wallet can be linked to coins with other wallets. Models the identity lost under a single wallet on the conceptual model of a single ATM transaction. Anonymity is lessened because the wallet becomes a pseudonym. Each wallet has a single wallet-defining subcoin, authenticated by the bank, which includes the user's identity and specifies all coins. The wallet is a Merkle hash tree. Root and depth define the coins. A wallet of depth d has 2^d subcoins. The common subcoin is the root. Each coin is an ephemeral k, or commitment. The common subcoin includes root, depth, PK, Ek(identity). Essentially the core for double spending is a Schnorr signature, which exposes the signed identity by exposing the key when there are two transactions using the same subcoin (which is a subcoin-specific key). The existence of two transactions and the shared wallet/coin that contains identity.

Q&A argues that the contribution of this paper is not primarily efficiency, given the ZK protocol, but rather off-line divisible coins with strict security assumptions. Moses agrees. The questions were rather pointed.
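Added example (not from the Liskov-Micali paper or from these notes): the double-spending mechanism sketched above, in runnable Python. A subcoin fixes an ephemeral k, each spend is a Schnorr signature on the merchant's transaction using that k, and a second spend with the same k but a different challenge yields two linear equations in the long-term secret x, so whoever holds both transcripts (the bank, at deposit time) solves for x. The wallet, Merkle tree, blind signing and bank protocol are not modelled; the toy group sizes, the SHA-256 challenge and the transaction strings are assumptions made for the demo.

```python
# Added example (not the Liskov-Micali construction): Schnorr key exposure when
# one subcoin's ephemeral k is used to sign two different transactions.
# Toy group sizes, SHA-256 challenge and transaction strings are assumptions.
import hashlib
import random


def is_prime(n):
    """Deterministic Miller-Rabin; these 12 bases are exact for n < 3.3e24,
    which covers the ~80-bit toy modulus used here."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_schnorr_group(rng, qbits=64):
    """Toy Schnorr group: prime q, prime p = c*q + 1 (about 80 bits), g of order q."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_prime(q):
            break
    while True:
        c = 2 * rng.randrange(1 << 14, 1 << 15)   # even cofactor keeps p odd
        p = c * q + 1
        if is_prime(p):
            break
    while True:
        h = rng.randrange(2, p - 1)
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            break
    return p, q, g


def challenge(q, R, msg):
    """Fiat-Shamir challenge e = H(R || transaction) mod q (assumed hash)."""
    data = R.to_bytes((R.bit_length() + 7) // 8, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def spend(group, x, k, msg):
    """Schnorr-sign a transaction with the subcoin's FIXED ephemeral k.
    Returns (R, s) with R = g^k mod p and s = k + e*x mod q.  Ordinary Schnorr
    draws a fresh k per signature; here k is tied to the subcoin on purpose, so
    that spending the subcoin twice is self-incriminating."""
    p, q, g = group
    R = pow(g, k, p)
    e = challenge(q, R, msg)
    return R, (k + e * x) % q


def verify(group, y, msg, sig):
    """Merchant-side check: g^s == R * y^e (mod p)."""
    p, q, g = group
    R, s = sig
    e = challenge(q, R, msg)
    return pow(g, s, p) == R * pow(y, e, p) % p


def extract_secret(group, msg1, sig1, msg2, sig2):
    """Bank-side double-spend check.  Same commitment R, different challenges:
    s1 - s2 = (e1 - e2) * x (mod q), hence x = (s1 - s2) / (e1 - e2) mod q.
    Returns None when the two transcripts do not share a subcoin."""
    _, q, _ = group
    R1, s1 = sig1
    R2, s2 = sig2
    if R1 != R2:
        return None        # different subcoins: two honest spends, nothing leaks
    e1, e2 = challenge(q, R1, msg1), challenge(q, R2, msg2)
    if e1 == e2:
        return None        # the same transaction replayed, not a second spend
    return (s1 - s2) * pow((e1 - e2) % q, -1, q) % q


def demo(seed=2001):
    """Spend one subcoin twice; returns (true secret, secret recovered by bank)."""
    rng = random.Random(seed)
    group = gen_schnorr_group(rng)
    p, q, g = group
    x = rng.randrange(1, q)            # wallet holder's long-term secret
    y = pow(g, x, p)                   # public key carried in the common subcoin
    k = rng.randrange(1, q)            # ephemeral k fixed by one subcoin
    tx1 = b"merchant=alice amount=0.01 nonce=7f3a"   # constructed transactions
    tx2 = b"merchant=bob amount=0.01 nonce=19c4"
    sig1, sig2 = spend(group, x, k, tx1), spend(group, x, k, tx2)
    assert verify(group, y, tx1, sig1) and verify(group, y, tx2, sig2)
    return x, extract_secret(group, tx1, sig1, tx2, sig2)


if __name__ == "__main__":
    secret, recovered = demo()
    print("second spend exposes the key:", recovered == secret)
```

The merchant accepts each spend on its own, because each is a valid Schnorr signature; only the party that sees both transcripts can combine them. That is the division of labour the notes describe: off-line acceptance, with identity released only on a second spend of the same subcoin.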
The second paper was Offline Payments without Trusted Hardware by Matt Blaze, John Ioannidis, Angelos Keromytis (AT&T, AT&T, UPenn), presented by Angelos Keromytis.

The design decisions began with a single observation: avoid hardware, because trusted hardware fails catastrophically. When it is broken, all the wallets are broken. As opposed to concentrating risk, distribute risk in an appropriate per-transaction manner. Tolerate and manage the risks of bad transactions. Use credentials to encode risk management. The user has a credential, which encodes a risk profile. Assumes occasional communication for credential validation but does not require constant connectivity. In order to create a reasonable level of risk management the maximum value is low (e.g. $1.25) and credentials are short-lived. So there is no CRL; rather, risk management is embedded with credential extension. The authors argue that this is not unlike the credit system.

This is based on the KeyNote microcheck system developed by UPenn and AT&T, based on a trust management language. Claims other systems require their own clearance systems, [although this was not the case with NetBill or FirstVirtual, or any early aggregator.] Payments are vendor-specific microchecks. Vendors aggregate. The vendor determines how much risk to accept. The KeyNote compliance system is the vendor-specific risk-management mechanism that requires that the vendor manage his or her own risks. Compared to newspaper stands, where there is little theft.

Implemented on a Palm with a Pocari Sweat machine, using a Linux PC as merchant hardware and an SSL port, GNU utilities on Palm hardware under Linux. The billing or clearing service must have a pre-existing relationship with payers. Note that AT&T would be a good party for billing given their micro-billing transactions. In order to support this the central party would have clearance, party fees, or a transaction percentage. No claims on anonymity.
[The work of Ian Simpson isn't referenced but could inform their implementation, IMHO. Ian's paper, Modeling the Risks and Costs of Digitally Signed Certificates in Electronic Commerce, is at www.ini.cmu.edu/NETBILL/pubs/certlife/certlife.html.]

The next paper was one of the two non-crypto papers. This paper was focused on order-of-magnitude calculations which examined the possibility of a trial MicroMint: Practical Problems for Building a MicroMint by Nicko van Someren of www.ncipher.com.

van Someren is the CTO of a company that is trying to implement secure hardware, and argues that the economics of MicroMint make it impossible to introduce because you can scale up but not down. As you may recall, using the birthday paradox, MicroMint uses coins that are hash collisions. Minting is cost-effective because of great economies of scale. Extra criteria can be added, so the scheme can be n-way hash. Coins have a life span based on the work factor of the hash collision. Once spending begins anyone can mint coins, but it takes time, and the bank has a head start. "It is traditional at this conference to present an e-cash scheme so I thought I would make one up" (but doesn't offer secure hardware). Not anonymous. Double spending is tolerable because of very low value transactions and rather traditional risk-management schemes.

Problem: dirty money is cheap. The business model is spending false money while banks are living off interest and fees. Argues that attackers have far more money, but Moore's Law helps the attacker. So van Someren argues that in fact the attacker can produce fraudulent cash with a borderline attack, including Moore's law. Argues that for the system to function effectively the initial investment will be about $100M. MicroMint scales up but not down. The paper in the proceedings argues you need dozens of floor-to-ceiling racks and 0.5 megawatts of electricity in 10,000 sq. ft. to create the hash engine; then sorting the hashes requires 0.25 terabytes of storage. Scales up but not down. Basically only a government could do it. In general argues that the assumptions were cryptographically valid at the time (six years ago) given hardware costs. Thus MicroMint is not feasible today. The need for massive scale in MicroMint makes this system far more expensive. However, he neglects the secret predicate option. His focus is that a system must be able to function as a small prototype. Digital signatures allow this. He proposes using secure hardware since it is easier to scale up.

The next section was a panel on Digital Rights Management, which was chaired by Yair Frankel, who argues the keys to DRM are efficacy, customer acceptance, and diffusion.

David Kravitz, Wave: Management of conditional access keys requires compliance of the set-top box (STB). Assume the CAM is good and the STB is compliant; then the flow from STB to monitor is unencrypted. Proposed enforced licensing of STBs as a legislative solution: forced compliance, making content inaccessible with a non-compliant STB, and requiring phone-home. Wave is concerned with set-top boxes where consumers make multiple content copies. The CAM not only determines what consumers watch but must "log attacks". Proposes that only compliant monitors are allowed. Pirates may not be backward compatible, but those who offer consumer hardware must be. (This is a bit ironic given that the speaker advocates only allowing content to go into compliant monitors.) Consolidated hardware deployment offers the opportunity to replace point solutions by shared solutions and preserve user privacy yet handle revocation.

Barb Fox, Microsoft WebTV: No one has been deterred by the total historical failure of detailed controls. At least three competing DRM standards: W3C, CableLabs. Thus DRM is a life form which is amazingly resilient.
Conditional access currently consists of a massive number of application-specific systems, including digital RM systems and black-box crypto. Barbara suggests that the problem with digital information is that there is a completely immature risk model, whereas in physical or analog systems the risk model is mature. The stakeholders have completely different design parameters. First, industry wants authentication, encryption, renewable, revocable. However, for there to be widespread adoption the system must be coherent, cheap, privacy-preserving, and use rational risk management. Finally, for efficacy the system must be robust, scalable, and support flexible decentralized management.

Jeremy Wyant, NTRU: Device-based systems are what he proposes. He sells a toolkit. He provided an overview of the possible set of technologies: watermarking, fingerprinting, encryption, authentication, network scanning, fees on blank media, and an honor system. He agreed with/repeated/expanded on what Barb said, in detail, e.g. flexibility in terms of computability and ease of use. Proposes that a minimalist DRM on trusted devices that is supported by a critical mass of content providers would be widely adopted.

Thomas Sander, Intertrust: DRM is dynamic in both business model and technology. The current goal is convenient anytime, anywhere access to your music. The ultimate goal is to try to tie the right of use of content to a particular person. Thomas proposes lockers which track what you have rights to access, and argues that portability is the core current technical challenge. Usability is terrible. However, second-generation products are improving. Must be backward compatible. Strong legal protection will protect DRM investment because there is no way to run a legitimate business using copyrighted content on the net without the consent of rights holders. OTOH, technology companies influence content strategies. NCa: Southern Ca doesn't get it. SCa: Yes, but we already have it, and to get content on-line you have to play our way. Loss management needs to be a critical element. Consider that in pay TV most protection schemes have been broken, but there is still plenty of money to be made. In DVD there was no proven monetary damage; in terms of crypto it was broken, but in terms of business DVD still works. He suggested that versioning is not like QoS as it exists in the net access market. If you could combine the ease of use of Napster with the fidelity that a commercial service can provide, people are willing to pay for it. Audit vs. privacy is a major research issue. Intertrust has deployed technology with Universal, BMG, and Bertelsmann. Learned that the shopping cart model works better than the wallet model in the US. In Europe the wallet model works better. Conclusion: economics is on the side of digital distribution and the technology for adequate DRM already exists.

Scott Moskowitz, Blue Spike: Scott starts by saying he has very different views. Advocates steganographic ciphers with traditional encryption. Believes that artists should sign work, and then trace and bust the thieves. There are two different risk models. The current concept of DRM is pay before viewing. In contrast, watermarking models a "look and then pay, or we trace you". Market note: 10 movies account for 90% of store revenue and 83 recordings provide 25% of sales. This implies that under the current blockbuster model DRM could focus on very few titles. Scott believes the highly skewed blockbuster model is a result of free consumer choice, not market structure, and that this distribution will continue on the net. Argues that consumers advocate DRM that "reduces value"; fair use and first sale are culturally ingrained and reasonable. He believes in risk management but calls it balancing copyright and privacy. A security system must first add value and then do no harm.

Audience: I am disturbed by this discussion.
DRM is not a technological problem. DRM takes away rights like fair use.

Audience: How to balance rights and detecting infraction vs. anonymity and privacy?

Joan Feigenbaum: There is an unstable, bubbling legal cauldron. The whole challenge is not technology or law but rather business. The panel agrees. (DRM is narrow and economically deterministic.)

Audience: Napster allows you to find music on the hard drive of someone who has similar interests. Napster allows consumers to be DJs, etc. Napster allows customers to listen first. Napster has radically increased CD sales.

Scott: Napster has radically reduced singles sales.

Matt Blaze suggests that those who would remove fair use and first sale through technology lose the social bargain of copyright.

David suggests putting the ball in the owners' court.

Thomas: It is not the lack of DRM -- it is the content owners. The content owners are making plenty of money and are not interested in cannibalization of their own business model. DRM is just an excuse or an attempt to keep business models unchanged.

TUESDAY FEB 20

The first session is on Groups and Anonymity. Avi Rubin, the Chair, jokes that this was kind of an umbrella session of good papers that need not necessarily be grouped together.

Group authentication protocol: prove one belongs to a group without revealing identity. Requires the following steps:
Setup: an authority chooses parameters
Registration: a user becomes a member of a group with or without revealing identity
Anonymous authentication: anonymous certificate
Properties:
Completeness: works with honest players
Soundness: only group members can be authenticated
Anonymity: non-revocable anonymity
Efficiency: less strong requirement
Biblio: FC 99: Schechter, Parnell, Hartemink; FC 00: Handley

I however think that the work of Brands provides the ability to prove group membership. But that is a general, expensive solution and this may be a cheaper, specific solution.
Setup: p; g a generator; u a public constant; z, w the private keys of the authority; v = u^w mod (p-1).
User data: user secret key x; user public key y = g^x mod p. These keys are used for other applications, to prevent users handing off anonymous membership.
Registration: the authority chooses a in the space of g. The authority computes a1 = (g y^z)^a mod p and a2 = a^w mod (p-1). The user now has a certificate (a1, a2). The user can prove she knows the discrete log; you can use Schnorr or a zero-knowledge protocol to prove this.

Criticisms of Homage in the paper: suppose a user knows n, m such that m = n^z mod p. Then such a user can construct a valid, bogus proof of membership. The user can obtain the zth root of some number m by constructing her challenge in the verification of soundness. A solution is proposed (sending a hash of the verification, rather than the verification, which is the zth root of m). The authority can break anonymity by using different secret keys z to compute certificates and then distinguishing users during authentication. In order to avoid this it is necessary to avoid verification. The author proposes a new mechanism using zero-knowledge proofs for verification.

An audience member argues that the protocol is not completely broken. In fact, the audience member argues that all the flaws found and fixed in the protocol were found and fixed last year. Is the protocol broken or going through normal iterative improvement?

The first paper was On the Security of the Homage Group Authentication Protocol. The Homage paper was presented, and accepted, at a previous FC when its author was a high school student. Both respect and concern for a young colleague resulted in somewhat harsh questioning.

The next paper was Anonymity without Cryptography by Dahlia Malkhi and Elan Pavlov, and Dahlia presented it. This was an excellent presentation. Crypto-free communication, assuming secure channels, using Anonymous Multi-Party Computation; uses Chaum's mixnets. Really it is with less crypto (as Dahlia notes first thing in the talk).
This would allow use with pervasive devices with low processing power. No infrastructure required. There are fairly secure channels usable without crypto, e.g. regular mail. The initial secure channel assumption is only needed to bootstrap the protocol. Also, there already exist SSL connections, so this requires no additional infrastructure after the initial communication between users.

Describes mixes, which are effectively onion routing with the removal of timing attacks. Of course onion routing/mixing requires multiple public key encryptions. As opposed to encryption, the messages are broken into shares and the initial shares are sent as elements. At each level message values are split and remerged. So any function used must be homomorphic: F(a % b) = F(a) % F(b), where % is one of {+, *, xor, ...}. Thus it is restrictive but practical. Like this:
Initiator and recipient agree on a permutation and a function
Initiator: m = (x1), (x2)
Sends the tuples as distinct messages
Second layer performs permutation (y1, y2)
Recipient receives (x1, y1) and (x2, y2) and can calculate m

The goal here was the creation of a new primitive. Its main practical feature is that it requires no heavy calculation by the client. This is a building block for various security applications, perhaps ideal for wireless environments.

Then Fair Tracing Without Trustees by Dennis Kugler and Holger Vogt was presented. A protocol which provides coin tracing without owner tracing. The goals of the protocol are:
Legal tracing: tracing is legal if approved by a judge
Illegal tracing: illegal if not approved by a judge
Fair tracing: legal tracing is possible but illegal tracing is not
In order to enable this, tracing is detectable after the fact. Therefore if illegal tracing has occurred it is detectable, tracing is auditable, and illegal tracing is provable. The decision to trace coins must be made at generation of the coins. After the coin is spent, the validation of the coin both implements and identifies coin tracing.
Gross generalization: the coin is generated with a second key, x = a^PKB (mod p), as opposed to PKB (mod p). No additional trusted parties hold sensitive data. The goal is to build in later auditing rather than long-term trust. (Generally what is done in terms of governance today.) The audience has mixed feelings. Is traceable anonymity anonymity?

Why the War on Money Laundering Should Be Aborted

This was the big event talk by Richard Rahn. Right-wing rant about money laundering which focuses primarily on the drug war, since the drug war is such an exercise that could be called ludicrous if it were not so relentlessly cruel. Rahn holds a Pepperdine School honorary doctorate. Opposed to money laundering controls. Notes that the political spectrum agrees with him, and defines it as all the way from the Cato Institute to the Enterprise Institute. Invites all to join him in his goal to end controls on money laundering. He has a book out, The End of Money and the Struggle for Financial Privacy; Discovery Institute; ISBN 0963865420. [I do too; mine is Trust and Risk in Internet Commerce, MIT Press.]

[Afterwards I asked him what his plan was. I proposed that the Tobin tax be adopted in exchange for tax evasion money laundering, while the drug war is a distinct issue which could be opposed on its own terms. I still don't know what he thinks about the Tobin tax. I know we are both against the drug war. But money laundering is also used, for example, in the trade of women and children, and the slave trade in general; for example, see the press release here: http://www.ksg.harvard.edu/ksgpress/ksg_news/publications/trafficking.html or http://www.friends-partners.org/partners/stop-traffic/1999/0888.html The drug war issue is tangential to the money laundering issue. (The Tobin tax is a proposal to tax international monetary flows. In theory the funds could be used to assist countries hurt by, for example, currency raids (e.g. Russia, the Asian currency crisis).
Here is the Tobin Tax campaign web site, with definitions and a bibliography. This would be interesting to implement anonymously, since location and tax payment are the only critical bits of information.]

Provably Secure Implicit Certificates by D.R.L. Brown, R. Gallant and S.A. Vanstone

Implicit certificates contain a user's identity, data D, and the CA's public key, which together can be used to reconstruct the public key of the user. In earlier implementations the CA knows the private key of the user. This paper produces a self-certified implicit certificate scheme, meaning that the user generates the private and public keys. Uses an El Gamal signature key. The CA and the user both contribute to the private key. The verifier can compute the user's public key using public information (the public data includes an elliptic curve point, user identifier, CA identity, expiration date, and serial number). This system has considerable computational savings because the computation of the digital certificate and the verification of the user (e.g. the user proves knowledge of the private key) are integrated. This produces at least a factor of two improvement in processing overhead.

Next Joan Feigenbaum presented Nonmonotonicity, User Interface, and Risk Assessment in Certificate Revocation, by her graduate student Ninghui Li and herself. Revocation is a method of managing risk rather than providing security. Has three recommendations.
1. The UI of a PKI should be clear and simple.
2. The difficulty of revocation is caused by temporal non-monotonicity.
3. A certificate illustrates that the issuer believes a statement at issue time t.
4. A revocation of a certificate should cancel the certificate and nothing else.
5. A certificate that serves diverse applications should have flexible revocation schemes.
6. The UI of a PKI should support auditing.
7. We recommend not allowing certificates to be put on hold, in order to simplify auditing.

CRLs prove not that a binding is valid but rather update the fresh time of all valid certificates. Stuart Stubblebine suggests that he has previously published these axioms at a previous FC. [Again I think Ian's work would be helpful.]

Next was a paper on Mutual Authentication for Low Power Mobile Devices by Markus Jakobsson and David Pointcheval. Mobile apps have strict power and computational limits. Also, mobile users interact with a range of switches, not all of which are trustworthy. Thus mutual authentication is required. Using Schnorr, the computation can take place in pre-processing. It enables mutual authentication. Bob decrypts an El Gamal ciphertext to authenticate himself. Alice, who has low power, uses Schnorr to authenticate herself. For a designated server Alice can precompute everything. However, it seems to me that the server usually knows which mobile connection is coming while the client is less aware of handoff management.
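A worked example of the self-certified implicit certificate idea from the Brown, Gallant and Vanstone paper above. This is added example code, not the paper's own: the paper works on an elliptic curve, while this block assumes the ECQV-style construction that grew out of that line of work and carries it out in a Schnorr group mod p (constructed toy parameters, found at import time) so that every step is a single pow() call. Names such as `ca_issue`, `user_finish` and `reconstruct_public` are this example's own, and the Schnorr signature at the end plays the "user proves knowledge of the private key" step the notes mention.

```python
"""Self-certified implicit certificates in a Schnorr group (g of prime order q mod p).
Added example, not the paper's code: the ECQV-style construction is assumed here and
carried out mod p instead of on an elliptic curve so each step is one pow() call."""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    """Miller-Rabin with the first 12 prime bases, exact for n < 3.3e24."""
    if n in _BASES:
        return True
    if n < 2 or any(n % b == 0 for b in _BASES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(qbits=64):
    """Constructed toy group: prime q of about qbits bits, prime p = k*q + 1, g of order q."""
    q = (1 << qbits) + 1
    while not _is_prime(q):
        q += 2
    k = 2
    while not _is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = next(g for g in (pow(h, k, p) for h in (2, 3, 5, 7)) if g != 1)  # g^q = 1 and g != 1
    return p, q, g

P, Q, G = make_group()

def H(*parts):
    """Hash public data (or a commitment and a message) to a scalar mod q."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1

def user_request():
    """The user keeps k secret and sends only R = g^k to the CA."""
    k = rand_scalar()
    return k, pow(G, k, P)

def ca_issue(d_ca, R, ident, expiry, serial):
    """The CA adds its own c, publishes the certificate data and returns its private share s."""
    c = rand_scalar()
    cert = (R * pow(G, c, P) % P, ident, expiry, serial)  # first entry stands in for the curve point
    return cert, (H(*cert) * c + d_ca) % Q

def user_finish(k, cert, s):
    """Private key d = e*k + s; only the user, who knows k, can form it, so the CA never learns it."""
    return (H(*cert) * k + s) % Q

def reconstruct_public(cert, ca_pub):
    """Verifier: Q_user = cert_point^e * Q_CA, with no separate certificate signature to check."""
    return pow(cert[0], H(*cert), P) * ca_pub % P

def schnorr_sign(d, msg):
    """Proof of knowledge of d: the 'user proves knowledge of the private key' step."""
    r = rand_scalar()
    commit = pow(G, r, P)
    return commit, (r + H(commit, msg) * d) % Q

def schnorr_verify(pub, msg, sig):
    commit, resp = sig
    return pow(G, resp, P) == commit * pow(pub, H(commit, msg), P) % P

def demo():
    """Returns (reconstructed key equals g^d, signature verifies, tampered cert is rejected)."""
    d_ca = rand_scalar()
    ca_pub = pow(G, d_ca, P)
    k, R = user_request()
    cert, s = ca_issue(d_ca, R, "alice@example.test", "2002-02-20", 42)  # constructed identity data
    d = user_finish(k, cert, s)
    pub = reconstruct_public(cert, ca_pub)
    sig = schnorr_sign(d, "transfer 10 units")
    tampered = (cert[0], "mallory@example.test") + cert[2:]  # changing any cert field changes e
    return (pub == pow(G, d, P),
            schnorr_verify(pub, "transfer 10 units", sig),
            schnorr_verify(reconstruct_public(tampered, ca_pub), "transfer 10 units", sig))
```

Because d = e*(k+c) + d_CA and the reconstructed key is g^(e*(k+c)) * g^d_CA, the two agree only for the exact public data hashed into e, which is why a tampered identity yields a key under which the user's signature no longer verifies.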
[Here are a couple of other papers on wireless commerce: www-csl.cs.colorado.edu/csci7000/mobile_papers/peirce99.pdf and the O project which I am geographically required to mention [PDF] info.lcs.mit.edu/data.ws/Research%20Highlights%20rev.%205.pdf Notes on a wireless e-commerce conf which complement this paper are available at http://www.cs.dal.ca/~akerman/wireless.html]

_______________________
Rump Session Notes from Tuesday

The European Bridge-CA: Connecting Existing PKIs, Bernhard.esslinger@db.com
Apps today assume PKI, but how do you connect multiple PKIs between businesses/consumers? In fact the problem is too many PKIs, and there are problems with all of them:
PGP - requires an experienced user; users make bad security managers
Identrus - good only for B2B
Netscape - trust the software provider
n:n complete network - doesn't scale, excessive
Bridge CA: star topology, the best way to address this; managed by NFT NGO

Efficient & Secure Protocol for Stock Market, Shin'ichiro Matsuo, NTT
Proposes a broker-free market that uses PKI to identify the right of users to buy and sell. Proposes hashing (stock, prices) and looking for matches; the search mechanism allows users to expose upper and lower bounds of a price range, and the search matches the highest acceptable seller price with the lowest acceptable buyer price. Provides fairness, verifiability, undeniability, anonymity. Claim: will always find the Pareto optimal price.

How to Leak a Secret, presented by Shamir
Starts with the relationship between finance and crypto, using the "time = money" email joke. Seriously, the goal: an anonymous leak that verifies group membership (e.g. in the cabinet) without showing identity. The Deep Throat protocol:
Assume a PKI exists; all have well-known keys
No trusted authorities
Efficient for large groups
Sender remains information-theoretically anonymous within the group
Sender can later prove he or she sent it
A set is defined by a set of keys. A member signature is x1^2 (mod m1) XOR x2^2 (mod m2) XOR ...
== h(m). Proves group membership; the sender can recreate it later.

NanoMint, Donald Beaver, CertCo Inc
Argues MicroMint would work with DNA computing because volume would be critical and Moore's law won't apply. How serious was he? I cannot say.

Exact Payments in Electronic Cash by Yiannis Tsiounis, CTO and co-founder of InternetCash Corp
Great outline and comparison of various Internet commerce mechanisms. I want to use the slides for my class. This is as good an overview of all the mechanisms as I have seen, in the set-up section.

Selective Disclosure Envelopes, presented by Rene Peralta from Yale
His research focus is to develop a primitive that allows selective elements of a message to be exposed by the owner. His goal is not unlike Incogno's. He uses the complexity of construction of VLSI logic assuming only NAND gates. Minimizes as if for layout and then counts the order of uncertainty by delay (e.g. count 1 for every gate delay in series).

Self-Protecting Pirates, presented by Aggelos Kiayias
A story about broadcast piracy. Suppose pirates are aware of tracing and that they cooperate and compare outputs of data streams. Put keys outside the box so that only pirates can cooperate in the pirate network. Cooperatively determine data flow - distinct data results from attempts at tracing - pirates detect all attempts at tracing.

_________________________
WEDNESDAY FEBRUARY 21

The first session was concerned with examining single-use credit card numbers, which are a popular way of addressing credit card fraud over the net. Off-line Generation of Limited-Use Credit Card Numbers by Aviel Rubin and Rebecca Wright was presented by Rebecca. They argue that small changes in the infrastructure would allow much more security. Given the 16-digit limit on credit card numbers, any attack on credit card numbers can fairly easily succeed.
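Returning to the Deep Throat protocol from Tuesday's rump session notes above, here is an added worked example of the member signature as the talk sketched it: the XOR of x_i^2 mod m_i over every ring member must equal h(m). This is not Shamir's code nor the published scheme (it keeps only the XOR-of-squares check, not the combining-function details), and it assumes Rabin-style moduli built from constructed small primes congruent to 3 mod 4 so that the one member who knows the factors can take the square root that closes the ring.

```python
"""Toy 'Deep Throat' ring signature: x1^2 (mod m1) XOR x2^2 (mod m2) XOR ... == h(msg).
Added example following the rump-session sketch, not Shamir's slides or the published
scheme. Moduli are constructed from small primes = 3 mod 4 (toy sizes, no security)."""
import hashlib
import secrets

HASH_BITS = 20  # truncated hash fits under every constructed modulus (all > 2^20)

def _small_primes_3mod4(lo, hi):
    """Constructed key material: odd primes in [lo, hi) that are 3 mod 4."""
    out = []
    for n in range(lo | 1, hi, 2):
        if n % 4 == 3 and all(n % d for d in range(3, int(n ** 0.5) + 1, 2)):
            out.append(n)
    return out

def make_ring(n_members):
    """Each member: private (p, q), public m = p*q. All public moduli define the ring."""
    ps = _small_primes_3mod4(1000, 1600)
    privs = [(ps[2 * i], ps[2 * i + 1]) for i in range(n_members)]
    return privs, [p * q for p, q in privs]

def h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (1 << HASH_BITS)

def _sqrt_mod_blum(y, p, q):
    """A square root of y mod p*q for p, q = 3 mod 4; None if y is not a residue."""
    if pow(y, (p - 1) // 2, p) != 1 or pow(y, (q - 1) // 2, q) != 1:
        return None
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def ring_sign(msg: bytes, moduli, signer: int, signer_priv):
    """The signer picks random x_i for every other member and solves for its own x_s
    so that the XOR of all squares equals h(msg); only a factor-holder can do this."""
    p, q = signer_priv
    target = h(msg)
    while True:
        xs = [secrets.randbelow(m) for m in moduli]
        need = target
        for i, m in enumerate(moduli):
            if i != signer:
                need ^= pow(xs[i], 2, m)
        if need >= moduli[signer]:  # must be a residue below m_s; fresh randoms and retry
            continue
        root = _sqrt_mod_blum(need, p, q)
        if root is not None:
            xs[signer] = root
            return xs

def ring_verify(msg: bytes, moduli, xs) -> bool:
    """Anyone can check that some ring member signed, without learning which one."""
    if len(xs) != len(moduli) or any(not 0 <= x < m for x, m in zip(xs, moduli)):
        return False
    acc = 0
    for x, m in zip(xs, moduli):
        acc ^= pow(x, 2, m)
    return acc == h(msg)

def demo():
    """Returns (valid ring signature verifies, altered message fails, wrong ring fails)."""
    privs, moduli = make_ring(5)
    msg = b"constructed leak: the cabinet meets on Tuesday"
    sig = ring_sign(msg, moduli, 3, privs[3])  # member 3 signs; the signature does not say so
    return (ring_verify(msg, moduli, sig),
            ring_verify(b"constructed altered text", moduli, sig),
            ring_verify(msg, moduli[:-1], sig))
```

The signer's own x_s is distributed like the random x_i of the other members, which is what gives the "anonymous within the group" property; the expected retries in `ring_sign` come from needing the XOR residue to be a quadratic residue below the signer's modulus.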
Audience: The 13- to 16-digit card number change was a huge expense, and ANY change in infrastructure is massively expensive.
Matt: The benefit to the consumer is not only an increase in security but also privacy.
Shamir: Is the cost of infrastructure change excessive? (I was in the back and could not clearly hear his comments.)

A Security Framework for Card-Based Systems, presented by Yiannis Tsiounis
Offers a formal model of credit cards and proposes the CardSec product. Discusses InternetCash. With card-present transactions one cannot expand the space and create card numbers, and currently the signature authenticates. In contrast, MOTO transactions (MOTO stands for mail order / telephone order; it means card not present) have problems. They are forgeable: although the credit card space is unexpandable, the amount can be changed, and the credit card number can be used multiple times. The formal ideal is that one cannot expand the space and create card numbers, and a PIN authenticates. This would make MOTO transactions still forgeable, at least unexpandable, yet still the amount can be changed. As long as one reuse requires a PIN, the merchant can replay if the merchant sees the PIN. Credit cards would comply with the security definition IF the combination of credit card number and PIN were long enough and always kept secret from the merchant. Thus the proposal for InternetCash cards offers a card id: 9 digits base 32, with a card security code: 11 digits base 32, and requires the use of a user PIN: 4-8 chars. (Authentication and signature function: HMAC-SHA1.) Total security is 75 bits. The paper includes a cost analysis.

SecureClick: A Web Payment System with Disposable Credit Card Numbers
Adi Shamir addressed the problem of developing a more secure payment system for the web. Proposes a disposable credit card system. Soon it will be implemented and used for 1/2 of all cards in Israel. He is not a founder of the company but a security consultant.
Discusses manner in which it addresses security while still remaining feasible in the market. Practical stuff. Internet Cash Payment Protocol It offers the following: security against parallel attacks guarding against adversarial changes of payment information immunity to replays creation of secure channel between InternetCash and customer Promises an update on the trial in Israel next year. Panel on Internet Voting Participants Chair: Moti Young Avi Rubin AT&T Ed Gerck Safevote Ron Rivest MIT Ron Rivest Edison patent 90846 for mechanical voting for Congress, never adopted because it was "too fast" and did not fit the cultural realities [For example the voting period sometimes allows horse trading. Constituent service, capital improvements, etc. are traded in order to build coalitions. While we may classify all of this as "pork", removing it is a political problem and not something to be done via technical fiat. ] MIT and CalTech working on alternative voting technologies Secure platform problem is very serious Buying and selling votes must be policed. Anonymous political contributions are currently mited by size, electronic systems should not enable political smurfing. How can we bring financial crypt to bear on this problem? Absentee ballot analogous to one-time credit card number Casting a vote like an electronic coin Integrity is MOST IMPORTANT Auditing is incredibly important Lack of uniform technology makes systemic fraud more difficult, heterogeneity is critical Disabled voters are critical Absentee ballots are critical. The security community is not ready at this tim to enable on-line voting. Ron's favorite: fill in bubbles with scanning at site Ed Gerck, PhD Ed is the CEO of SAFEVOTE. He spends time on cpsr-activists discussing voting so any questions can easily find a good discussion forum there. Ed thinks the technology is past ready. Public votes must be: Anonymous, Secure, Reliable, Trusted Acknowledges valid concerns that need to be addressed. 
Discusses the situation in Brazil, with zero fraud and 100% logging. Ed is very ready to talk about his system. Check his site or engage him on the CPSR activists email group.

VoteHere: Andy Neff
At the least, electronic voting should not be worse. It's going to happen no matter what we do. There are classes of electronic voting not to be confused: e-voting includes digital voting, DRE machines, and optical scanning machines (Louisiana voting fraud in 1999, where someone had altered the DRE machines' software); i-voting, in contrast, includes voting over the network using generic platforms. There have been military votes for president using a system provided by Booz Allen: 84 votes at a cost of about 8,000,000. Used full PKI. After authentication, personnel selected choices, transmitted over SSL. Created a paper record. Arguments against i-voting: digital divide; security; loss of community. The events in the election of 2000 put perhaps too much light onto the problem, so that changes may be made for the sake of quick change. Risk that the better technology will be lost. Successful trials in WA, FL, OH, IA, VA, AK, AZ. Refused to do the AZ Democratic vote or the LA Republican party because of lack of security. Proposes that the problems in those systems were the result of the consultants hired and their lack of strict technical integrity. Fundamental distinction in SafeVote: SafeVote is built on a subscription model, in that the SafeVote people remain to operate the machines and provide oversight. SafeVote tries to address some of the human problems with the voting system.

Avi Rubin, AT&T
Approach it as an engineering problem with the realities of the installed base. Threat variables: election type, expertise and skills, resources needed to disrupt, motivation of potential attackers, disruption necessary to sway the election, Internet voting, technical awareness.
Issues:
- vote coercion
- vote sale
- vote solicitation (imagine a banner ad that says "DO YOU LIKE A? Then click here to vote for A")
Technical issues:
Securing the platform
Securing the communications channel
Assuring availability of the network
Registration
Authentication in both directions
Maintaining equitable costs (no poll tax)
Wintel is installed. It's real, it's flawed and it exists. Think BackOrifice. It is totally inadequate as a voting machine. The Internet is totally inadequate as a network. The ratio of the cost of disruption to the result of disruption is far too low.

Bob Hettinga (sp?) wants to talk about finance and voting, not public voting, because this is political cryptography, not financial cryptography.

Matt Blaze says fraud and error are quite possible, but the difficulty of accomplishing fraud is proportional to the amount of fraud you can perform; however, there are catastrophic failures in networked systems. We do not need to accept the idea that Internet voting is what we are going to have. Our role is not to make it happen but rather to prevent it from happening.

I made a very strong statement, noting that some of the factual statements were wrong. For example, Andy Neff said that there was a divide in plumbing and that was fine. In fact the right was passionately opposed to publicly funded water systems. Cholera epidemics finally motivated widespread investment in public water supplies. I accused him of political autism. My point was meant to be that the distribution of risk in a voting system is deeply social and political. While those debates about risk distribution should be informed by technical understanding, making technical decisions about risk distribution is fundamentally political and social. (My comments were scathing and I meant them to be far less so. I hate it when I do that. Andy Neff is a committed, intelligent, ethical person. But still I think the problem of specifications is an (admittedly irrational) political one, not a strictly scientific one.
Having technical expertise in a democracy can be frustrating because people have the right to be wrong.)

The discussion was so passionate that it was determined that the other panel would meet after lunch.

Q: Do we understand the systems that do exist? Is it the nature of paper itself that gives us a false sense of confidence? Can we inspect a system? Do we understand all modes of failure? Does having four people look at the number make it right?

A speaker said that technical people struggling to do the right thing should not be scathed.

Stefan Brands has put forward a proposal for shared key systems. He proposes this would provide anonymity but certification for voting. Andy Neff offers threshold privacy, where the VoteHere system offers threshold voting.

The discussion was so animated that the session on Markets and Multiparty Computations was delayed until after lunch. This session, chaired by Moti Yung, had two papers.

The first paper, Privacy for the Stock Market, addresses the issue of allowing large stock transactions to be made in private, so that observers will not obtain traffic information. In particular, sometimes the identity of the buyer or seller could change the price of the stock. Stock markets are a specific case of auctions, and the work may be fairly classified into that literature.

The second paper, Distributed Computing with Payout, addresses the problem of correctness for distributed computing. While massively distributed computing, with SETI being the canonical example, is technically possible, there is no mechanism for widespread verification of the correctness of the computation. Thus the findings and calculations done in these projects depend on the goodwill of the users. In the case of SETI a positive answer is sufficiently unlikely that any supposed positive can be checked.
However, there is no mechanism for the situation where the bulk of the calculations have to be trusted, and there is an economic incentive to cheat and fake results. If the business potential of massively distributed computing is to be met, then there need to be both reliable payment mechanisms and certainty about the correctness of the calculation purchased.

THURSDAY, THE LAST DAY

The first paper of the last day began as I was getting my tea, so I do not know the name of the presenter. Monotone Signatures is by David Naccache, David Pointcheval and Christophe Tymen. Predicates are monotone if for any input x, Pn(x) => Pn-1(x) => ... => P1(x). Monotone signatures require a key generation algorithm, a signing algorithm, and a list of n monotone verifying algorithms. This offers the following properties: completeness; soundness (no existential forgery); indistinguishability (missing public keys should not change the distribution of the t+1 certificate). In most systems the idea is that keys are kept and that revocation is an unusual event. In this system the possibility/reality of fraud is addressed in the design by depending on a predicate and key generating function, as well as by creating messages such that the verifier can determine on which dates they may be valid but the attacker cannot. Properties of Schnorr: to prevent n corruptions requires n random values. And clearly this is incredibly expensive. Okamoto-Schnorr improves on this cost. MSS offers improvements by hiding relationships between the key generation and signing algorithms. Rivest suggests that this is similar to the revealed predicate in MicroMint. Shamir says the signature size has an upper bound of k. A: only the verifier and signer need to know k; it is hidden.

The Power of RSA Inversion Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme was presented by C.
Namprempre (who goes by Miao). Critical topics in coin creation: unforgeability and anonymity. RSA is secure, but other than noting that it is a one-way function, the basis of RSA security in a transactional system is not well understood. In order to evaluate digital signature schemes it is important. Building on the work on one-more forgery, where the forger can get q signatures and is successful if the forger can create q+1 coins, e.g. the forger is assumed to have access to the oracle. RSA is homomorphic, E(a)*E(b) = E(ab), thus coins must be constructed to remove this homomorphism. Chaum's blind signatures were quickly reviewed in her talk, necessary for most audiences. The problem the paper is trying to show is that the Chosen Target Inversion Problem is easy to solve without an underlying proof that RSA is NP-complete. If Chaum's signature protocol is forgeable then the CTI problem is easy to solve. The CTI problem can be solved in polynomial time. They have proven the unforgeability of Chaum's scheme. RSA inversion problems such as CTI problems capture new issues of RSA and are of independent interest. No questions.

Optimistic Fair-Exchange with Transparent Signature Recovery
Presented by a colleague; neither author could make the conference. Transparent means that whatever occurs, the participants at the end will have correct signatures. An example of fairness: an airline ticket is provided bit-by-bit, as is payment. A trusted third party should be used only during set-up and dispute resolution. The TTP can either give an affidavit or can be transparent. (Recommends the work of Asokan.) [Non-English exchange with Shamir.
For my purposes, an encrypted exchange.]
The transaction is as follows:
P -> C: encrypted item and provider's commitment
C -> P: client's committed signature on the item's description
P -> C: item and provider's final signature on the item's description
C -> P: client's final signature on the item's description
The TTP will produce final signatures from the committed signature and will transmit the item to the client or the payment to the provider. Maintains that this provides a high level of atomicity.

[Very similar in goals to the work on NetBill by Sirbu, Tygar, etc. The difference between them may be in efficiency. NetBill requires one DES and two public key encryption operations. NetBill requires no operations but read on case of default. This seems to have traded efficiency for grace in design. However, it is more efficient than a zero knowledge protocol. Substitutes computation for communication. Assumes identity of consumer for purposes of dispute resolution.]

[I believe that anonymity is sacrificed for dispute resolution. However, the authors were not there so they could not address my concerns. My big thing in e-commerce was anonymous rollback and a system which would not allow framing of consumers even if all security parameters failed. It's at http://www.ljean.net/acd/acd.html in an old form; a newer one should soon be at http://www.ljean.net/tse.html]

Quick auction review common to the two following papers:
English: buyers bid up
Dutch: sellers bid down
Sealed bid auctions provide privacy of bidders
Vickrey auction: sealed bid has first price and second price auctions. First price is M=0, second price is M=1.
M items, n>M bidders. Bids (m_n, m_{n-1}, ..., m_j, ..., m_0); the winning price is m_M and all winners pay m_j, but only parties (n, j+1) win, where M = n-(j+1).

(M+1)st Price Auction presented by Hiroaki Kikuchi, who offered his email as Kikn@p.u-tokai.ac.jp
Identities and specific bids are usually exposed even in an M>0 auction. This information is not necessary, and can be hidden for all auctions.
Hiroaki offers an anonymous sealed-bid mechanism. Threat models: dishonest bidders. Bidders can conspire to control winning prices. Non-repudiation is required to prevent bidder conspiracy. Auctioneer: leaks information. Blackmail: forced bidder conspiracy. Literature review: work has been done on Dutch auctions and on distributed auctioneers / trust in auctioneers; also the oblivious evaluator. Here the focus is on distributed approaches. Idea: homomorphism of the sum of polynomials. The degree of the polynomial represents the bid. Calculate the bid of largest degree. Bidders calculate shares of the polynomial (like secret sharing) and each auctioneer has some integer x. Using verifiable secret sharing, bidders can detect cheating by auctioneers. Auctioneers can prove the correctness of results. An additional polynomial identifies winners. The prices offered by the individual bidders are never known, but the price paid by the winners is known. Since this works on the Vickrey auction, this works on all auctions. Sorry, couldn't hear the question. Still sitting in the back next to my outlet.

Non-interactive Private Auctions, presented by Olivier Baudron
Very good overview of previously published approaches to auctions. Bids are encrypted via predicates, and the protocol maximizes for each predicate. Bit-comparison of predicates. The winner receives zero as predicate comparisons. The winner proves submission of the highest bid. For Vickrey auctions the protocol is run each time until the jth winner is reached. More expensive than the previous protocol and exposes more information. For Dutch and English auctions an innovative design.

I am definitely coming to this conference next year.
====================================================================
Staying in Touch
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to (which is NOT automated) with subject line "subscribe postcard".
To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".
Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy, by Anish Mathuria
====================================================================

The Reader's Guide from past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
May 1, 2001
====================================================================

Vrije Universiteit, Amsterdam, The Netherlands
Postdoc/Assistant Professor (internet security). Positions available immediately.
www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering, George Mason University, Fairfax, VA
1 Tenure-track and 1 visiting position in security (05/01/00)
Areas of particular interest: Computer security, networking, data mining and software engineering. Search will continue until positions are filled.
ise.gmu.edu/hire/

Department of Computer Science, Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC. Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty.html

Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory. Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology, Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications. Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science, Naval Postgraduate School, Monterey, CA
Junior and Senior Tenure Track Positions in Professorship
Areas of particular interest: Computer Security, but applicants from all areas of Computer Science will be considered. Applications begin immediately and are open until filled.
apache.cs.nps.navy.mil/app/

Department of Computer Science, Florida State University, Tallahassee, FL
Tenure-track positions at all ranks. Several positions available. (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/

Naval Postgraduate School Center for INFOSEC Studies and Research, Monterey, CA
Visiting Professor (Assistant, Associate, or Full Professor levels) (9/98)
Areas of particular interest: Computer and information systems security.
cisr.nps.navy.mil/jobs/npscisr_prof_ad.html

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you).

Members of the IEEE Computer Society may join the TC via an https link. The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------

Last Name                First Name               Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                  State
___________________________________________________________
Country                               Postal Code
___________________________________________________________
Office Phone                          Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________

[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you.

Proceedings of the IEEE Symposium on Security and Privacy
--------------------------------------
2000  $25.00
1999  -- SOLD OUT --
1998  $15.00

For domestic shipping and handling, add $3.20 (3 volumes or fewer).
For overseas delivery:
-- by surface mail, please add $5 per order (3 volumes or fewer)
-- by air mail, please add $10 per volume

If you would like to place an order, please specify
* how many issues you would like, and
* where to send them, and
* the shipping method (air or surface) for overseas orders.
For mail orders, please send a check in US dollars, payable to the "2000 IEEE Symposium on Security and Privacy" to:

Brian J. Loe
Treasurer, IEEE TC on Security and Privacy
Secure Computing Corp.
2675 Long Lake Rd.
Roseville, MN 55113
U S A

For electronic orders, in addition to the information above, please send the following credit card information to brian.loe@computer.org:
- the name of the cardholder,
- type of card (VISA, Mastercard, American Express, and Diner's Club are accepted)
- credit card number, and
- the expiration date.

You may use the following PGP public key to encrypt any information that you're not comfortable sending as cleartext.

You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

Proceedings of the IEEE CS Computer Security Foundations Workshop

The most recent Computer Security Foundation Workshop (CSFW13) took place the 3rd through 5th of July 2000 in Cambridge, UK. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each. Copies of earlier proceedings starting with year 5 are available at $10. Photocopy versions of year 1 are also $10. Checks payable to "Joshua Guttman for CSFW" may be sent to:

Joshua Guttman, MS A150
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420
USA
guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Past Chair:
Charles P. Pfleeger
Arca Systems, Inc.
8229 Boone Blvd, Suite 750
Vienna VA 22182-2623
(703) 734-5611 (voice)
(703) 790-0385 (fax)
c.pfleeger@computer.org

Vice Chair:
Michael Reiter
Bell Laboratories
600 Mountain Ave., Room 2A-342
Murray Hill, NJ 07974 USA
(908) 582-4328 (voice)
(908) 582-1239 (fax)
reiter@research.bell-labs.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
EL233 JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
SRI International
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #42, May 1, 2001===========