Subject: Electronic CIPHER, Issue 53, March 20, 2003

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 53                                   March 20, 2003
Jim Davis, Editor                       Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor           Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Information and Preliminary Program for the IEEE Symposium on
    Security and Privacy, the Claremont Resort, Oakland, CA, USA,
    May 11-14, 2003.
  o Cipher calls-for-papers and calendar
    13 new calls added since Cipher E52:
    - IEEE Security & Privacy issue on Understanding Privacy
      (submissions due July 31, 2003) www.computer.org/security
    - The 9th IEEE International Conference on Emerging Technologies
      and Factory Automation (submissions due March 31, 2003)
      www.uninova.pt/etfa2003
    - Sixth International Symposium on Recent Advances in Intrusion
      Detection (submissions due March 31, 2003)
      www.raid-symposium.org/raid2003
    - The Second International Workshop on Mathematical Methods, Models
      and Architectures for Computer Networks Security
      (submissions due April 1, 2003) http://space.iias.spb.su/mmm-acns03/
    - New Security Paradigms Workshop (submissions due April 4, 2003)
      www.nspw.org
    - International Conference on Software Engineering and Formal
      Methods (submissions due April 14, 2003)
      www.svrc.uq.edu.au/Events/SEFM03/cfp.html
    - The 2003 International Conference on Emerging Technologies
      (submissions due May 1, 2003) www.rfbinternational.com
    - The 10th ACM Conference on Computer and Communications Security
      (submissions due May 9, 2003) www.acm.org/sigs/sigsac/ccs/CCS2003/
    - Adaptive and Resilient Computing Security
      (submissions due June 1, 2003) Email: robert.ghanea-hercock@bt.com
    - The 19th Annual Computer Security Applications Conference
      (submissions due June 1, 2003) www.acsac.org
    - The Workshop on Rapid Malcode (submissions due July 1, 2003)
      http://pisa.ucsd.edu/worm03/
    - The First Theory of Cryptography Conference
      (submissions due August 27, 2003) www-cse.ucsd.edu/users/mihir/tcc/
    - 2004 International Workshop on Practice and Theory in Public Key
      Cryptography (submissions due September 20, 2003)
      www.i2r.a-star.edu.sg/pkc2004/
  o Program for the WITS'03, the Workshop on Issues in the Theory of
    Security, April 5-6, 2003
* Commentary and Opinion
  o Robert Bruen's review of Firewalls and Internet Security
    (2nd edition) by William Cheswick, Steven Bellovin and Aviel Rubin
  o Review of the Seventh International Financial Cryptography
    Conference (Gosier, Guadeloupe, January 27-30, 2003) by Jean Camp
  o Review of the Australian Industry Group's workshop on "Threats to
    Australia's Security" (Melbourne, February 19, 2003) by Vernon Stagg
  o NewsBits: Announcements and correspondence from readers
* Reader's guide to recent security and privacy literature,
  by Anish Mathuria (new entries March 15, 2002)
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you this issue of Cipher!
In it you will find conference reports by Vernon Stagg and Jean Camp, a
book review by Robert Bruen, plus the links to new calls for papers. We
would also like to thank Eugen Bacic for contributing the memoriam for
our colleague Milan Kuchta.

On another sad note, you have no doubt heard of the passing of our friend
Roger Needham on February 28, 2003. You can find several nice tributes
and recaps of Roger's very long list of contributions at
http://research.microsoft.com/users/needham/needham.aspx and
http://research.microsoft.com/users/needham/. It's not surprising to
note that nearly everyone uses the word "pioneer" when describing his
accomplishments. He was truly a leader with a vision for our community
and will be greatly missed.

As always, thanks to our colleagues who contribute to Cipher!

Best regards,
Jim Davis
davis@iastate.edu

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events maintained by
Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

--------------
* 3/26/03- 3/28/03: WPET 2003, Dresden, Germany; www.petworkshop.org
* 3/31/03: ETFA 2003, Lisbon, Portugal; http://www.uninova.pt/etfa2003
* 3/31/03: RAID 2003, Pittsburgh, PA; http://www.raid-symposium.org/raid2003
--------------
* 4/01/03: MMM-ACNS-2003, St. Petersburg, Russia; http://space.iias.spb.su/mmm-acns03/
* 4/4/03: NSPW 2003, Ascona, Switzerland; http://www.nspw.org/
* 4/5/03- 4/6/03: WITS '03, Warsaw, Poland; http://www.dsi.unive.it/IFIPWG1_7/index.html
* 4/13/03- 4/17/03: CT-RSA 2003, San Francisco, CA; http://reg2.lke.com/rs3/rsa2003/crypto.html
* 4/16/03- 4/18/03: NetCompApp '03, Cambridge, MA; www.cs.utk.edu/~mbeck/NCA03/NCA03-cfp.pdf
* 4/22/03: BITE 2003, Angers, France; www.iceis.org/
* 4/28/03- 4/29/03: PKI '03, Gaithersburg, MD; http://middleware.internet2.edu/pki03/
* 4/28/03- 4/30/03: ITCC, Las Vegas, Nevada; www.cs.clemson.edu/~srimani/itcc2003/cfp.html
--------------
* 5/1/03: ACNS '03, Kunming, China; http://www.onets.com.cn/dhe.htm
* 5/1/03: ISC '03, Bristol, UK; http://www.hpl.hp.com/conferences/isc03/call_for_papers.htm
* 5/1/03: ICET '03, Minneapolis, Minnesota; http://www.rfbinternational.com/ICET03.htm
* 5/9/03: CCS 2003, Washington, DC; http://www.acm.org/sigs/sigsac/ccs/CCS2003/
* 5/11/03: SNPA 2003; www.icc2003.com/workshop1.html
* 5/11/03- 5/14/03: IEEE S & P, Oakland, California; www.ieee-security.org/TC/SP-Index.html
* 5/15/03: ICICS '03, Mongolia, China; http://www.cstnet.net.cn/icics2003/
* 5/18/03- 5/21/03: IRMA 2003, Hershey, PA, USA; www.irma-international.org/
* 5/20/03- 5/24/03: WWW-SEC-2003, Budapest, Hungary; www.www2003.org
--------------
* 6/1/03: ACSAC 19, Las Vegas, Nevada; http://www.acsac.org/
* 6/2/03- 6/3/03: SACMAT '03, Como, Italy; www.acm.org/sigsac/sacmat/
* 6/4/03- 6/6/03: POLICY 2003, Lake Como, Italy; www.labs.agilent.com/policy2003/
* 6/5/03- 6/6/03: EIT 2003, Indianapolis, IN; www.cis-ieee.org/eit2003
* 6/23/03: WISP, Eindhoven, Netherlands; http://www.iit.cnr.it/staff/fabio.martinelli/wisp-cfp.html
* 6/25/03: AMS 2003, Seattle WA; http://www.caip.rutgers.edu/ams2003
* 6/26/03- 6/28/03: WISE 3, Monterey, CA, USA; cisr.nps.navy.mil/wise3/
* 6/26/03- 6/27/03: FCS '03, Ottawa, Canada; http://www.cs.stanford.edu/~iliano/fcs03/
--------------
* 7/1/03: WORM, Washington, DC; http://pisa.ucsd.edu/worm03/
* 7/2/03: CSFW 16, Pacific Grove, CA; www.csl.sri.com/csfw/index.html
* 7/9/03- 7/11/03: ACISP 2003, Wollongong, Australia; http://www.itacs.uow.edu.au/research/NSLabs/acisp03/
--------------
* 8/4/03- 8/6/03: IFIP WG11.3, Estes Park, Colorado; http://www.cs.colostate.edu/~ifip03
* 8/17/03- 8/21/03: CRYPTO '03, Santa Barbara, CA; www.iacr.org/conferences/crypto2003/cfp.html
* 8/18/03- 8/21/03: NSPW 2003, Ascona, Switzerland; http://www.nspw.org/
* 8/25/03- 8/29/03: SIGCOMM 2003, Karlsruhe, Germany; http://www.acm.org/sigcomm/sigcomm2003
* 8/25/03- 8/26/03: ICET '03, Minneapolis, Minnesota; http://www.rfbinternational.com/ICET03.htm
--------------
* 9/28/03-10/1/03: ICON 2003, Sydney, Australia; www.ee.unsw.edu.au/~icon/
* 9/1/03- 9/5/03: TRUSTBUS '03, Prague, Czech Republic; http://www.uni-regensburg.de/Fakultaeten/WiWi/pernul/dexa03ws/
* 9/8/03- 9/10/03: RAID 2003, Pittsburgh, PA; http://www.raid-symposium.org/raid2003
* 9/16/03- 9/19/03: ETFA 2003, Lisbon, Portugal; http://www.uninova.pt/etfa2003
* 9/20/03: PKC '04, Singapore; http://www.i2r.a-star.edu.sg/pkc2004/
* 9/20/03- 9/24/03: MMM-ACNS-2003, St. Petersburg, Russia; http://space.iias.spb.su/mmm-acns03/
--------------
* 10/1/03-10/3/03: ISC '03, Bristol, UK; http://www.hpl.hp.com/conferences/isc03/call_for_papers.htm
* 10/2/03-10/3/03: CMS 2003, Turin, Italy; http://security.polito.it/cms2003/
* 10/10/03-10/13/03: ICICS '03, Mongolia, China; http://www.cstnet.net.cn/icics2003/
* 10/16/03-10/19/03: ACNS '03, Kunming, China; http://www.onets.com.cn/dhe.htm
* 10/27/03-10/31/03: CCS 2003, Washington, DC; http://www.acm.org/sigs/sigsac/ccs/CCS2003/
* 10/27/03: WORM, Washington, DC; http://pisa.ucsd.edu/worm03/
--------------
* 12/8/03-12/12/03: ACSAC 19, Las Vegas, Nevada; http://www.acsac.org/
--------------
* 3/1/04- 3/4/04: PKC '04, Singapore; http://www.i2r.a-star.edu.sg/pkc2004/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

IEEE Security & Privacy, George Cybenko, Editor. Theme: Understanding
Privacy, Nov/Dec 2003 Issue. (submissions due July 31, 2003)

Privacy is a growing concern in today's networked world. The Nov./Dec.
issue of IEEE Security & Privacy will be devoted to privacy: its
technological, commercial, and social aspects. Papers dealing with the
following privacy-related topics are welcome:
- identity theft and related abuses;
- consumer and business practices and trends affecting privacy;
- information ownership, competing claims, unresolved ambiguity;
- legal and criminal issues;
- privacy leakage case studies;
- relationships and trade-offs between security and privacy;
- privacy-enhancing technologies;
- relationships between privacy management and digital rights
  management;
- formal models and definitions of privacy; and
- database issues in privacy protection.
See www.computer.org/security.
ETFA'2003 The 9th IEEE International Conference on Emerging Technologies
and Factory Automation (Special session on IT Security for Automation
Systems), September 16-19, 2003, Lisbon, Portugal. (submissions due
March 31, 2003)

Due to the increased interconnection between plant-floor systems and
enterprise-level computer systems, up to and including public networks
like the Internet and based on Internet protocols (HTTP/TCP/IP), IT
security issues and concerns have also reached the domains of automation
IT systems and automation communication networks. IT security needs,
constraints, and mechanisms for automation systems differ in various
ways from those of the office computing environment, which creates the
necessity, but also the opportunity, for novel approaches. For this
special session papers are solicited which are concerned with:
- Specific security needs of automation systems, e.g. with respect to
  security objectives, usage scenarios, system topologies/architectures
  or operating environment.
- Specific security mechanisms, devices, processes, protocols and
  architectures for automation systems.
- IT security audits for automation devices and systems.
More information can be found at www.uninova.pt/etfa2003.

RAID'2003 Sixth International Symposium on Recent Advances in Intrusion
Detection, Pittsburgh, PA, USA, September 8-10, 2003 (submissions due
March 31, 2003)

The RAID International Symposium series is intended to further advances
in intrusion detection by promoting the exchange of ideas in a broad
range of topics. Paper submissions and panel proposals are invited on
the following types of topics:
- Assessing, measuring, and classifying intrusion-detection systems
- IDS cooperation and integration
- IDS interoperability standards and standardization
- IDSs in high-performance and real-time environments
- Vulnerabilities and attacks
- Innovative approaches
- Practical considerations
More information can be found on the conference web page at
www.raid-symposium.org/raid2003.

ECIW 2003 European Conference on Information Warfare and Security,
University of Reading, United Kingdom, June 30-July 1, 2003. (abstracts
due April 1, 2003)

The second European Conference on Information Warfare and Security
(ECIW) is an opportunity for academics, practitioners and consultants
from Europe and elsewhere who are involved in the study, management,
development and implementation of systems and concepts to combat
information warfare or to improve information systems security to come
together and exchange ideas. The conference in July 2003 is seeking
qualitative, experience-based and quantitative papers as well as case
studies and reports of work in progress from academics, information
systems practitioners, consultants and government departments. Topics
may include, but are not limited to: e-Intelligence/counter-intelligence,
perception management, information warfare theory, electro-magnetic
pulse weapons, information, computer and network security, cryptography,
physical security, security policy, information warfare policy,
information warfare techniques, hacking, infrastructure warfare,
national security policy, corporate defence mechanisms, security for
small to medium enterprises, cyber terrorism, ethical, political and
social issues relating to information warfare, information warfare and
security education, and legal issues concerned with information warfare
and e-Crime.
In addition to multiple streams of papers, the conference committee is
inviting proposals for workshops and tutorials on topics related to
information warfare and research methods applicable to this field. The
full call-for-papers and registration details can be found at
www.mcil.co.uk/conf-management.htm.

MMM-ACNS-2003 The Second International Workshop "Mathematical Methods,
Models and Architectures for Computer Networks Security", September
20-24, 2003, St. Petersburg, Russia. (submissions due April 1, 2003)

The objective of the 2003 workshop is to bring together leading
researchers from academia and governmental organizations as well as
practitioners in the area of computer networks and information security,
and to facilitate personal interactions and discussions on various
aspects of information technologies in conjunction with security
problems arising in large-scale computer networks engaged in information
storing, transmitting, and processing. The complete call for papers,
with a list of topics of interest and information on local
arrangements, can be found on the workshop web page at
http://space.iias.spb.su/mmm-acns03/.

NSPW 2003 New Security Paradigms Workshop, Centro Stefano Franscini,
Ascona, Switzerland, August 18-21, 2003. (submissions due April 4, 2003)

For eleven years the New Security Paradigms Workshop has provided a
stimulating and highly interactive forum for innovative approaches to
computer security. In order to preserve the small, focused nature of the
workshop, participation is limited to authors of accepted papers and
conference organizers. NSPW is highly interactive in nature. Authors are
encouraged to present ideas that might be considered risky in some other
forum. All participants are charged with providing feedback in a
constructive manner. The resulting brainstorming environment has proven
to be an excellent medium for furthering the development of these
ideas. The proceedings, which are published after the workshop, have
consistently benefited from the inclusion of workshop feedback.

Because we expect new paradigms, we accept wide-ranging topics in
information security. Papers that present a significant shift in
thinking about difficult security issues, or that build on a previous
shift, are welcomed. Our program committee particularly looks for new
paradigms, innovative approaches to older problems, early thinking on
new topics, and controversial issues that might not make it into other
conferences but deserve to have their try at shaking and breaking the
mold. More information can be found on the conference web page at
www.nspw.org.

ESORICS 2003 8th European Symposium on Research in Computer Security,
Gjøvik, Norway, October 13-15, 2003 (submissions due April 11, 2003)

Papers offering novel research contributions in any aspect of computer
security are solicited for submission to the Eighth European Symposium
on Research in Computer Security (ESORICS 2003). Organized in a series
of European countries, ESORICS is confirmed as the European research
event in computer security. The symposium started in 1990, has been held
in alternate years in different European countries, and attracts an
international audience from both the academic and industrial
communities. From 2002 it is held yearly. The Symposium has established
itself as one of the premier international gatherings on Information
Assurance. Papers may present theory, technique, applications, or
practical experience on topics including:
- access control
- accountability
- anonymity
- applied cryptography
- authentication
- covert channels
- cryptographic protocols
- cybercrime
- data integrity
- denial of service attacks
- dependability
- firewalls
- formal methods in security
- inference control
- information flow control
- information warfare
- intellectual property protection
- intrusion detection
- intrusion tolerance
- language-based security
- network security
- non-interference
- privacy-enhancing technology
- pseudonymity
- security as quality of service
- secure electronic commerce
- security administration
- security evaluation
- security management
- security models
- security metrics
- security requirements engineering
- security verification
- smartcards
- steganography
- subliminal channels
- survivability
- system security
- transaction management
- trustworthy user devices
More information about the conference can be found at
www.hig.no/esorics2003/.

SEFM'2003 International Conference on Software Engineering and Formal
Methods, Brisbane, Australia, September 22-27, 2003. (submissions due
April 14, 2003)

The objective of the conference is to bring together practitioners and
researchers from academia, industry and government to exchange views on
the theoretical foundation of formal methods, their application to
software engineering and the socio-economic impact of their use. Authors
are invited to submit both research and tool papers. The scientific
program will include paper and tool presentations, tool demonstrations,
tutorials and invited talks. More information can be found on the
conference web page at www.svrc.uq.edu.au/Events/SEFM03/cfp.html.
First International Mobile IPR Workshop: Rights Management of
Information Products on the Mobile Internet, Helsinki, Finland, August
27-28, 2003 (submissions due April 25, 2003)

The MobileIPR Workshop welcomes papers on all aspects of rights
management related to information products such as music, electronic
books, videos, multimedia, games, or software distributed on the Mobile
Internet, commercially or otherwise. Relevant topics include, but are
not limited to:
- Digital rights management (DRM) and technical tools to protect and
  manage rights, e.g. cryptographic systems, watermarking, rights
  expression languages, and rights management databases.
- Intellectual property rights (IPR): copyright, database right, patent,
  and trademark.
- Privacy in relation to rights management, including protection of
  confidential information.
- Contracts, especially open source licensing models in software and
  content production.
- Societal and policy issues, including the effect of non-governmental
  organizations and citizens' activism.
- Control of information products, including economic and ethical
  rationales.
- Business models related to rights management.
- User-contributed content and rights management.
- Rights management in peer-to-peer, super-distribution, and other new
  distribution models.
- Related enabling technologies and their impact on digital rights
  management.
We welcome both full and short (experience) papers as well as extended
abstracts that address different aspects of rights management. More
information can be found on the workshop web page at
www.hiit.fi/de/mobileipr/workshop/.

ECOOP 2003 Workshop on Exception Handling in Object Oriented Systems:
towards Emerging Application Areas and New Programming Paradigms,
Darmstadt, Germany, July 21-25, 2003. (submissions due April 25, 2003)

The workshop will provide a forum for discussing the unique requirements
for exception handling in existing and emerging applications, including
pervasive computing, ambient intelligence, the Internet, e-science,
self-repairing systems, and collaboration environments. We invite
submissions on research in all areas of exception handling related to
object oriented systems, in particular: formalisation, distributed and
concurrent systems, practical experience, mobile object systems, new
paradigms (e.g. object oriented workflows, transactions, multithreaded
programs), design patterns and frameworks, practical languages (Java,
Ada 95, Smalltalk, Beta), open software architectures, aspect oriented
programming, fault tolerance, and component-based technologies. We
encourage participants to report their experiences of both benefits and
obstacles in using exception handling, practical results in using
advanced exception handling models, and best practice in applying
exception handling for developing modern applications in existing
practical settings. To participate in the workshop, prospective
attendees are required to submit 4-7 page position papers (in the LNCS
format) to Alexander Romanovsky (alexander.romanovsky@ncl.ac.uk) by
April 25. Additional information can be found on the workshop web page:
www.cs.ncl.ac.uk/~alexander.romanovsky/home.formal/ehoos2003.html.

SecCo 2003 1st International Workshop on Security Issues in Coordination
Models, Languages and Systems (affiliated with ICALP 2003), Eindhoven,
the Netherlands, June 28-29, 2003. (submissions due April 27, 2003)

Coordination models and languages, which advocate a distinct separation
between the internal behaviour of the entities and their interaction,
represent a promising approach. However, due to the openness of these
systems, new critical aspects come into play, such as the need to deal
with malicious components or with a hostile environment. Current
research on network security issues (e.g. secrecy, authentication,
etc.) usually focuses on opening cryptographic tunnels between fully
trusted entities. For this to work the structure of the system must be
known beforehand. Therefore, the proposed solutions in this area are not
always exploitable in this new scenario. The aim of the workshop is to
cover the gap between the security and the coordination communities.
More precisely, we intend to promote the exchange of ideas, focus on
common interests, gain in understanding/deepening of central research
questions, etc. Topics of interest include, but are not limited to:
theoretical foundations, specification, analysis, case-studies and
applications for
- authentication
- integrity
- privacy
- confidentiality
- access control
- denial of service
- service availability
- safety aspects
- fault tolerance
in
- coordination models
- open-distributed systems
- mobile ad-hoc networks
- agent-based infrastructures
- peer-to-peer systems
- global computing
- context-aware computing
- component-based systems
- ubiquitous computing
More information can be found at cs.unibo.it/secco03

ISC'03 6th Information Security Conference, Bristol, United Kingdom,
October 1-3, 2003. (submissions due May 1, 2003)

Original papers are solicited for submission to ISC 2003. ISC aims to
bring together individuals involved in multiple disciplines of
information security to foster exchange of ideas. Topics of interest
include, but are not limited to:
- Access Control
- Applied Cryptography
- Cryptographic Protocols
- Digital Rights Management
- E-Commerce Protocols
- Formal Aspects of Security
- Information Hiding
- Intrusion Detection
- Key Management
- Legal and Regulatory Issues
- Mobile Code & Agent Security
- Network & Wireless Security
- Software Security
- Security Analysis Methodologies
- Trust Management
More information can be found on the conference web page at
www.hpl.hp.com/conferences/isc03.
ICET'03 The 2003 International Conference on Emerging Technologies,
Minneapolis, Minnesota, USA, August 25-26, 2003. (submissions due May 1,
2003)

The goal of this conference is to foster cross-disciplinary interaction
in emerging technologies that are approaching sufficient maturity for
initial commercialization. By providing insights from the academic,
research, industry, and funding communities, the conference will foster
discussion of the interactions between emerging technologies and of the
insights that can be harvested from other disciplines. Major areas of
interest for this conference are: Trusted and Reliable Systems;
Interconnected Computing; and Integrated Bio/hardware/software Systems.
More information is available at www.rfbinternational.com.

ACNS'03 First MiAn International Conference on Applied Cryptography and
Network Security, Kunming, China, October 16-19, 2003. (submissions due
May 1, 2003)

The first MiAn International Conference on Applied Cryptography and
Network Security (ACNS'03) will be held in Kunming, China on October
16-19, 2003, organized by MiAn (ONETS) Pte Ltd and in cooperation with
the local government. Original papers on all aspects of applied
cryptography and network security are solicited for submission to the
conference. Areas of interest include but are not restricted to:
Biometric Security Applications, Cryptographic and Anti-cryptographic
Analysis, Cryptographic Applications, Data Recovery and Coding,
Differential Power Attacks, Efficient Implementation, Firewall and
Intrusion Detection, GPRS and CDMA Security, Identification and Entity
Authentication, Key Management Techniques, Network Protocol and
Analysis, PKI/PMI and Bridge CA, Secure e-commerce and e-government,
Security Management and Strategy, Smart Card Security, Verification and
Testing of Secure Systems, Virus and Worms, VPN and SVN, WLAN and
Bluetooth Security. More information can be found at the conference web
page at www.onets.com.cn/dhe.htm.

IICIS'2003 Sixth IFIP TC-11 WG 11.5 Working Conference on Integrity and
Internal Control in Information Systems, Lausanne, Switzerland, November
13-14, 2003. (submissions due May 2, 2003)

Confidentiality, integrity and availability are high-level objectives of
IT security. The IFIP TC-11 Working Group 11.5 has been charged with
exploring the area of the integrity objective within IT security and the
relationship between integrity in information systems and the overall
internal control systems that are established in organizations to
support corporate governance codes. The goals for this conference are to
find answers to the following questions: what is the status quo of
research and development in the area of integrity and internal control;
where are the gaps between business needs on the one hand and research
and development on the other, and what needs to be done to bridge these
gaps; and what precisely do business managers need to have confidence in
the integrity of their information systems and their data. Topics of
interest include:
- integrity and internal control in Enterprise Resource Planning
  systems
- integrity and internal control in e- and m-commerce applications and
  infrastructure
- integrity and internal control in financial systems
- developments in internal control concepts and the impact on integrity
  requirements
- integrity standards
- methods for dealing with incomplete or inconsistent information
- efficient methods for checking integrity
- integrity requirements necessary to implement an internal control
  structure within an organization
- integrity of archival data
- integrity and authentication of digital documents
- trustworthy computation
More information and the full call-for-papers can be found on the
conference web site at
http://lbd.epfl.ch/e/conferences/IICIS03/index.html.

CCS2003 The 10th ACM Conference on Computer and Communications Security,
Washington, DC, USA, October 27-31, 2003. (submissions due May 9, 2003)

Papers offering novel research contributions in any aspect of computer
security are solicited. The primary focus is on high-quality original
unpublished research, case studies, and implementation experiences.
Papers should have practical relevance to the construction, evaluation,
application, or operation of secure systems. Theoretical papers must
make a convincing argument for the practical significance of the
results. Theory must be justified by compelling examples illustrating
its application. The primary criterion for appropriateness for CCS is
demonstrated practical relevance. CCS can therefore reject perfectly
good papers that are appropriate for theory-oriented conferences. Topics
of interest include:
- access control
- accounting and audit
- security for mobile code
- data/system integrity
- cryptographic protocols
- intrusion detection
- key management
- security management
- information warfare
- security verification
- authentication
- database and system security
- applied cryptography
- smart-cards and secure PDAs
- e-business/e-commerce
- inference/controlled disclosure
- privacy and anonymity
- intellectual property protection
- secure networking
- commercial and industry security
More information can be found at www.acm.org/sigs/sigsac/ccs/CCS2003/.

ICICS'03 5th International Conference on Information and Communications
Security, Huhehaote City, Inner-Mongolia, China, October 10-13, 2003.
(submissions due May 15, 2003)

Information and communication security is a challenging topic at the
best of times. This conference series brings together researchers and
scholars to examine important issues in this area. Original papers on
all aspects of information and communications security are solicited
for submission to ICICS2003.
Areas of interests include but not limited to: Access control, Anonymity, Authentication and Authorization, Biometric Security, Data and System Integrity, Database Security, Distributed Systems Security, Electronic Commerce Security, Fraud Control, Information Hiding and Watermarking, Intellectual Property Protection, Intrusion detection, Key Management and Key Recovery, Language-based Security, Operating System Security, Network Security, Risk Evaluation and Security Certification, Security for Mobile Computing, Security Models, Security Protocols, Virus and Worms. More information can be found on the conference web page at www.cstnet.net.cn/icics2003/. Adaptive and Resilient Computing Security (ARCS), Santa Fe Institute Workshop, SFI, NM, November 5-6, 2003. (submissions due June 1, 2003) This workshop is the second in the series and will focus on the theme of adaptive defence of information and computing networks. The aim is to stimulate novel approaches to securing the information infrastructure. In particular the workshop will consider long-term developments and research issues relating to the defence of information networks. The driving scientific motivation for this workshop is to further our understanding of adaptive and self-organising mechanisms that can be applied to the development of resilient and robust information networks. In particular it will provide a forum for commercial and academic researchers to exchange concepts and issues within this domain. Following a highly successful first event, this workshop will be based on two specific sub-themes. These are: - Bio-inspired Defence Systems - Adaptive Security Mechanisms Some of the specific problems, which will be addressed, include: - Design of self-healing networks - Optimization versus robustness - Machine learning and defence strategies - Dynamic stability in large-scale networks - Self & non-self recognition, Immunology models If interested please submit an extended 4 page abstract to Dr. 
Robert Ghanea-Hercock / BTexact technologies, Adastral Park, Admin 2, Martlesham, Suffolk, UK. Email: robert.ghanea-hercock@bt.com ACSAC 19 The 19th Annual Computer Security Applications Conference, Las Vegas, Nevada USA, December 8-12, 2003. (submissions due June 1, 2003) The 19th Annual Computer Security Applications Conference is an internationally recognized conference that provides a forum for experts in information system security to exchange practical ideas about solving real problems. Papers and proposals that address the application of technology, the implementation of systems, and lessons learned will be given special consideration. The ACSAC Program Committee is looking for papers, panels, forums, case studies presentations, tutorials, workshops, and works in progress that address practical solutions to problems related to protecting commercial enterprises or government information infrastructures. A list of topics of interest along with other conference information can be found at www.acsac.org. The Workshop on Rapid Malcode (in association with 10th ACM Conference on Computer and Communications Security), Washington, D.C., October 27, 2003. (submissions due July 1, 2003) In the last several years, Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. The vehicle for these outbreaks, malicious codes called "worms", leverage the combination of software monocultures and the uncontrolled Internet communication model to quickly compromise large numbers of hosts. Current operational practices have not been able to manage these threats effectively and the research community is only now beginning to address this area. The goal of this workshop is to bring together ideas, understanding and experience bearing on the worm problem from a wide range of communities including academia, industry and the government. 
We are soliciting papers from researchers and practitioners on subjects including, but not limited to:
- Modeling and analysis of propagation dynamics
- Automatic detection, characterization, and prediction
- Analysis of worm construction, current & future
- Propagation strategies (fast & obvious vs. slow and stealthy)
- Reactive countermeasures
- Proactive defenses
- Threat assessment
- Forensic methods of attribution
- Significant operational experiences
More information can be found at http://pisa.ucsd.edu/worm03/.

TCC'2004
The First Theory of Cryptography Conference, Cambridge MA, USA, February 18-20, 2004.
(submissions due August 27, 2003)
Papers presenting original research on theoretical and foundational aspects of cryptography are sought. The Theory of Cryptography deals with the paradigms, approaches and techniques used to conceptualize, define and provide solutions to natural cryptographic problems. Consequently, research in this area includes:
- The study of known paradigms (resp. approaches and techniques), directed towards a better understanding and utilization of the latter.
- Discovery of new paradigms (resp. approaches and techniques) that overcome inherent or seemingly inherent limitations of the existing paradigms.
- Formulation of new cryptographic problems and treating them using known or new paradigms (resp. approaches and techniques).
The importance of the Theory of Cryptography is widely recognized by now. This area has contributed much to the practice of cryptography and secure systems as well as to the theory of computation at large. The Theory of Cryptography Conference is a new venue dedicated to the dissemination of results in the area. The conference will provide a meeting place for researchers and be instrumental in shaping the identity of the Theory of Cryptography.
More information can be found at www-cse.ucsd.edu/users/mihir/tcc/.
PKC'04
2004 International Workshop on Practice and Theory in Public Key Cryptography, Singapore, March 1-4, 2004.
(submissions due September 20, 2003)
For the last few years the International Workshop on Practice and Theory in Public Key Cryptography (PKC) has been the main annual workshop focusing on research on all aspects of public key cryptography. The first workshop was organized in 1998 in Japan. Other PKCs have taken place in Australia, France, Japan, South Korea and the USA. PKC has attracted papers from famous international authors in the area. Submissions in all areas related to applications and theory in public key cryptography are welcome, including but not limited to the following areas:
- Theory of public key cryptography
- Design of new public key cryptosystems
- Analysis of public key cryptosystems
- Efficient implementation of public key cryptographic algorithms
- Applications of public key cryptography and PKI
More information can be found on the conference web page at www.i2r.a-star.edu.sg/pkc2004/.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

IWIA 2003 www.ieee-tfia.org/iwia2003/ The First International Workshop on Information Assurance, Darmstadt, Germany, March 24, 2003.
PET 2003 www.petworkshop.org/ Workshop on Privacy Enhancing Technologies 2003, Dresden, Germany, March 26-28, 2003.
SPI 2003 www.vabo.cz/spi/defaulten.htm Security and Protection of Information, Brno, Czech Republic, March 28-30, 2003.
WITS'03 www.dsi.unive.it/ifipwg1_7/wits2003.html Workshop on Issues in the Theory of Security, Warsaw, Poland, April 5-6, 2003.
CHI2003 www.iit.nrc.ca/~patricka/chi2003/hcisec/ ACM Workshop on Human-Computer Interaction and Security Systems, Fort Lauderdale, Florida, USA, April 5-6, 2003.
IPCCC'2003 www.ipccc.org The International Performance, Computing, and Communications Conference, Phoenix, Arizona, USA, April 9-11, 2003.
CT-RSA 2003 reg2.lke.com/rs3/rsa2003/crypto.html Cryptographers' Track, RSA Conference 2003, San Francisco, CA, USA, April 13-17, 2003.
IWWST'03 http://iwwst.org.uk First International Workshop in Wireless Security Technologies, London, UK, April 15-16, 2003.
BITE2003 www.iceis.org/workshops/bite/bite2003-cfp.html The First International Workshop on Business Information Technology Ethics, Angers, France, April 22, 2003.
ICEIS'2003 www.iceis.org 5th International Conference on Enterprise Information Systems, Angers, France, April 23-26, 2003.
ITCC 2003 www.cs.clemson.edu/~srimani/itcc2003/cfp.html International Conference on Information Technology: Coding and Computing, Las Vegas, Nevada, April 28-30, 2003.
PKI 2003 middleware.internet2.edu/pki03/ Second Annual PKI Research Workshop, NIST, Gaithersburg MD, USA, April 28-29, 2003.
Workshop on Data Mining for Counter Terrorism and Security (held in conjunction with the Third SIAM International Conference on Data Mining), San Francisco, CA, USA, May 3, 2003. http://ic.arc.nasa.gov/~ashok
S&P2003 www.research.att.com/~smb/oakland03-cfp.html The 2003 IEEE Symposium on Security and Privacy, Oakland, California, USA, May 11-14, 2003.
IRMA 2003 www.irma-international.org Information Resources Management Association International Conference, Philadelphia, Pennsylvania, USA, May 18-21, 2003.
WWW2003 www.www2003.org/ The Twelfth International World Wide Web Conference, Security & Privacy Track, Budapest, Hungary, May 20-24, 2003.
WEIS2003 mloeb@rhsmith.umd.edu Workshop on Economics and Information Security, College Park, MD, USA, May 29-30, 2003.
CISSE 2003 www.ncisse.org 7th Colloquium for Information Systems Security Education, Washington, DC, USA, June 1-5, 2003.
SACMAT'03 www.acm.org/sigsac/sacmat/ 18th ACM Symposium on Access Control Models and Technologies, Como, Italy, June 2-3, 2003.
IEEE Electro/Information Technology Conference www.cis-ieee.org/eit2003 Indianapolis, IN, USA, June 5-6, 2003.
4th Annual IEEE Information Assurance Workshop, United States Military Academy, West Point, NY, USA, June 18-20, 2003. www.itoc.usma.edu/workshop/2003
FCS'2003 www.cs.stanford.edu/~iliano/fcs03 LICS Satellite Workshop on Foundations of Computer Security, Ottawa, Canada, June 26-27, 2003.
PODSY2003 http://lpdwww.epfl.ch/fgaertner/podsy2003 Workshop on Principles of Dependable Systems, San Francisco, CA, USA, June 22, 2003.
WISP 2003 http://www.iit.cnr.it/staff/fabio.martinelli/wisp-cfp.html Workshop on Issues in Security and Petri Nets, Eindhoven, NL, June 23, 2003.
Special Session on Web Services, First International Conference on Web Services, Las Vegas, NV, USA, June 23-26, 2003. http://tab.computer.org/tfec/icws03
WISE 3 / WECS 5 http://cisr.nps.navy.mil/wise3/ Third World Conference on Information Security Education, and Workshop on Education in Computer Security, Naval Postgraduate School, Monterey, California, USA, June 26-28, 2003.
CSFW16 www.csl.sri.com/csfw/csfw16 16th IEEE Computer Security Foundations Workshop, Asilomar, Pacific Grove, CA, USA, June 30-July 2, 2003.
ACISP 2003 www.itacs.uow.edu.au/research/nslabs/acisp03 The Eighth Australasian Conference on Information Security and Privacy, Wollongong, Australia, July 9-11, 2003.
Security in Distributed Computing (special track of the 22nd Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Systems), Boston, Massachusetts, USA, July 13-16, 2003. www.podc.org/podc2003/
USENIX Security 2003 www.usenix.org 12th USENIX Security Symposium, Washington, DC, USA, August 4-8, 2003.
IFIP WG11.3 2003 www.cs.colsostate.edu/~ifip03 7th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Estes Park, Colorado, USA, August 4-6, 2003.
ECC 2003 www.cacr.math.uwaterloo.ca The 7th Workshop on Elliptic Curve Cryptography, University of Waterloo, Waterloo, Canada, August 11-13, 2003.
TrustBus'03 www.uni-regensburg.de/fakultaeten/wiwi/pernul/dexa03ws/ Trust and Privacy in Digital Business, Prague, Czech Republic, September 1-5, 2003.
7th International Conference on Knowledge-Based Intelligent Information & Engineering Systems (special session on Artificial Intelligence Applications to Information Security), St Anne's College, University of Oxford, U.K., September 3-5, 2003. scalab.uc3m.es/~docweb/AIIS_KES03.html
CHES 2003 www.chesworkshop.org Workshop on Cryptographic Hardware and Embedded Systems, Cologne, Germany, September 8-10, 2003.
CMS 2003 http://security.polito.it/cms2003/cfp.pdf The 7th IFIP Communications and Multimedia Security Conference, Turin, Italy, October 2-3, 2003.
Communications Security Symposium (part of the IEEE GLOBECOM 2003 workshop), San Francisco, CA, USA, December 1-5, 2003. www.globecom2003.com/CFP1.html

____________________________________________________________________
PRELIMINARY PROGRAM
2003 IEEE Symposium on Security and Privacy
May 11-14, 2003
The Claremont Resort, Oakland, California, USA
sponsored by the IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with The International Association for Cryptologic Research (IACR)

Sunday, May 11, 2003
4:00-7:00 Registration and Reception

Monday, May 12, 2003
8:45-9:00 Opening Remarks
9:00-10:30 Session: Anonymity
  "Mixminion: Design of a Type III Anonymous Remailer Protocol" George Danezis (Cambridge Univ.), Roger Dingledine, Nick Mathewson (Free Haven Project)
  "Probabilistic Treatment of MIXes to Hamper Traffic Analysis" Dakshi Agrawal (IBM Watson), Dogan Kesdogan, Stefan Penz (Aachen Univ. Tech.)
  "Defending Anonymous Communication Against Passive Logging Attacks" Matt Wright, Micah Adler, Brian Neil Levine, Clay Shields (U. Mass.)
10:30-11:00 Break
11:00-12:00 Session: IDS
  "Active Mapping: Resisting NIDS Evasion Without Altering Traffic" Umesh Shankar (UC Berkeley), Vern Paxson (ICSI)
  "Anomaly Detection Using Call Stack Information" Henry Hanping Feng (U. Mass.), Oleg M. Kolesnikov, Prahlad Fogla, Wenke Lee (Georgia Tech.), Weibo Gong (U. Mass.)
12:00-1:30 Lunch
1:30-2:30 Invited talk
2:30-3:00 Break
3:00-4:00 Session: OS
  "Defending Against Denial-of-Service Attacks with Puzzle Auctions" XiaoFeng Wang, Mike Reiter (CMU)
  "Pi: A Path Identification Mechanism to Defend against DDoS Attacks" Abraham Yaar, Adrian Perrig, Dawn Song (CMU)
4:00-6:00 5-minute talks

Tuesday, May 13, 2003
9:00-10:30 Session: Formal Methods
  "A Unified Scheme for Resource Protection in Automated Trust Negotiation" Ting Yu, Marianne Winslett (U. Illinois, Urbana-Champaign)
  "Beyond Proof-of-compliance: Safety and Availability Analysis in Trust Management" Ninghui Li (Stanford), William H. Winsborough (NAI Labs), John C. Mitchell (Stanford)
  "Intransitive Non-Interference for Cryptographic Purposes" Michael Backes, Birgit Pfitzmann (IBM Zurich)
10:30-11:00 Break
11:00-12:00 Session: Hardware
  "Specifying and Verifying Hardware for Tamper-Resistant Software" David Lie, John Mitchell (Stanford), Chandramohan Thekkath (Microsoft Research), Mark Horowitz (Stanford)
  "Using Memory Errors to Attack a Virtual Machine" Sudhakar Govindavajhala, Andrew W. Appel (Princeton)
12:00-1:30 Lunch
1:30-2:30 Invited talk
2:30-3:00 Break
3:00-4:00 Session: Hardware & Crypto
  "Secret Handshakes from Pairing-Based Key Agreements" D. Balfanz, G. Durfee (PARC), N. Shankar (U. Maryland), D.K. Smetters, J. Staddon, H.C. Wong (PARC)
  "Random Key Predistribution Schemes for Sensor Networks" Haowen Chan, Adrian Perrig, Dawn Song (CMU)

Wednesday, May 14, 2003
9:00-10:30 Session: Distributed Systems
  "Hardening Functions for Large Scale Distributed Computations" Douglas Szajda, Barry Lawson, Jason Owen (U. Richmond)
  "A Practical Revocation Scheme for Broadcast Encryption Using Smart Cards" Noam Kogan, Yuval Shavitt, Avishai Wool (Tel Aviv Univ.)
  "Using Replication and Partitioning to Build Secure Distributed Systems" Lantian Zheng, Stephen Chong, Andrew C. Myers (Cornell), Steve Zdancewic (U. Pennsylvania)
10:30-11:00 Break
11:00-12:00 Session
  "Vulnerabilities in Synchronous IPC Designs" Jonathan S. Shapiro (Johns Hopkins)
  "Garbage Collector Memory Accounting in Language-Based Systems" David W. Price, Algis Rudys, Dan S. Wallach (Rice)

====================================================================
Commentary and Opinion
====================================================================
____________________________________________________________________
News Briefs
____________________________________________________________________
Mary Ellen Zurko's News Briefs from past issues of Cipher are archived at www.ieee-security.org/Cipher/NewsBriefs.html
____________________________________________________________________
Book Reviews
____________________________________________________________________
Book reviews from past issues of Cipher are archived at www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at www.ieee-security.org/Cipher/ConfReports.html.
____________________________________________________________________
Book Review
By Robert Bruen
March 14, 2003
____________________________________________________________________
Firewalls and Internet Security, Second Edition.
by William Cheswick, Steven Bellovin, and Aviel Rubin
Addison-Wesley 2003. ISBN 020163466X LoC TK5105.875.I57C44 2003. 433 pages. $49.99. Index, Bibliography, two Appendices, list of Acronyms.

The first edition of this book was a very worthwhile book; the second edition is even more so. It has been about ten years between the two editions and a lot has happened during that time. The principles put forth in the first edition are still valid. As an example, in the description of NFS, the authors asserted that while NFS had security problems, it was "not going away anytime soon." Well, the same statement in the second edition is just as correct now as it was then. There are two main differences between the first and second edition. First, the approach is a little different, and second, more material has been added to reflect the developments of the intervening years.
Some of the more humorous parts have been removed, such as the pretend proofs, and the cartoon on the cover has been updated. The Recommendations to Vendors appendix in the first edition is also missing. A quick look finds recommendations for routers to include logging and to distinguish between incoming and outgoing TCP traffic. Since these were good ones, perhaps a list that tells us which recommendations were followed and which were not would be of interest. This is just another example of how good the book was to begin with.

Some of the changes are additional chapters on networking and intrusion detection. Firewalls are clearly related to intrusion detection, but the ID field has also moved forward over the years, so the relationship needed to be fleshed out a bit. Besides the Evening with Berferd, there is also the Taking of Clark, which analyzes the cracking of a system. And the addition of Aviel Rubin to the book cannot go without mention.

In the early days most firewalls were built by hand with only a few kits available. Now that there are a fair number of commercial and free kits, the book emphasizes how to use them. There is still a mention of building your own firewall using ipchains for those who might like to roll their own. The technical explanations are improved and more illustrations have been added. Looking at the bibliography, there are twelve additional pages in spite of the deletion of some of the items on the first list. Naturally the other pointers to resources have been updated as well. The addition of more protocols, tools and applications has made the book even more useful. Things like VPNs, snort, RealPlayer and ssh were simply not around in the early 90s and the web was just beginning. To their credit, the authors did write about the web in the first edition, but it got much more attention in the second edition, its own chapter.

I kept my original copy from 1994 and I think I will hang on to it. It will be on my shelf next to the new edition. This second edition of Firewalls is a must-have book, but there is something to be said about an original. Besides, I would like to spend some more time with that recommendation list.

____________________________________________________________________
Review of The Australian Industry Group "Threats to Australia's Security"
Melbourne, February 19, 2003
by Vernon Stagg
____________________________________________________________________
In February 2003 the Australian Industry Group ran a conference on the "Threats to Australia's Security" across three states. (This review, and associated web links, are available from my website www.infowar.com.au)

Ivan James, Chairman of the AiGroup, provided the introduction and chaired the conference. He discussed the changing environment that businesses face, and warned not to become desensitised to the risks they face.

Speakers

Daryl Williams, the Australian Attorney General, was unfortunately unable to attend but provided a pre-recorded address to delegates. He discussed the heightened level of alert in Australia since September 11, and the fact we can't ignore terrorism or hope it will just go away. He outlined the Australian Government's commitment to strengthen security along with the public campaign to raise awareness. The support, advice, expertise and resources of businesses and the private sector were recognised, as well as the difficulties involved in cooperation between these various entities and government. Efforts in protection of national economic infrastructure, the model of critical infrastructure assurance developed from the Business Government Task Force recommendations, and the forthcoming critical infrastructure protection summit in April were detailed. In describing the physical security and response measures provided by State and Territory services, he reinforced the need to be cautious and prepared.
In recognition of the threats to IT infrastructure he cited the recent DDOS attack on the Internet root servers. The need to secure data, and provide e-security, will be strengthened with the recent AGD/AusCERT scheme to report on attacks. He closed with a description of the recent Cybercrime Act and the enhanced electronic investigative powers provided to law enforcement, claiming "protection of national security and critical infrastructure is now more important than ever. Protect the future".

Dennis Richardson, Director General of the Australian Security Intelligence Organisation, began with a background on ASIO covering its role and powers. Highlighting the changes that terrorism has caused, he pointed out that pre-Sept 11 there was little public knowledge of Usama Bin Laden or Al Qaeda. He went on to discuss a number of terrorist incidents from the mid-90's to 2001 showing that terrorism is not a new issue. He discussed how post-Sept 11 Australia has become a legitimate terrorist target and that the threat levels to various elements of critical infrastructure and chemical, biological, and nuclear facilities have been raised. In discussing the need to apply appropriate security to each sector he indicated the need to determine whether you are part of the national or critical infrastructure, whether your products are of a security-related concern (e.g. fertiliser), whether your company has an overseas presence, and whether your business continuity plans consider collateral damage.

Clive Williams, Director of Terrorism Studies at the Australian National University, outlined various threats to Australia's security environment. Beginning with internal threats he examined:
* ethical activity by board members
* tax evasion
* misuse of organisational resources
* insider information
* personal use of company resources
* sabotage and malicious tampering
* fraud
* extortion from insider activities
* assault and intimidation
* abuse of drugs
* skimming credit cards
Next he looked at external threats, including:
* misrepresentation of an organisation by a competitor
* sabotage of website (e.g. etoys)
* vandalism
* intimidation
* theft
* sabotage
* electronic attack/cybercrime
* identity related crime
* false invoicing
* electronic fraud
* manipulation of share prices
* mail tampering
* misuse of company switchboards
* malevolent hacking
* malicious disruption
* attacks on staff
* occupational violence
He then followed with industrial espionage and the various tools and techniques used, including the threats from temporary staff, cleaning staff (uninhibited access), and the increasing use of electronic communications. Finally he looked at terrorism and politically motivated violence and the high number of businesses affected by terrorism. He pointed out businesses need to be aware of their associations and determine whether they are targets. He also indicated that the perceived threat can be quite different to the actual threat, and that litigation poses a large risk to corporate assets.

Bruce Esplin, Chairman of the Victorian State Emergency Management Committee, began by outlining the relationship between the States, Territories, and the Commonwealth, and how State/Territory services would be first responders to an incident. There is a need to recognise the environmental and economic health of the States, and that each State is different and it will be difficult to develop a National strategy. Looking at the developments in counter-terrorism, he noted the improved cooperation and sharing between States, as well as the need to manage both the crisis and the consequences.
Crisis will be primarily addressed by police and military, whilst consequences deal with emergency management arrangements, public health systems, national anti-terrorist plans, and an enhanced counter-terrorism capacity. He stressed that while public safety is a core responsibility of government, emergency management is a political activity, noting that communities hold government responsible and that communications with the community are critical in the judgement of success or failure. Following a list of emergency management issues, he listed the balances that need to be maintained, being:
* Cost of doing versus Cost of not doing
* Response versus Prevention/Mitigation
* Intelligence gathering versus Intelligence sharing
* Right to know versus Media as a weapon
* Civil liberties versus Security
He looked at the Victorian efforts in protection of critical infrastructure and how the Victorian Police play a role and are assisting in audit and valuation, that a register of critical infrastructure is being developed (over 600 items), and how the Emergency Committee are working with operators and regulating departments in risk assessment. Victoria has a well developed emergency management arrangement, a whole of government approach, well coordinated, multi-agency response and recovery capabilities. [A question raised after this presentation highlighted the benefits of Standards Australia and the risk management (4360) and information security (17799) documents they provide, and forthcoming documents on business continuity planning.]

Diane Sisely, CEO of the Equal Opportunity Commission, considered how workplace discrimination had risen since Sept-11, especially in racial and religious reports/incidents. Citing a number of statistics on these rises, she indicated that Arab people were facing a number of verbal and physical assaults and vilification. The notion of Islamophobia was raised, following from a Macquarie University report on widespread antagonism towards Muslims.
Considering the risks to business from such discrimination, she highlighted the following issues:
* Legislative requirements exist to deal with discrimination in the workplace
* The victims are susceptible to various problems
* Businesses need to grow their markets
* Employ from diverse cultures
* Less immigration = less business opportunities
* If a business is labelled racist, it can have serious consequences
Considering overseas trading and international partners, she expressed the need for clear, insightful leadership on these issues, the ability to deal with systemic issues (be proactive), and compliance with regulations and laws.

Ken Thompson, Project Director of the Critical Infrastructure Review Group (NSW), like many of the other speakers, highlighted the change in the environment. He discussed the development of the National Principles Security Notification Model for Critical Infrastructure that is being adopted nationally. Examining the various levels, he outlined the practical measures required for medium to long term plans, including:
* not to just plan ad hoc
* consider that Australia is not highly populated and has limited financial resources
* utilise the AS/NZS 4360 Risk Management Standard
Discussing the NSW initiative to develop the model, he outlined the need to establish context, develop risk criteria, then identify, analyse, assess, and treat the risks. The model is aimed at providing the minimum security considerations and a risk analysis based on the 4360 Standard.

Geoffrey Ross, Managing Director of Securenet Limited, said businesses need to recognise the new risks that have emerged, especially in an online environment. He stated how the number, frequency and targeting of attacks are increasing and how the Internet has changed security needs. With risks being cumulative, systems that are connected to the Internet are at risk.
He pointed out that whilst security is expensive, businesses should see security as an enabler and aim at achieving a security return-on-investment. He finished by stating: make security a serious issue in your business.

Bruce Gordon, Director of Marsh Pty Ltd, provided an insurance perspective on the risks faced. He examined a breakdown of costs from the World Trade Centre collapse, and how Sept-11 has changed perspectives on insurance. He explained the need to redefine credible/possible hazards, how the definition of "credible" has changed, and how exposure is no longer capable of specific measurement. Policies now have certain terrorism exclusions on liabilities, and various changes have occurred to the Australian reinsurance pool corporate structure. In regards to certain terrorism exclusions, he identified:
* overseas assets
* lack of consistency across insurers
* provisions untested at law
* protection of personnel

Julia Selby, Executive General Manager of Austrade, and Slater Smith, General Manager of the Export Finance and Insurance Corporation, gave a shared presentation on implications for companies in developing and maintaining offshore markets. Examining offshore and overseas markets it was pointed out that business is still occurring overseas, and there are many opportunities available. Companies can maintain contact with overseas clients and customers through physical interaction, representatives, email, and video conferencing. It is important to maintain these relationships during good and bad times, and also to remain aware of a country's status. People were reminded that economic problems existed pre Sept-11, that they can't just blame terrorists or terrorist incidents for world risks, and that terrorism and war threats are only marginally holding back projects and the world economy.
The need to look for risks was detailed through a number of examples such as how the Asian financial crisis affected the Italian clothing manufacturers which in turn affected Australian wool growers.

Robert McNaught, Director of Control Risks Group, finished the conference off with a look at how to protect employees overseas. In considering the heightened risks of political and popular violence, organisations should have effective:
* crisis management
* awareness training
* evacuation planning
Some of the implications if unprepared can include injury or loss of life, business interruption, damaged reputation, or financial loss. He indicated that businesses have an obligation under law ("duty of care") to their employees and should:
* adequately prepare staff
* make an informed assessment of risks
* provide a safety net if something happens
* have employees acknowledge these preparations
* develop a company travel policy
* develop a risk analysis of overseas locations

____________________________________________________________________
Review of the Seventh International Financial Cryptography Conference
Gosier, Guadeloupe, FWI, January 27-30, 2003
by Jean Camp
____________________________________________________________________
Monday 1/27/2003

Keynote talk: Digital Cash - ahead of its time or just a bad idea?
Tim Jones (Mondex)
Session Chair: Rebecca Wright.

Mondex was an attempt to bring crypto to the masses. Why did it fail? Did it have any successes? What was learned?

Tim Jones chose to introduce himself as co-inventor of Mondex and therefore the person whose fault it all is. This is a business presentation on why bringing crypto to the masses failed even with the support of major corporations. "Of all the things we did wrong one was an absolute corker." So he begins with a history of Mondex. Initially the banks chose to create EFTPOS-UK in 1986. The banks conceptualized it as an electronic check and that led to 250£ into an architecture based on a flawed intellectual premise.
There were huge debates he classifies as jihads on DES v. RSA. "EFTPOS-UK was a turkey so it didn't matter but we learned." The UK banks felt debit cards happened _to_ _them_ instead of there being control. The banks wanted to control the next big thing - the charge card, the credit card, and then the debit card using the same architecture. You have high->medium->low transactions so it appears that the next will be ecash. So there was a particular specific search, and then there was a choice for an 'accounted'* model. (An accounted model means that the ecash is debited and then loaded on the card. After it is spent it ends up at the bank again.)

At the close down meeting the right questions were asked: Why don't we have a business case? Because it is too expensive? Why? Because we have all these accounting steps? Why? Because we don't know if the data coming in as money is truly money. So let's get rid of all the steps by implementing RSA, ensuring data, and locating liability appropriately.

March 2, 1990 Mondex insight: every purse in a peer-to-peer network is a secured node that removed the need for accounting steps.

What we did right:
* buckets of market research in multiple countries with quant and qual research
* sound specification and solid build
* excellent security model, intellectually clean, independent of components that could be de-listed without breaking the entire system
* "minimal novelty" approach - do not do anything else new unless you absolutely have to -- too many innovations create too many unexpected interactions. Money is absolutely the ideal product and improving money is extremely difficult.
* secrecy to surprise the market to prevent competition a filibuster.

What we did wrong:
* we built too sophisticated a product. We were too serious about the whole thing. We should have raced to market with a simple one.
* too close to regulators, and they say "hmm, it is very serious and therefore must be extremely complicated." This led to
* "mature scheme controls": in terms of systems and controls Mondex is as mature as VISA, and if you think of the relative risks and market size this is a function of having come from a large, mature and highly regulated industry
* poor marketing strategy. This is the ugly true fact: You Cannot Tolerate a Weak Link in an Innovation Team
* we did not notice the net, because Mondex was a bank, because we had a card, we were not taken seriously. There was quite a lot of "we have pony tails and open-toed shoes and do real crypto and you are a nasty English banker." So we could not get the attention of the right people.

(In my opinion this is a condemnation of the choice to be closed. Not that I am arguing against the existence of the ill-mannered cooler-than-thou dot snob thing happening. Yet I was deeply in net commerce early on, and Mondex was boring because it was closed. There was nothing interesting about having someone show you a black box and say - trust me, this works.)

The corker: We Picked the Wrong Kind of Everywhere

Town trials are the worst way to do diffusion, because an immediate boundary is created: it does not work outside. Even in the town it is impossible to get _every_ single merchant to take it. (Naff off? Is that some English rude word?) So customers are not sure where it works. When you go and do a town trial, the worst merchants will embrace the system, because they are the ones with the worst cash controls and the most severe need for Mondex. The least relevant shops with established facilities took it, like upscale locales. Yet the worse places won't take it (like coin-operated laundries). This was also visible in the Upper West Side trial. Town trials are wrong, and the brand becomes associated with failure. You are also trying to talk to every demographic segment. Redefine everywhere by brand association.
(I believe that is what the EFTPOS cards did because they connected with VISA.) By bonding with a known brand you create a comprehensible customer promise that fits with the way humans extend trust. It also creates a demographic target. It means that instead of getting every single technical challenge right, and making it work in every environment, there is a single technical challenge. You can make it work perfectly in a rather narrow domain rather than work at all everywhere.

Who is closest to getting this right? Mass transit systems. You can buy the cards in petrol stops (that's a gas station for us). Where is Mondex? Well, you can bet on the net. (ha ha ha). The Dutch were going to use interactive television, which is awful. The only product that interactive TV consistently delivers is a screen that says "please wait". Since there are small winnings you can download money from the bank, make the lottery bet, and get your (almost certainly very small) winnings back on the card where you can spend it again. The merchants used UK debit because it was better for them than a check. Koreans are adding it to debit cards. So after two years Mondex will be everywhere.

No one anticipated pervasive networks. These make server ecash possible, in a networked world where the cost of communications is decreasing even faster than processing power (see the work of Andrew Odlyzko for this). M-commerce looks promising. Ring tones and logos are deliverable to Nokia phones. So m-commerce has already gone beyond the fantasy no-revenue model of the Internet. There is a picture of my hotel taken this morning. It is just pants. ("Pants" is the English kid rude word. Americans can translate that as "Stink".) The phone is a Vodafone leading edge. (He also has an Orange SPV. That is Microsoft's first cell phone. It is a bit like a Handspring Treo.) 5 million could subscribe to pay a couple of euros for the next hot new single delivered in MP3 the moment it is released.
Server-based ecash is pants/stink for privacy. IC cards balance the state's right to regulate with the user's right to privacy. So Mondex might come later, because society has not been harmed by privacy loss. Only the elites have experienced true privacy problems.

So every card has a Mondex pin. But the card does not need to be linked with an account, a person or anything else. The pins are token identifiers. Inside each smart card there is a transaction history file. Any user can set it to a record size. It was initially set to a company standard of 10, and users can wipe this by doing a series of cheap transactions. (I do not buy that argument. I think the user should control records distribution and storage. That's not so hard and allows for ease of dispute resolution.)

Contactless has got to happen. People like that flexibility. Contactless makes the product cool. Bankers never think about cool. He proposed a throbbing pellet. If you are into leather, who knows what your token might look like. (I propose that a throbbing token is a completely boy idea. Of course I like boys.)

Security assessment. Public scrutiny is not a sensible way to protect a payment system. On your side of the debate you say that strength requires widespread analysis. Tim advocates controlled access to assessment. Paul Kocher got inside the product with a brilliant differential attack. He dismisses the claims of Texas (Sandia National Labs) of having broken Mondex. Basically he says if someone with the facilities of the US government can break it - that is not the threat model. He believes publishing security holes is not a good idea.

Stuart Schechter: Maybe it is not broken because it is not being used.

TJ: As long as you keep looking and maintain your humility and be honest and humble. (That honesty issue with respect to power and secrets is a chronic problem.)
He concludes by saying the net has delayed ubiquitous computing but it will come, and we will have to agree to disagree on security management.

A truly charming talk. An insight on the meaning of ubiquitous. But IMHO he was so totally wrong on the security by obscurity thing. See Matt Blaze's response to his critics on publishing the master key attack.

Mike Smith: Well, you refuse to believe Sandia.

Tim Jones: That Sandia National Labs can break it means that we have a reasonable work factor. What concerns me is the silicon fabs in Eastern China. So my worry is how fast the fabs in China get access to the information. There is a club of good guys working together.

Nicko: Do you put controls in Mondex that structurally prevent switching value and speed of transaction amounts?

Tim: There are value, origination, merchant, bank. Bank ones hold large money pots. Origination are bank withdrawal. Merchants are up to tens of thousands. There is a velocity of money control.

Adam: There are many systems since ecash, yet these have found no traction. Why?

Tim: Ecash has to be available everywhere. The hurdle to get people to adopt something extra is high. Vodafone and Orange have tried to get people to sign up for a stored value account. This is because of the electronic money controls on ecash. Vodafone and Orange cannot get people to open another account.

Nicko: Can't you solve that by filling up the everything pot and then having the consumers pay for the telecom?

Tim: No, because of a combination of accounting regulation and the fact that telephone companies are the most desperate and cash-strapped companies. Go in today and offer a telecom company the ability to have their cash be credited weeks later than the monies are credited today. It will be a very short conversation. One way to fix this is to allow the operators to credit the telephony portion to balance sheets at a high frequency.

Richard: You are putting much weight on the prediction that people need privacy.
Criminals will be the most attracted. Governments oppose it. Aren't you putting much weight on that guess?

Tim: Proximity cash with a contactless card is more useful for something which is not always on the net. I do think the privacy argument will play through. The server cash will be there. But you can use the same brand and use both cards and tokens. There will be an increasing number of people interested in privacy.

Ray: You mentioned the cards as anonymous, but there is a purse id. Can you link serial transactions?

Tim: The purse id follows the token one step. So some effort can create a layer of indirection by using a clean card.

Q (from someone identifying himself as from Sandia): We have not seen any Mondex cards since the first ones, out of curiosity. You said that we were the only people who loaded money onto it. But is that because we were smart enough or because we were interested and curious?

Tim: We picked the best people we could find and tried to get them to break it. Many people tried to break it. There was a lot of noise, and there was interest. Ross Anderson claimed to break it but he never gave us a loaded card or a card id.

Q (same person): But maybe it is just not yet worth breaking.

Tim: Mondex does research on the dimensions of attack.

Paul: So much of your planning about how this might fly invokes the privacy issue, yet your model seems to assume that there is no privacy in the network. If that happens your assumptions go away. But you seem sanguine about this.

Tim: You are right. I am very sanguine because I am not part of it any more. Agoric Inc has some interesting ideas about peer economics. I think we need something that respects the fact that millions of copies can be sold.

I argued at lunch that part of the reason Mondex was not cool was that it was closed, and a cool product would have gotten traction. He disagreed. I think it should be included as part of the cost - that being closed by definition closes things off to you.
I also argued that bankers have a risk-averse culture of integrity which is woefully absent in commercial computer programming, and that an open system allows people to watch your suppliers. He maintains that they can watch their suppliers very well, thank you, and closed does not imply trust in suppliers.

Micropayments and E-cash
Session Chair: Jacques Stern

Using Trust Management to Support Transferable Hash-Based Micropayments
Simon Foley

A quick recap. A payer signs a contract promising to reimburse through a hash chain. There is a hash chain of length n, issued to a principal payee. The first decision that must be made by the payee is "is the payer trustworthy?" There is a series of payments. Then the payee seeks payment, and the trustor asks if the request for payment is legitimate. Using these questions the hash-based micropayment scheme can be based on some trust calculus. Therefore Blaze & Jane's KeyNote system can be applied in a valuable and consistent manner. The rest of the presentation is details of the application.

We should think of a contract as a certificate that is being issued by the payor that authenticates the payee as having the right to assert demands for payment. Examples given are: trust a payee for up to some threshold; or, for a payor, trust any request for payment based on verification of the contract. The payee compliance check can check if the payor is authorized to make the first payment. After that the KeyNote verification requires only checking the consistency of the hash chain.

Richard: Is there a requirement for a pre-existing trust relationship? Why is there a policy question there?

Simon: Because the trust question is based on the trust of the key.

Richard F.: So when you say trust the party you mean trust the key.

In delegating hash chain contracts both the validity of the payment and the transfer of the payments must be trusted.
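The contract-plus-hash-chain mechanism recapped above, as an added example; it is not code from the review or from Foley's paper. It assumes SHA-256 as the chain hash, uses an HMAC under a key shared between payer and payee as a stand-in for the payer's signature on the contract (the real scheme expresses the contract as a KeyNote credential with a public-key signature, so the "is the payer trustworthy?" decision becomes a KeyNote compliance check rather than a MAC check), and the names make_chain, sign_contract, Payee and settle are mine. The point it shows is the one the talk makes: the expensive policy check happens once on the contract, and every later payment is verified by hashing alone.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One hash step of the chain (SHA-256 is an assumption; the paper does not fix the hash)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [w_0, w_1, ..., w_n] with w_n = seed and w_i = H(w_{i+1}).

    The payer keeps the list secret and commits only to the root w_0 in the
    contract; releasing w_i later is a cumulative payment of i units, because
    anyone holding w_0 can confirm H^i(w_i) == w_0 without help from the payer.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def _contract_body(payee: str, n: int, root: bytes) -> bytes:
    return payee.encode() + b"|" + str(n).encode() + b"|" + root


def sign_contract(payer_key: bytes, payee: str, root: bytes, n: int) -> dict:
    """Payer issues the contract: 'I will redeem up to n units of this chain to payee'.
    An HMAC under a payer/payee shared key stands in for the payer's signature (assumption)."""
    body = _contract_body(payee, n, root)
    return {"payee": payee, "n": n, "root": root,
            "sig": hmac.new(payer_key, body, hashlib.sha256).digest()}


def verify_contract(payer_key: bytes, contract: dict) -> bool:
    body = _contract_body(contract["payee"], contract["n"], contract["root"])
    expected = hmac.new(payer_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(contract["sig"], expected)


def hash_forward(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = H(x)
    return x


class Payee:
    """Accepts payments against one contract; after the contract check, each
    payment costs only (i - last_i) hash evaluations and no signature work."""

    def __init__(self, payer_key: bytes, contract: dict):
        # The one policy question: is this payer's contract trustworthy?
        # (A KeyNote compliance check in the paper; the HMAC check here.)
        if not verify_contract(payer_key, contract):
            raise ValueError("contract rejected")
        self.contract = contract
        self.last_w = contract["root"]   # most recent accepted chain value
        self.last_i = 0                  # units already paid

    def accept(self, w_i: bytes, i: int) -> bool:
        """Accept w_i as cumulative payment of i units, or reject it."""
        if not (self.last_i < i <= self.contract["n"]):
            return False                 # replay, regression, or beyond the contract limit
        if hash_forward(w_i, i - self.last_i) != self.last_w:
            return False                 # not a link of the committed chain
        self.last_w, self.last_i = w_i, i
        return True

    def claim(self) -> tuple:
        """What the payee later presents for redemption: contract, last link, and its index."""
        return self.contract, self.last_w, self.last_i


def settle(payer_key: bytes, contract: dict, w_k: bytes, k: int) -> int:
    """Redemption check by the payer (or its bank): units owed, or 0 if the claim is invalid."""
    if not verify_contract(payer_key, contract) or not (0 <= k <= contract["n"]):
        return 0
    return k if hash_forward(w_k, k) == contract["root"] else 0


def demo() -> int:
    """Constructed walk-through: a 10-unit chain, two payments, then redemption of 7 units."""
    payer_key = b"payer-payee shared key (constructed)"
    chain = make_chain(b"payer's secret seed (constructed)", 10)
    contract = sign_contract(payer_key, "payee-A", chain[0], 10)
    payee = Payee(payer_key, contract)
    assert payee.accept(chain[3], 3)          # first payment: 3 hashes to reach w_0
    assert payee.accept(chain[7], 7)          # second payment: 4 more, checked against w_3
    assert not payee.accept(chain[5], 5)      # going backwards is refused
    assert not payee.accept(b"\x00" * 32, 9)  # a value off the chain is refused
    return settle(payer_key, *payee.claim())  # 7


if __name__ == "__main__":
    print("units redeemed:", demo())
```

Because the payee only ever stores the last accepted link, a replayed or out-of-order payment is detected by the index check before any hashing, and redemption needs nothing but the contract and the highest link received.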
How does the party that is receiving the delegated payment confirm that the delegator will not try to both delegate and obtain payment? KeyNote can clarify and solve this problem by confirming that the first hash payment is valid and by verifying the contract of the delegator. Thus if the delegator cashed in there would be nonrepudiation, since the final payee can prove rights to the payment. He applies KeyNote to show how the use of a trust calculus and contracts can enable complex subcontracts and subcontractors with limits, by making the trust dependencies understandable. One cool thing is that with the credential in a subcontract the subcontractor can break the hash chain in a different manner (e.g. payee gets p^n, p^8n and can delegate p^4n for a second payment.) The need for and details of the contract are clarified by the use of KeyNote.

A Micro-Payment Scheme Encouraging Collaboration in Multi-Hop Cellular Networks
Markus Jakobsson, Jean-Pierre Hubaux, and Levente Buttyan

You have a set of base stations and a set of mobile stations moving around. In traditional systems the mobile station would reach the base station in a single hop. In multi-hop networks the base station can be reached by using routing and sharing in the other mobile stations. Currently there are no such networks created, yet there are many research proposals for such a scheme. The major advantage is power. There is an advantage to transmitting in multiple hops: there are lower power requirements. Another advantage is cost, as base stations are expensive, or extended capacity for the base station with no increased cost. We assume upstream is multi-hop but downstream is single-hop, so this means that the power advantage stays but the cost advantages are decreased. Why should mobile nodes forward? Selfish behavior is optimal behavior. Therefore this paper proposes a micro-payment scheme.
Marti et al. proposed a watchdog and path rater, which does not discuss misbehavior. Buchegger looks at reputation-based collaboration, which seems to be subject to pseudo-spoofing. Rivest looked at aggregation requiring probabilistic payments (using lottery tickets as payments), but this has not previously been applied to routing. Micali and Rivest talked about probabilistic payments with deterministic debts. Again very useful but not previously used for routing.

The general scheme is that the source sends a payment token with the packets. Each node interprets the token as a lottery ticket. If it is a winning ticket you submit the reward claim. In any case you forward the token and the packet. Assume the mobile devices are selfish and the base is honest.

Attacks:

* taking only winning tickets
* sniffing packets for other winning tickets
* crediting a friend (e.g., "here, send this msg, you'll win with this one")
* ticket pooling
* tampering with claims
* tampering with reward levels, particularly useful with near-source collusion

The protocol requires a shared symmetric key for each mobile station and a base station. Each mobile device keeps track of immediate neighbors and the distance to the base station in hops. Packet dropping: a higher receiving-neighbor frequency than sending-neighbor frequency. The auditing technique is in the spirit of fraud detection for existing telephony networks. No formal model or proofs are given. These are for future research.

Adam: What about the digital silk road paper? How does that relate?

A: The main difference is that silk road is pure p2p and here we have an operator and take advantage of this.

Roger: How can we detect someone who is cheating if there is a model for cheating? What about people framing others for cheating?

A: We consider only selfish nodes but not malicious nodes. We consider strictly rational self-optimizing nodes.

Paul: It could be beneficial if you could knock out competitors.
A: Not in the general case.

On the Anonymity of Fair Off-line e-Cash Systems
Matthieu Gaud and Jacques Traoré

Frankel, Tsiounis and Yung improved the security of Solages and Traoré 98. Yet in neither case was either anonymity or security properly proven. In this presentation those works are reviewed. After examination it turns out that both are provably anonymous. Yet neither of these is provably secure, because both depend on Chaum's blind signature problem.

delayed: Retrofitting Fairness on the Original RSA-Based E-Cash
Shouhuai Xu and Moti Yung

moved up: How Much Security is Enough to Stop a Thief?
Stuart Schechter and Michael Smith

Instead of wondering how hard it is in technical terms to break a system, think like an economist. Think about "what it costs to find a vulnerability" and then think about "what is the value for the adversary to break into a system?" In order to make the investigation of this model manageable we parse the paper by modeling the attacker as a thief. If the attacker is motivated by nationalism or ego it is much less feasible to evaluate the willingness to pay. By modeling a thief we can assume the thief only wants attacks that are valued more than they are worth. So a core of this model is the formalization of the outside threat using tools of economics.

There has been some study about converting access to loot:

* steal data, sell it
* access data, encrypt it - resell a person their own data
* sell access - break into a machine and sell access

So we can assume thieves are interested in a very high rate of return since they are, by definition, not legitimate business people. So consider the types of thieves. There are serial thieves, parallel thieves and one-time thieves. Well, the economics of stealing are not so different from the economics of honesty. So the greatest concern is the parallel and automated threat. Notice the concern is outside theft, not social engineering, because social engineering or insider theft do not scale.
So the approach is to create the expected value for one thief (the one-time thief). Then expand it in time to the serial attack. Now when you add the second attack you have to consider the possibility that your attack no longer functions. So the probability of detection increases over time and the probability of failure increases over time. While a simple first sketch would show target independence, targets are not independent. Not only is there patching and increased observation, but also the attacker learns some marginal amount during each attack. (This is shown in formal notation.) Note that doubling the probability of detection decreases the value of the vulnerability by half. Therefore this illustrates the value of both intrusion detection and the value of patching to decrease the value of a vulnerability. Using this model it is possible to make a business case for security.

It is also the case that anonymity decreases risks to the thief. Increased anonymity decreases risks, and non-revocable anonymity significantly reduces the expected cost or risk of being detected for the thief.

Paul: What does this imply about sharing information? It seems that this model suggests that sharing information does not help the sharer. According to your model there is no risk in sharing.

Scott: Currently people do not share because of stock market responses. Citibank did just this and their stock price took a hit, but they increased overall customer trust.

Rebecca: It is clearly an oversimplification to suggest that there is no increase in risk. Right now the common oversimplification is that sharing information creates only risk. What you hear now is a debate about responsible disclosure. There is a community of attackers who share information.

Scott: When you find a vulnerability do you share it with everyone? But what if you have partial information? Most of the value is in victims combining information to understand complete attacks more quickly.
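Returning to the expected-value reasoning of the Schechter and Smith talk (one-time thief first, then serial reuse with detection and failure probabilities that change from attack to attack), here is an added worked model. It is my own simplified formalization, not the paper's notation, and not code from the review: the names expected_loot, one_time_thief and serial_thief are mine, the geometric patching curve and the flat penalty on detection are modelling assumptions, and the numbers are constructed.

```python
from typing import Callable


def expected_loot(value_per_attack: float,
                  detect_prob: Callable[[int], float],
                  fail_prob: Callable[[int], float],
                  penalty_if_caught: float = 0.0,
                  max_attacks: int = 1) -> float:
    """Expected value of one vulnerability to a thief who reuses it sequentially
    (assumed model).

    Attack i (1-based) is only attempted if no earlier attack was detected.
    detect_prob(i): probability attack i is detected (intrusion detection,
    increased observation); fail_prob(i): probability the exploit no longer
    works on attack i (patching), which the attacker's learning can offset.
    penalty_if_caught is the thief's expected loss on detection; non-revocable
    anonymity pushes it toward zero, which is the talk's anonymity point.
    """
    total = 0.0
    undetected = 1.0                      # P(no detection before attack i)
    for i in range(1, max_attacks + 1):
        p = min(1.0, max(0.0, detect_prob(i)))
        f = min(1.0, max(0.0, fail_prob(i)))
        gain = value_per_attack * (1.0 - f)
        total += undetected * (gain - p * penalty_if_caught)
        undetected *= 1.0 - p
        if undetected == 0.0:
            break                         # certain detection: no further attacks
    return total


def one_time_thief(value: float, p_detect: float, penalty: float = 0.0) -> float:
    """The talk's starting point: a single attack, constant detection probability."""
    return expected_loot(value, lambda i: p_detect, lambda i: 0.0, penalty, 1)


def serial_thief(value: float, p_detect: float, patch_rate: float = 0.0,
                 penalty: float = 0.0, max_attacks: int = 1000) -> float:
    """Serial reuse with constant detection probability and a failure probability
    that grows as 1 - (1 - patch_rate)^(i-1): each round some targets are patched."""
    return expected_loot(value, lambda i: p_detect,
                         lambda i: 1.0 - (1.0 - patch_rate) ** (i - 1),
                         penalty, max_attacks)


def detection_ratio(value: float, p_detect: float) -> float:
    """Value at detection probability p divided by value at 2p, for the serial thief."""
    return serial_thief(value, p_detect) / serial_thief(value, 2.0 * p_detect)


if __name__ == "__main__":
    # Constructed figures: 1000 per successful attack, 5% chance of detection per attack.
    print("one-time thief:", one_time_thief(1000.0, 0.05))
    print("serial thief:", serial_thief(1000.0, 0.05))
    print("serial thief, 10% of targets patched per round:", serial_thief(1000.0, 0.05, 0.10))
    print("serial thief, penalty 5000 on detection:", serial_thief(1000.0, 0.05, 0.0, 5000.0))
    print("value(p) / value(2p):", detection_ratio(1000.0, 0.05))
```

With constant detection probability p, no patching and no penalty, the serial sum converges to value/p, which is the talk's observation that doubling the probability of detection halves the value of the vulnerability; raising patch_rate or penalty_if_caught shows why patching and revocable anonymity each reduce it further, and a detection probability that rises with i can be passed as detect_prob to model increased observation over time.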
This is an area for further work, to make this formal and prove it.

Drew: What about stock manipulation attacks?

Scott: Does the market act rationally, adjusting stock based on vulnerability information? Large market fluctuations are based on lack of understanding. Understanding should be increased.

Adam: Criminals like anonymity. They like that, but they do it through identity theft and breaking into chains of machines. They avoid formal privacy systems which may be monitored. Does anonymity really help?

Scott: Breaking into a system requires a risk. A chain of servers creates a set of transactional risks. What I am saying is not that anonymity should not be built in, but rather that anonymity should be revocable.

Q: What about liability?

Scott: I will talk about that tomorrow.

Rachel G: You talk about sharing partial information; what good is partial information?

Scott: How much do you want to use this attack against someone who has some clues and can know to watch you?

Q: What's the use of this model?

Scott: This model begins when crypto stops. There will always be implementations with millions of lines of code. There will always be integration. This is even being used to price brute force attacks.

Panel: Does anyone really need MicroPayments?
Moderator: Nicko van Someren (nCipher)
Participants: Tim Jones (Ex Mondex), Andrew Odlyzko (University of Minnesota), Ron Rivest (MIT, PepperCoin), Duncan May (journalist at large)

Andrew: Four Fundamental Reasons MicroPayments Will Never Happen

1. A gold dollar. Americans go to Europe and say why don't we have a dollar. The Susan B. Anthony failed, and so the mint came up with a gold dollar. Three Americans have gold dollars. These have disappeared without a trace. Why? New payment schemes take a long time. Coins worked in Europe because the paper money was taken off the market. Credit cards took decades.
Internet time is a myth when you are talking about changing the habits of millions of people who already have a good substitute.

2. Enabling small transactions. Sellers do not want small transactions. Sellers want large transactions. Bundling is common in software and subscription services; bundling brings in more revenue because of the law of large numbers, given the heterogeneity of preferences across the elements of a bundle.

3. Flat rate vs. metering. Flat rate prices are far preferable. If you are a producer of zero marginal cost goods you want people to use them and get value. Flat rate gets more customers and more use.

4. Price discrimination. Going back to the nineteenth century there is a large literature about the value of price discrimination. Price discrimination requires data about use. Greater gains can be achieved by matching user and price - and anonymous systems prevent price discrimination.

He has a paper on each one of these points on his web page, www.dtc.umn.edu/~odlyzko/. Read 'em and weep.

Ron Rivest: Micropayments are for things when the cost of the transaction is so small. Micropayments exist as attention span (banner ads) and giving up data for small things. There was $300M of paid content on the net. Half of that was annual subscriptions. 14% were single purchase. 6% were some other subscription form. So 14-30% of sales would be single use. Some subscription services have failed. *69 failed as a subscription service, but it works well at 75¢ per use. We don't have a choice between subscriptions and pay per use. They work well together. Pay per use may bring in a subscriber. When diffusion is small, subscription is not optimal.

The killer app for micropayments is music downloads. The music industry is in trouble. Their prices are too high. Their business model is weak. "Music users prefer pay-per-download to subscription." 60% of Americans have downloaded music; about 1% have paid. Many who did not pay would prefer to pay rather than search.
There are two parties, the sellers and the buyers. The buyers might prefer pay per download. The mobile ring-tone market is also pay for single use. In the NY Times they are trying to sell music on the web, "Echo". Universal sells singles at 99¢ a song. Pay per use will always be available. To support this there is a need to keep transaction processing costs small. A founder of music sites found that credit card companies were charging 35¢ for each 99¢ transaction. By keeping the bank out of the loop it is possible to get substantial processing savings. You can do an RSA verification faster than a disk access. Since we don't have Hettinga to talk about bearer-based systems: I have concerns about these systems, so I believe in a database, and it is easier to have a per-user database.

Tim Jones: The range of transactions that are currently mediated is large. It is not self-evident why the share of physical money should collapse in favor of non-transactional subscription transactions. Why should the move to the electronic world fundamentally alter the payment choice that has been constant for hundreds of years? Those of us in the GSM world are very certain about "SMS was an afterthought in the GSM standard and children took it and created a new language and maybe a new culture." There are some new things that will come along and maybe we can anticipate them. For example my daughter was passed on the M25 and some boys held up their cell phone number. They did SMS and ended up going clubbing that night.

There are a number of people who are contributing to an open source computing environment which is growing in strength and scale. They are not being paid in an economically sound way. The range of payment options to reflect the value that people in this business world are creating is not adequate. This seems like a case where there are peers who appreciate value, and could assign it. In this case a large value can be created through a very small set of transactions.
Think of beta-ware where there is a free version and a pay version. If the option is to send 50¢ then there is no need to send a free one. That doesn't hurt you, but if you think of the millions of desktops then it is incredibly valuable. We are not exploring properly the price elasticity of demand. In the world of real-life cash there are many small transactions that occur every day. It would be a poorer world if we could not replicate the school bake sale where the purchaser is 7 and the merchant 9.

Duncan: The reason I am here is I have followed the track of 28 systems. Some set of them have gone right into the ground.

Nicko: All the schemes seek the James Bond profile - they wanted to rule the world. So they failed the test of the playground and the cardboard box. I disagree with Andrew with his concept of flat rate. If you have a flat rate you could pay 10¢ a minute or $100 a month. If I can take an extreme example: the British domestic gas market is de-regulated. Customers used to have an account with British Gas. British Gas sends out 128M bills a year and the customers pay quarterly in arrears. New entrants are coming to the market. The only way they can compete with each other is to compete on the price of transactions. The largest cost is managing the customer account. If one could have a networked meter where customers could pay as they go then you could cut out the cost. It could be a compelling economic case. So we don't have to think of the Internet as streaming video and download of video. The problem with beans is that the economic model is broken. You have to get the economics right.

Richard: What can the 10 year old sell on line for 10¢?

Tim: The nine year old was a physical transaction. Mondex could have received 10¢ for each angel cake. (Is that a cupcake in the UK?)

Richard: What about intangible goods?

Tim: I see it in open source. What if you could charge 10¢ instead of open source being free? Right now we have two price points: free and wildly high.
Richard: Were you in the car with your daughter?

Tim: I was driving a car. A week later I was at a bankers' cruise and I was the keynote and I told the story. And then one of the blokes in the car came up and was the driver?

Drew: So when I was at Security Foundations Paul played hookie and we were in Italy and we needed to pay 1000 lira at a tollbooth. They took credit cards. I don't think the Italian government was paying a 25¢ overhead for that.

Ron: Part of the transaction processing cost is fraud. As technology gets better the space for specialized transaction mechanisms decreases.

Nicko: Credit card providers charge a flat rate plus a percentage because they can. There is a fraud cost for the credit cards. There is a lower cost for the debit cards.

Drew: It is highly amusing that CA has a $4 fee for any credit transaction because they don't want to figure out the fee.

Paul: For the eight year old, maybe she could sell her song for 10¢. That is a post-music model. The other thing, to reinforce this, is that they can live together for cell phones. I have paid per minute every single minute I have used on my cell phone and it works out for me.

Nicko: In Europe the pay-as-you-talk has passed the value of the subscription base.

Andrew: Cell phone pricing had flat monthly rate and prepaid plans. If you look at usage every day, subscriber use is decreasing. We are looking at number of subscribers. So they are going for the marginal person. Users have overwhelmingly shifted to flat rate plans. This has caused a tripling when everyone else in the world is decreasing. The US is the world champion in wireless use per subscriber. Per-phone revenues are going.

Tim: But per customer revenue will go down. But that does not mean that the average revenue for a customer in that set is going down. And there is a second major brake on usage. And that is the price point for pay as you talk is incredibly high compared with any steady state based on cost.
This is in part based on transaction processing.

Jean: Human management. Attention span.

Andrew: There is evidence for it from the INDEX experiment (search terms: INDEX bandwidth Berkeley). I argue strongly for this in my paper. Another set of experiments that AT&T did was in the seventies on metered local rates. We did it on a state-wide basis. It turned out that 70-80 who would have saved money with the metered rate hated it, because 1) the insurance concept, to know it is available to use if needed at no more cost; 2) overestimation of usage, people overestimate their resources systematically; 3) the hassle factor, they just did not want to worry about it, for example just understanding it was hard for people. For example, people were played flat rate per call. There are too many choices and too much complexity. That is why flat rate is so good.

Ron: If micropayments are going to pay, the ease of use has to be handled very well. Work by Dan Ariely at the Media Lab on micropayments talks about handling this.

Tim: Jean has hit on a general issue on acceptance. Getting people to load some pot of money is terribly difficult. The prize, strategically, for those who could get people to do it is enormous. If you could do it you are suddenly in an extraordinary position, like PayPal. PayPal got a certain amount of traction. Then eBay and Citibank all had a go and they all fell by the wayside because there was already an incumbent. So eBay ended up having to buy PayPal. The first set of corporations that can solve this will find themselves starting with a small window.

Duncan: People will not sign up for multiple payment systems. Only PayPal this morning pulled out. I would expect to see a large number of competing players, so there must be very efficient settlement mechanisms, so there must be a very effective market for clearing.

Richard: Can I make the case that 3% is competitive? Not that they are not making wads of money.
It is easiest to ignore that you have so many players and each of them absorbs some liability for what it does. If you don't have any players you don't have to worry about risk. Then there is the lenders' risk. The deal of the century is the global arbitration fee. Without that assurance neither you nor the merchant will give up your half. If a microcredit system is developed so that a million people lose their quarters, then that would be terrible.

Duncan: There is a 90 day loss period where the arbitration is huge.

Adam: Micropayments can come in and be more effective.

Drew: If you have to download some software you lose 90% of your market. But micropayments have that problem.

Adam: PayPal.

Tim: PayPal is an extension of VISA to non-traditional merchants. PayPal is a B2B and C2B for non-traditional merchants. But the mobile phone companies have a very effective authorization mechanism.

Ron: The future of micropayments is in M-space.

Nicko: What about the great unbanked, people who cannot get credit?

Ron: I think that is orthogonal. It depends upon how the system is built.

Tim: Picking up Richard's point that the credit card world is a risk acceptance market. That is an interesting model that has done great things. But if you have a net-connected world you can chain the transactions together and have settlement happen as the chain happens. I just offer it to spark thoughts in other folks. Current appliance delivery creates factory to distribution hub, management of hub, inter-hub transport, and hub to consumer. There is nothing in theory to prevent that from being a market that clears step by step instead of competing for the entire chain.

Andrew: It will come on the back of mass transportation or cell phones. You already have something because it alone has value. It has to be added to one of those.

Duncan: You have to pay 250,000£ to talk to Mondex. We need a system that will start small.

Ron: I have started a small company.
PayPal shows that new mechanisms can work. We will grow the old-fashioned way, based on demand.

Paul: I agree with Andrew's conclusion but not with his inference. I say this as someone who buys rolls of gold dollars at the bank. The point I want to raise is that this was supposed to be an illustration of the transitional threshold, but that is not the case. But I talk to people in Europe and in Canada. They are nostalgic for the era of bills. Bills have a superior interface - it is easier to carry 7 bills than 7

Nicko: The pound coin was accepted not only because of ergonomics but because it was called a sovereign. That leveraged nostalgia. (It was called a thatcher - it was thick, brassy and thought it was a sovereign.)

Tim: Kuhnian paradigm shifts take decades. There are problems that ecash can solve, like the queues in bars where it is impossible to purchase. He proposes a bar with vending machines where everything is on tap, so there is no bar with a single point of failure. I strongly advocate dynamic vending machines so people pay for congestion. Using a smart card you can do a loyalty program and encourage ecash adoption. Yet that is in another mental space.

Ron: Why is price discrimination impossible with micropayments?

Andrew: Basically price discrimination is not incompatible with micropayments, but it is harder. Most productive price discrimination is based on identity. That is a little harder for micropayments.

Nicko closes an excellent panel.

Security, Anonymity, and Privacy
Session Chair: Gene Tsudik

On the Economics of Anonymity
Alessandro Acquisti, Roger Dingledine, and Paul Syverson

Economics is about efficiency. Yet inefficiency is an inherent part of anonymity. Anonymity is a complex problem because of traffic issues: users who use anonymous systems also provide anonymity to other users. That is, users hide amongst each other; thus by getting anonymity you provide anonymity.
One solution to address this problem is for a large organization (corporation or government) to provide anonymity and require it of all its users. However, should this be used, then any communication that is anonymous nonetheless comes from that organization. There are not yet decentralized trust algorithms. In economics consumers pay. Yet by its nature, users of anonymity both use and provide anonymity. The hordes in coach are better off, privacy-wise, than the guys in first class. So the guys in first class have to pay a premium for anonymity. Inefficiency costs that propagate back to the user chase users away. Usability is a critical suggestion. Under what conditions will a system with many players not implode? Public good with free riding. Yet in this case free riding is not strictly possible, because inherent in the use of the system is providing anonymity to others. Thus those with great interest in anonymity could provide nodes and services. This is promising in that there is broad market support for low overhead services but inadequate support (at this time) for high cost anonymity. There is also the potential for altruistic agents. Public service entities, reputation and social capital may provide adequate rewards (SETI@home and remailer statistics). There can be an optimal level of free riding. An open problem is exit node liability.

Q: You were talking about free rides in that anonymous systems were providing a free ride. In p2p networks, the sharing of files, we can provide anonymous systems. Something like Kazaa could be used to optimize.

Paul: Once you add the anonymity on top of it, you would have to add it for free. You get it because you are at GA Tech and you just want to do it. So there is free riding for users since it is bootstrapped in.
Jean: Is the tendency of systems to implode a function of whether Metcalfe's Law applies (each free rider adds increasing value; the nth user adds n+1 value), or of whether it has decreasing returns, so that as n gets large the value of the next ride is ever lower?

Paul: We currently have existence results. That question could only be answered with analytic simulation. You would have to take a specific system and see how that plays out.

Julian: Would there be a high correlation between the value of anonymity and crime, and is this a core problem? Are there legitimate users with high value? Don't you think the value for the bad guy is a problem?

Paul: But the bad guys can provide the resources for all the good guys.

Stuart S: What about the value of concentrated trust in a case like ZKS where transparency allows for trust?

Paul: You could do the same analysis for several nodes that you can do for one.

Squealing Euros: Privacy Protection in RFID-Enabled Banknotes
Ari Juels and Ravikanth Pappu

Squealing is both a noise made by distressed animals and slang for exposure of private information. RFID: radio frequency identification. Shows a picture like www.aurigintech.com/smart-ID.gif at www.aurigintech.com/Smart-ID-Auto.htm. RFID tags are passive devices that identify themselves, usually by simply shouting their identity. They have no battery but obtain temporary power from the EMF produced by the reader. RFID tags will be the ubiquitous replacement for the bar code. Gillette has ordered half a billion. (This is because in retail drug stores razors are the most frequently stolen item.) Inventory control and failure rates of scans drive this interest. PRADA use described. Here is a PRADA description: www.aurigintech.com/smart-ID.gif, and he discusses the cases from the AutoID center, http://www.autoidcenter.org/main.asp. Pets from MA shelters now have RFIDs to locate lost kitties (through a cat scan, ha ha). (Ron Rivest's cat, Jack, has one, so they call it the Lojack chip.)
The European Central Bank plans to put RFIDs in euro notes. Let me repeat that in case all the implications of suddenly non-anonymous cash are not clear: the European Central Bank plans to put RFIDs in euro notes. Here are some bonus uses:
- more efficient mugger (we offer detailed information about our purses)
- viruses or attacks based on product choice
The ECB is prototyping advanced systems without public discussion. Then there is security by obscurity. Yet reverse engineering an RFID is fairly trivial. If you encrypt the serial number of the banknote, then the encrypted ID becomes the serial number. What about an LE access key? Then the tag broadcasts its jurisdiction information. This also requires an extremely secure key. RFIDs have little or no processing power, so crypto is not an option. What they have is the ability to control read and write access on the basis of static keys. Use an El Gamal system with group G of order q and published generator g. Key generation: the public key is y, the private key x. Each note has a signed ciphertext number that can be re-encrypted upon bank use; the number is C = E_y[ID, r]. One innovative idea in this is to restrict access by requiring physical optical access. So each note would have a printed number that provides access that allows reading. Shops currently have these. Thus illegitimate reprogrammers would have to have visual access. There can still be rogue readers. But using connectivity the supervision can be of the readers, so that each reader confirms that the previous reader has done its job correctly. Cloning attacks are still possible but are more easily detected. Re-encrypting readers can be authenticated, which makes tracking easier. The solution is not ideal but there is work in progress at RSA Labs and in the EU.

Nicko: A re-writable ID is dangerous from a forgery point of view. Could you now do something that does not require it, given that you have hundreds of bits?
You could generate many random bits in write-only and have a sequence number in the r/w system.

Ari: That is a solution we are discussing.

Adam: This might just be an investment wrt counterfeiting.

Delayed by travel:
Retrofitting Fairness on the Original RSA-Based E-Cash
Shouhuai Xu and Moti Yung

If we have no anonymous cash maybe it's not a problem (that's a joke). Review: fairness in this framework means revocable anonymity when the user re-spends a coin. Fairness has been implemented in discrete log systems using both on-line and off-line trusted third parties. So the question of interest here is: is it possible to implement fairness using an off-line party while preserving the fundamental RSA scheme? Some systems have used (Chaum Fiat Naor, Crypto '88) on which we can build. Review CFN 88 and simplify.
  l: security parameter
  H, H1: hash functions
  3, N: 3 is the public exponent and N is the bank secret
  Coins: x = H1(...), y = H(...)
  coin = ( H(x_1, y_1) * ... * H(x_{l/2}, y_{l/2}) )^(1/3) mod N
  at least one of the (x, y) tuples is valid
You can view each pair as a one-time Lamport signature. Reveal signatures by showing x, y. Use El Gamal with two generators to embed the user key. The TTP obtains the user key. Provide that key to a trusted third party. During withdrawal the key of the trusted third party is made available to the bank. Coins can be traced to withdrawal sessions, or all coins provided by one user. The bank is trusted only not to use the customer's money, but is not trusted not to abuse customer anonymity. The TTP is trusted to revoke customer anonymity but is not trusted with the customer's money. Open research problems include unforgeability, because hardness of one-more-RSA inversion is not known, and RSA-based revocation.

11:00 - 12:30 Attacks
Session Chair: Andrew Odlyzko

Cryptanalysis of the OTM signature scheme from FC'02
Jacques Stern and Julien Stern

Authentication is proof by a user that he knows a secret. A proof may be transferable or not.
Asymmetric systems require that no secret be exposed for authentication. Symmetric requires secret exposure or sharing for authorization, but it is very fast. There is no such thing as symmetric signatures because the secrets must be shared. Symmetric authentication is in some ways superior to asymmetric authentication, while asymmetric signatures are better (by definition) than the (nonexistent) symmetric signatures.

First example: Access Control. Some devices only need to grant access to authorized persons, for example a car park reader.
  Symmetric: device contains all secrets
  Asymmetric: device need only recognize the access request secret
Second example: Access on Payment (toll booth).
  Symmetric: impossible because non-repudiation is required
  Asymmetric: device contains only a public key and users perform costly operations
What is needed is a pre-processing step where costly message-independent data are generated, combined with a low-cost on-the-fly final step: on-line/off-line signatures.

Previous work:
  Schnorr 88: one modular multiplication
  Girault et al 92, 96, 99: one regular multiplication
  Okamoto et al 02: one modular reduction of a small number
  Even et al. 90: one multiplication
  Shamir 01: the core operation is one modular reduction of a very small number; extremely efficient, and a small signature block is produced

Overview of the GPS protocol. The OTM scheme is a small change in terms of processing power from GPS. The number of messages is very low, except instead of r + e*s send r + e mod s. But the problem is that the reply step will not hold because there are limits on the size of the reply in the GPS protocol. So guess part of e so that it is sufficiently small. So use the least significant bits of e. Pick a random r. Then compute x = g (truncated e) mod n. We receive the challenge and check our guess. Repeat as necessary. OTM is not inherently flawed. But the parameters were too small to prevent an effective attack.
If the parameter sizes (the size of the key, the number of digits in e, and the challenge size) are increased, then the system becomes secure against guessing attacks. So how does this change the parameters? With correct parameters OTM authentication is still 100 bits smaller than GPS. However: OTM requires a modular reduction of 320 bits by 160 bits, while GPS requires a regular multiplication. This means GPS is twice as fast as OTM. Dovetailing (r, e) wrt x: add r to a small multiple of s so the least bits of r are equal to e. If the core operation in OTM is replaced by dovetailing, this requires another verification check; then this requires three verification operations. Implementation is a simple loop. Using dovetailing with increased OTM parameters, the implementation can be as efficient as GPS.

"Man in the Middle" Attacks on Bluetooth
Dennis Kügler

Attacks: unit keys are used for eavesdropping and impersonation (aka cloning). PIN guessing is used for recovering the link key. The cipher is weak. Privacy: device tracking is possible. Add to these the man in the middle attack. These are based on the page hopping and channel hopping sequences. This is based on a slave ID and clock setting. So this is a periodic sequence of 32 frequencies. Channel hopping is used for communication. A page request consists of the master repeatedly sending the slave ID. The slave scans for its own ID. The slave sends an ID packet in response. The master sends FHS. The slave resends the ID. So all the attacker has to do is respond more quickly than the slave, and then reconnect the slave using the same master ID but a different offset, so the slave and master do not detect each other. If the slave and attacker respond at the same time the communication is jammed. Then only the attacker repeats, because only the attacker understands what happened. Another attack: since the initiation is a 3-way handshake, the attacker can use the half-open connection to generate a timeout so the slave ceases scanning. (The attacker initiates with the slave ID.)
Another thing is that the master clock is used for both frequency hopping and cipher initiation. It is possible to inject a man in the middle during an encrypted communication due to cipher weaknesses and the information in the packet header. Since the same information is used for encryption and decryption, it is possible to insert altered packets. Compare this with other attacks. Jakobsson-Wetzel establish a connection to both devices and pretend to be the other device; this attack fails if encryption is turned on or one device is non-connectable (because the attacker becomes master and both victims must be slaves). This attack can be expanded using the techniques here to implement an attack when one attack is the master. Proposed solutions are end-to-end security => integrating a MAC in every packet. Or wired equivalent security, which requires point-to-point security. Even with this the cipher is based on the clock. Inherent in frequency hopping is the ability to create mis-synchronization. Encryption is needed, with full synchronization including frequency synchronization. Unencrypted packet headers with important ACK information are a problem.

Nicko: Your conclusion should be that if you want to use Bluetooth for finance the encryption should be in the application layer.

A: You should use an SSL equivalent.

Nicko: My cell phone has a decent amount of computing power. You should not rely on transport for financial cryptography.

A: Both are required. And the power limits of the mobile devices must be acknowledged.

Fault based cryptanalysis of the Advanced Encryption Standard (AES)
Johannes Blömer and Jean-Pierre Seifert

This includes fault attacks and errors, physical fault generation. For the AES specifically the time operation is vulnerable. An investigation of an unskilled textbook implementation vulnerable to attack by fault generation. Fatal attacks on DES include breaking a sealed tamper-proof device and putting in wrong ciphertext.
To begin, a description of what a fair smart card attacker might do to alter and disturb the calculation by altering only the external contacts. An attacker can vary the voltage input, if it does not cause a card reset. However, the power supply is assumed to suffer from natural spikes. For each card there is a range of parameters that would cause a faulty output, for example generating an extended pulse that does not spike quickly but rather increases the input some voltage above the specified tolerance but not so high as to reset, say 118% of expected voltage. Similarly, if the clock can be finely tuned, the execution can be altered by causing the CPU to omit instructions. With concentrated optical attacks (for example a focused camera flash) on the right places on a controller it is possible to alter any bit of an EPROM by altering the CMOS path (remember C means complementary), creating a lower resistance channel on the preferred path. This requires removing the surrounding casing but not physical contact. Another attack uses an inductor to read the events occurring inside the smart card. By charging the inductor (also known as an active coil) the reverse can be true -- you can use the coil to cause events inside the chip. He offers a nice table of attacks on smart cards. This is all of interest because AES is most commonly implemented on bank smartcards using 8-bit CPUs. The speaker illustrates how the general smart card attacks can be used on the most common implementation of AES. For example, using timing attacks on critical steps in AES, in particular critical XOR operations, the ciphertext is quite weak. The concern is that counteracting fault attacks is usually done by some naive countermeasures. Hardware manufacturers should be aware and use: carefully developed logic families, sensors for light and temperature, etc.
Only such hardware countermeasures can counteract the source of the attack, because once the attack has been made, trying to defend against it by calculations is not feasible.

14:00 - 15:30 Panel: Economics of Security
Moderator: L. Jean Camp
Participants: Drew Dean (SRI), Andrew Odlyzko (University of Minnesota) and Stuart Schechter (Harvard)

Do we spend enough on electronic security? How can we judge when we are spending too much? Is there any way to evaluate expenditure? Is the value of cryptography subject to economic measurement?

Economics of Security Panel Notes, 1/28/03
Jean Camp, moderator
Notes by Rebecca Wright
Panelists: Drew Dean, Andrew Odlyzko, Stuart Schechter

Initial presentations

Brief intro from Jean: what is the security market?

Andrew Odlyzko

We are techies, used to formal models. Most people are not as sophisticated, and need simpler explanations and descriptions. Example: Honor System Virus. This virus works on the honor system. Please forward this message to everyone you know and then delete all the files on your hard disk. Thank you for your cooperation. This is a joke to us, but close to something that happens in reality. Also, it is necessary to recognize the needs of organizations and people in organizational contexts. Example: a major problem with secure systems is that secretaries could not forge their bosses' signatures. When systems that require this are implemented, bosses share their passwords with their secretaries. Similarly, adoption of provably secure time-stamping systems does not work well with intuitive flexible ideas that back-dating is appropriate in some cases. Delegation: ask a neighbor - please let the plumber in to fix the leaky faucet. Expectations: let the plumber in. If related business occurs, like the electrician shows up, they can probably let the electrician in. But if the electrician and plumber start taking out your furniture, your neighbor would probably call you or the police. A certain amount of human judgment is expected.
(This is why you don't ask your neighbor's 6-year-old.) Intentional ambiguity: proposed SEC rule alternate wordings. The desire for human judgment and ambiguity can limit the adoption of security technologies. Example of successful adoption of security technologies: HP9000 after-market ramp-up (graph). Printer manufacturers make the money on the toner cartridges more than the printers themselves. Competitors can also make compatible toner cartridges. Printer manufacturers have started to put security measures in to prevent/slow other manufacturers. Very quantifiable example. He thinks we'll see more examples like this: manufacturers using very specific solutions to improve the answer to a specific question. Speed bumps on the information superhighway. Cf. criminals will always find a way to make money. Security can be a speed bump to slow them down (rather than provably or certifiably secure systems). Also cf. the use of vaccinations, where a small percentage of vaccinations in the population can make a dramatic difference in lowering the spread of a disease.

Stuart Schechter

Measuring Security: are we spending enough on security? What we don't know:
  How secure is a system?
  What we're getting for our money
  What we would get if we spent more
  What we mean by security, anyway?
As a result, we spend too much on some systems and too little on others. Why measure?
  Determine which systems/components incur the most risk.
  Build/purchase systems that are more secure.
  Measure risk (essential to getting better insurance rates).
The security process: figure. Scope of this talk: measure security. What is security? The process of inhibiting those who would attack your valuables (i.e. make it harder, like the speed bumps Andrew discussed). Measuring difficulty: social sciences may be helpful here. Prices can be useful as a measure of difficulty as a cost. How hard is it for a society to make certain things happen?
The Market Assumption: a market for vulnerabilities will emerge when one individual finds it easier to find one and the other has more to gain from doing so. If you pay a fixed price to find a flaw, the adversary could do it too. The security or robustness of a system against a mode of failure can be measured economically, in units of dollars, i.e. the market price to find a flaw. Security fails in different ways, or failure modes - how system failure can be induced, what is lost. Different sites have different requirements, as different 'valuables' are there with different implications of different kinds of failure. Must measure two products against the same mode of failure in order to compare which is better (figure).

Bounding security. Placing an upper bound (e.g. on a competitor's system): offer to sell a vulnerability. The offering price is an upper bound until the vulnerability is fixed. Placing a lower bound (e.g. on your own system): offer to buy all vulnerabilities offered at a given price. Opportunity cost bounds security. BUT this can be very expensive if the system isn't secure. Security experts are regularly asked: which product is more secure? If we can agree on a measure of security, companies may invest in using it. Need to establish trust between buyers and sellers - must actually deliver money in the above scenarios.

Drew Dean

On the economics of computer security. Thesis: high assurance, secure systems are luxury goods. Look at how they are built:
  Lovingly crafted by hand by Math/CS PhDs
  Fewer features than mass market systems
  Slower to market
  Extremely expensive
  Only appeal to a small niche
These are features of luxury goods, not mass market goods.
Market-wise, you get trapped in a feedback cycle:
  Assurance isn't a checkbox feature
  Hard to tell if you have it
  Difficult to explain to customers
  Result: little demand, small market, high unit prices
Options w/formal methods (graph): cost x assurance for different formal methods. We're now in the lower left hand corner (low cost methods, low assurance results). We don't need to get all the way to the upper right hand corner (high cost methods, high assurance results). But he'd like to see us move to higher assurance, recognizing that higher costs result. The current economic climate makes proactive expenditures difficult. Costs of nothing are hard to quantify, so don't get compared to. Predictions: nothing happens with respect to security until a "train wreck" occurs. Intel got serious about formal methods after writing off $467M for the FDIV bug.

Discussion

Q: Andrew, re your printer graph and Stuart's talk - is there something in the graph that could be considered an "upper bound"?
A: Not sure.

Q: Re: lemon market. Computers are not less complex than cars. Can we hope to succeed in removing lemons from the computer market as they were removed from the new car market (and are now only a problem in the used car market)?
A (Stuart): Quantification is a requirement to make this happen (analogous to Consumer Reports).

Q: Luxury markets tend to evolve into necessity markets. Will this happen here?
A (Drew): Analogy - the security market would be like airplane makers needing to know how rivets work at the level of quantum mechanics. Non-composability of security is an issue.

Q (to Stuart): Question of market for vulnerabilities vs. blackmail.
A: Need for trust to develop in the market. When introduced by a company (e.g. RSA) it can be successful.

Q (from Adam Shostack): Most current attacks are using known vulnerabilities. Researchers move on to sexier problems even though solutions to the easier problems are not yet affecting practice. What will happen 5 years out?
A (Andrew): Not sure buffer overflows will be a problem in 5 years, but also practice will be slow to adopt. They're doing quite well already, thank you very much, and don't really need to pay for your security solutions. Systems are in fact robust, in a different way than we usually mean, but sufficient for their uses. E.g. faxing signatures around. We will continue to operate "at the edge of frustration". When things are too complicated, people don't accept them.

Q (Jean): Some people do prepare for the worst-case scenarios. Ex - NY knew where every school and day care center was in the WTC debris zone and was able to contact them.
A (Andrew): Yes, such things are a part of any infrastructure, and people will overcome certain kinds of competitive instincts and use reserves in response to emergencies. This is part of the human ambiguity we live with.

A (Drew, to Adam's question): Buffer overflow attacks took off after publication (when??), known since the 60's. Lots of research work in the 1990's or so, now tailing off because we have the techniques (even though they aren't much deployed). Drew thinks that buffer overflows will be solved by deployment, but that we'll see race conditions rise to dominance again.

Q (Paul Syverson, to Drew): Question analogies to the airline and automotive industry. E.g. the flight controller for the 777 was triple redundant and formally verified. Also, in the 1930's, a car crash implied death. This is where we are now in the computer industry. Role of insurance, govt regulation, consumer pressure in going through this process.

Q (unknown speaker, French): Requirements of different agencies are different from each other and differ over time. How can you balance security needs with needs to reduce costs? Biodiversity will be discussed after its lack causes a failure, but probably not before, as it would require additional resources to deploy.
(And even if you get it in there, you have to constantly fight the efficiency guys who will come in to cut unnecessary expenses.)
A (Drew): Yes, to some degree you're right. Quote - a program which has not been specified cannot be incorrect, it can only be surprising. The company must understand its requirements in order to solve them (though of course the process must be iterative to deal with a changing environment). No generic answer.
A (Stuart): Requirements and security get put to the side because the market doesn't "want a secure product". Need to get product to market dominates discussion. Only would need to put in security if competitors did, which they don't. (Chicken and egg problem?)

Q (Rivest): Discussion has been focused on the cost to developers of putting in security. What about the cost to society of not having it?
A (Drew): Good question. Lately the idea of strict liability has been thrown around. Tragedy of the commons. All of society pays when the latest virus goes around, but nobody wants to pay to solve the problem. Eventually something will happen, but doesn't know when.
A (Stuart): Society is a general term, which makes this hard to answer. Rational consumers do want to buy something that is better. But consumers and society don't know how to get to the next step. Need an understanding of risk assessment to help consumers understand when one solution is better than another.
(Rivest): My running an insecure system can hurt others, not just me.

Q (Adam): Do you really think consumers are making an irrational decision today, or are they just valuing security less than we do (and realistically assessing the cost of current secure solutions as too high)?
A (Stuart): Yes, they are making rational decisions because the cost even to assess security is high, as well as the costs to use potentially more secure nonstandard solutions (which are incompatible with dominant solutions).
A (Andrew): Example, the complexity of installing patches, when most consumers aren't attacked anyway.
They are behaving rationally and selfishly.

Q (Richard Field): Expand on Ron's point. Understands Drew's point that a catastrophe would be required to make something happen. What are the roles of external entities such as insurers, lenders, politicians, end users, regulators, critical infrastructure people, investors, venture capitalists, etc.? Will they drive those decisions even though security is hard to measure?
A (Drew): The answer to the question "which system is better, A or B" is currently that they are both bad. On the other hand, if we could just get rid of buffer overflows and race conditions, we'd be in a substantially improved situation. From a research perspective, we need incremental solutions but need them to be actually deployed. Without market choices, external factors won't have too much influence.
A (Stuart): Seeing it start to happen, e.g. Counterpane and monitoring firms are working out some deals with monitoring and liability rates (more info??).

Q (Rachel from Harvard): I don't run a Microsoft SQL server and don't know anyone who does. Yet there was a cost to me and many I knew in not being able to read mail because of an SQL security problem. How can I hope to address a problem outside of my domain, and how does it fit in any model?
A (Stuart): Part of the problem is that we expect to be able to use networks for a very low flat rate cost, which doesn't give an incentive to the providers to fix things. And adversaries have the same cheap access we do. Economic design of systems can have security implications.
A (Drew): DDOS zombie attacks are even harder because a longer chain is involved.

Q (Jean): Would the security in the software market work if there were a market in security? We have a monopoly in software. Is this the problem?
A (Stuart): Contends that Microsoft has more lines of code out there than anyone else.
If you could measure the security of systems, Microsoft would be at a larger disadvantage because their insecurities would be clear and their cost to improve is higher. Plus they have to constantly build more features and compete, so it is hard to also add security at the same time.
A (Andrew): There is a danger in monoculture, though there are also advantages which they exploited to become a monopoly. What we are seeing now is the interplay between these conflicting concerns.
A (Drew): Not clear to me that an absence of a monopoly would change things. Look at the subset that is competitive, such as the database market - even there, security is not very high in any of the competing products. Would perhaps give more choice to the small number of sophisticated consumers who care. Wouldn't have a huge swing otherwise.

Rump Session
Rump Session Chair: Juan Garay

Roger Dingledine
Discusses attacks on mixnets and pseudonym nets. Described the trust that is committed to the mixnet provider. Real anonymity requires that forward and reverse packets be indistinguishable. It requires the availability of multiple sources for lists of mixnets.

Glen Nuckolls: Efficient multi-source data query
Currently users query a single data source to get an answer. How does the user know the response is from the server? The data provider computes a digest and sends it to an untrusted publisher. A query can then be verified. The digest functions as a cryptographic checksum. Advantages are the untrusted publisher and allowing an increase in unreliable communications. Implemented with a binary search tree sorted at the leaves so the verification is feasible. Can apply to a general class of structures. Secure assuming a collision-free hash function.

Benny Pinkas: Protocol based key hiding
YAKE? - yet another key escrow system. This is protocol-based and does not depend on the particular cipher or hash; it applies to SSL, TLS, SSH2. Interoperable with current implementations and therefore supports incremental introduction.
Key recovery is done using hidden channels, so it is impossible to filter it. The only way to find it is to examine the source. So it is not a good idea to trust closed-source implementations of security protocols. Furthermore, only one side needs to run this protocol.

Applications: governments can add hidden recovery to existing systems; hackers can patch servers with this and obtain keys; closed-source providers: only reverse engineering reveals the attack.

The attacker changes the implementation of the client or server. The new implementation generates an EAF (encryption recovery key) with the public key of the recovery agency. The data would look like a random nonce to anyone but the escrow agent.

Implementation issues: low-capacity channels; the available fields are shorter.

SSL example: client randomness (public), server randomness (public), premaster secret (PMS) of 46 bytes of secret data. RSA is used; the PMS is generated by the client. The client can generate the PMS from short seeds and embed the encryption in the client randomness. SSL 3.0 padding for the block encryption (8 bytes): SSL 3.0 only checks the last byte of the decrypted pad, so set the length to 8 bytes, embed the EAF in 52 bits of encrypted pad, and find a 12-bit suffix such that when the entire block is decrypted the last byte has the correct value. Implemented; modified ssldump for key recovery. SSH2 is even easier. Have not looked at IPSEC.

Paul Syverson: Universal Encryption for Re-encryption of RFID tags (with Markus Jakobsson, Ari Juels, Philippe Golle)
Mixnets take in messages and reorder and encrypt them. Basic Chaumian mix review. If a server goes away then people keep encrypting messages and other messages cannot be obtained. New idea: mixing without keys; no need for PKI, no key protection. ElGamal with re-encryption. Universal re-encryption means providing an encryption of the message and an encryption of the number one; this can be re-encrypted because E(1) is the universal blank (cool). Any message resent through the network will look different every time.
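The universal re-encryption primitive just described (an ElGamal encryption of the message carried alongside an encryption of 1, so that anyone can re-randomise both halves without the public key), as an added Python example; this is not code from the talk or its authors, and the group parameters P, Q, G and the squaring-based tag encoding are constructed toy choices.

```python
"""Universal re-encryption (Golle, Jakobsson, Juels, Syverson) over ElGamal.
Added example, not code from the talk or its authors.  P, Q and G below are
constructed toy parameters; a real deployment needs a ~2048-bit group."""
import secrets

P = 1019          # safe prime, P = 2*Q + 1 (toy size, constructed)
Q = 509           # order of the quadratic-residue subgroup
G = 4             # generator of that subgroup (4 = 2^2 is a QR and 4 != 1)


def keygen():
    """Tag owner's ElGamal key: private x, public y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _rand_exp():
    """Random exponent in [1, Q-1]; 0 would leave a ciphertext half unchanged."""
    return secrets.randbelow(Q - 1) + 1


def encode(v):
    """Map an identifier 1..Q into the subgroup by squaring (toy encoding)."""
    assert 1 <= v <= Q
    return pow(v, 2, P)


def decode(m):
    """Invert encode(): P = 3 mod 4, so one square root is m^((P+1)/4);
    of the two roots r and P-r exactly one lies in 1..Q."""
    r = pow(m, (P + 1) // 4, P)
    return r if r <= Q else P - r


def encrypt(y, m):
    """Universal ciphertext = (E_y(m), E_y(1)).  The E_y(1) half is the
    'universal blank' that lets anyone re-randomise without knowing y."""
    assert pow(m, Q, P) == 1, "message must lie in the order-Q subgroup"
    k0, k1 = _rand_exp(), _rand_exp()
    return ((m * pow(y, k0, P)) % P, pow(G, k0, P),   # E_y(m)
            pow(y, k1, P), pow(G, k1, P))             # E_y(1)


def reencrypt(ct):
    """Re-randomise with no key: E(m) * E(1)^k0' and E(1)^k1' are fresh
    encryptions of the same m and of 1, so the tag looks new every time."""
    a0, b0, a1, b1 = ct
    k0, k1 = _rand_exp(), _rand_exp()
    return ((a0 * pow(a1, k0, P)) % P, (b0 * pow(b1, k0, P)) % P,
            pow(a1, k1, P), pow(b1, k1, P))


def decrypt(x, ct):
    """Return m, or None if the E(1) half does not decrypt to 1 (the
    ciphertext was made for another key, or was tampered with)."""
    a0, b0, a1, b1 = ct
    inv = lambda b: pow(b, P - 1 - x, P)   # b^(-x) via Fermat's little theorem
    if (a1 * inv(b1)) % P != 1:
        return None
    return (a0 * inv(b0)) % P


if __name__ == "__main__":
    x, y = keygen()
    tag = encrypt(y, encode(42))          # tag issued once by its owner
    seen = tag
    for _ in range(3):                    # untrusted readers re-randomise it
        seen = reencrypt(seen)
    print(tag != seen, decode(decrypt(x, seen)))   # prints: True 42
```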
Alice can go to the supermarket and at home the fridge re-encrypts. A reader can re-encrypt all tags a user is carrying. Universal re-encryption is a new primitive with nice applications. Open issues: universal semantic security, existential construction resistance.
Gene: What if the reader is dishonest?
Paul: You can detect it with shuffle proofs.

Shin'ichiro Matsuo: Ticket scheme for an intelligent transportation system (NTT; the NTT web site has more information)
Digital signature schemes take too long for a high-speed transportation system. They require challenge-and-response to prevent abuse, and this takes too long. Thus they introduce a ticket system that uses hashes and requires only a single communication, for use with a tamper-resistant device. The ticket issuer issues a ticket seed. The ticket is the hash of the ticket seed and the GPS location. The shop sends a receipt to the traveler. The traveler can verify the shop and then confirm. Neither knows the seed, so forgeries have a low probability of success. The hash-based ticket system requires less communication (one less message) and less computation. Implemented the ticket with a Pentium moving in a car at 50 mph. There is a full paper and information about the prototype available on the NTT web site.

Makoto Yokoo: Mechanism Design and Information Security (NTT)
Mechanism design is about designing an incentive mechanism so that individuals share preferences. Yet sharing a preference disadvantages an individual. Pareto optimal desirable outcome: the one who values the outcome most highly will get it. Second-price auctions have been shown to result in the optimal price. Revelation principle: if we can design a mechanism that achieves a certain property, then we can achieve the same property by a strategy-proof direct mechanism. Example: government using a second-price auction (remember that a second-price auction means that the winner pays the second bid, so if the bids are b1 > b2 > b3 > b4 ..., then the party bidding b1 wins and pays b2).
Secure combinatorial auction protocol papers that describe the entire system are available.

Nicko van Someren: Digitally Signed Physical Bearer Notes (work from nCipher)
Physical notes are protected by a work factor based on the complexity of construction. Yet they must be reproducible (so the treasury can print them), so any party with adequate skill and investment can reproduce them. Digital signatures have their security based on hard computations, verifiable without sufficient knowledge. It would be nice to have digital signatures on physical notes. But simply applying a digital signature to a note is a problem because you cannot tell it is the original; you could just run it through a photocopier. So you need a way to make notes unique. Random unique tags: numbers, paint dots, metal strips, entropy in some biometrics. Tags must be irreproducible. Pappu et al. provide microscopic properties created by lattice interference, amorphous light polarization (a physical one-way function). Strong soup: take advantage of the randomness of physical mixing (making a snowflake). Randomness is not adequate; there must be a template. Biometrics have templates to use. Using convolution, optical templates may be created. Take a unique physical tag that cannot be reproduced. Then write a digitally signed contract linked to that snowflake. Combining those allows a functionally unforgeable banknote. Thus high-value physical bearer devices could be made more useful.
Ron: There was an early RSA licensee who took the randomness of the fibers in the paper bill itself and then signed the bill. They went under. Oh well.
Moti: This is a flaky idea but it might work.

Moti Yung: Cryptographic protocols for markets with price discrimination
We should use crypto to implement price discrimination as well as auction design. Economics is a colonial field: every-economics; let's call this crypto-economics. Seller: good production requires $1500. Buyers: would pay <400, 600, 800>. With a minimum price the good would not be offered.
With discrimination the good would be offered. Price discrimination is good economics but bad business: unfairness, reselling. So maybe incent customers: once the seller's price point has been met, refund to customers. Price discrimination requires that users and sellers share information simultaneously. Commitment and hidden information help. Secure function evaluation: there are n people; each buyer computes a payment; the seller computes the price at selling points; each buyer pays via a fulfillment server; no one else learns an individual price. Vi election techniques can be used to prevent reselling prices. With the Paillier cryptosystem we can implement efficient protocols to solve the oblivious market.

Juan Garay: Strengthening ZK protocols using signatures (with Phil MacKenzie, Ke Yang)
Non-malleability from unforgeability; this coming Eurocrypt; making ZK more robust. ZK is an interactive protocol for proving knowledge of a secret without sharing any knowledge of the secret. ZK is secure in isolated or controlled synchronous systems. ZK in the real world means multiple parties, not always reliable communications, malicious parties. Non-malleable ZK means that a man-in-the-middle cannot prove a secret the MitM does not know. Universally composable ZK: arbitrary/composed protocols remain secure and non-malleable (think object-oriented and thread-safe) [Ca '00]. Concurrent ZK: logarithmic number of rounds, and lots of other ZK work. Start with ZK commit-challenge-response and use the known random public verification key, then wrap the protocol with a freshly generated key pair, then bind the signature wrapper to the proof (this also allows concurrency); also include the initial claim of the user before the challenge in the wrapper.

Wednesday, 29-Jan-2003
09:00 - 10:00 Keynote talk: Listening In on the UN: Technology Lessons from the Diplomats
Richard Field (U.S. Delegate, UNCITRAL E-Commerce Working Group; Secretary, Am. Bar Assoc. Section of Science & Technology Law). Session Chair: Jean Camp.
Abstract: Enabling rules on electronic signatures and records, international registry systems and electronic documents of title have all been the topics of recent international negotiation -- at the U.N., the Hague Conference, UNIDROIT and other international diplomatic bodies. This talk will look at recent successes, failures and ongoing global harmonization work that have a direct bearing on the development of payment and financial systems.

I am here to tell you what the diplomats are thinking. Not the standards people but the diplomats. While you think transferable paper is not money, to a diplomat it is all the same questions. Ten years ago I sat down with the technology people and it took two years to understand what each other were thinking. Now there is a global UN awareness of what a certificate authority is. When a country comes into the UN there is a heavy cultural

You need to be aware because the law will drive what you can do. You have to pay attention because the law will shape the market and the market will shape your solutions. Finally, you can affect the process that is going on. Out of the Hague the US pushed something called the judgments convention: a country must enforce the judgments of other countries. As e-commerce started, two consumer people, Jamie Love and his spouse, have single-handedly stopped that convention in its tracks. Whether you stop something or not, you can affect it. There are NGOs and people who need expertise. If you have something to say, you can say it.

What causes an issue to get to the top of the international agenda? It is very expensive; it is very slow. Really slow. But the process does lend itself to one thing: problems end up making themselves known. The issues out in the world where some group is having a problem. The international maritime community has a problem with paper and ownership. Documents of title were getting there after the goods. The finance people have come. The international notaries are having serious problems.
These are trade issues where it is slowing down development. Liability is always a lurking elephant. There were 6,000 references in the MA code alone, the legal formalities, to writing and signatures. How can you sell a product and get financed for your risk if there are a thousand laws? Evidence rules vary wildly. What is the value if a signature gets past the front door? The law is trying to leave this to the process of judicial resolution because it is changing so quickly. There is variation: the US approach and the EU approach. Harmonization is a tremendous problem. Socially passionate issues: gambling, Nazis, explicit sexuality. The general solution to these international trade barriers is not to address consumers, but it is getting harder and harder.

In e-commerce, incorporation by reference is required; the ITC was planning to do an eterms repository. Should it be on your own server? Should standard terms be legislated? A standard short-form power of attorney has one line, "do my banking", referencing three pages. What about when the reference is in a different language? What is a guarantee on a check? What is a limited endorsement? Do you want enabling rules or regulatory rules? Enabling lets business do more certain things with predictability and reliability. What about click-wrap? Contracts have eliminated all fair use and the right to criticize a product. Is this enforceable? This tends to be US vs. EU, with the EU advocating regulation. Limits of contracts will be the major battleground for the next decades. Why doesn't technology solve these problems? Why don't Palladium and DRM solve all of these problems? The legal and diplomatic communities do not know how to approach it.

How has this been approached?
1. get rid of formalities
2. applications relating to formalities
3. build real business applications
General principles of technology neutrality and party autonomy, with an ideal functional equivalence between paper and electronics.
The diplomatic instinct is to avoid two sets of rules. The instinct is to stay technologically neutral and define the old technology as neutral (paper is therefore neutral). On paper you have biometric identification (face to face) tied to the paper contents, usually providing integrity. So the recipient is liable for fraud. Yet when you are not face to face the liability changes. If you mail a check the bank is responsible for authenticating, and if the signer were irresponsible then the signer is liable if negligent. So paper rules change.

Electronic agents: lawyers call them 'automated electronic systems'. Agents can enter into a contract on your behalf. A contract is a meeting of the minds in many countries. So if you download an agent and it makes a contract, is that your intent? The diplomatic impulse is "yes". Is that fair? Will that work in the future? The diplomats need to hear from you whether it is right or fair.

A core desire is that you want to recognize if something is foreign. We have seen most of this in UNCITRAL. Basically the global rule is "Don't say it does not have effect just because it is electronic." This was a radical change. The failure so far with this is that there is no global law on authentication, non-repudiation, and liability. In the US we have Reg E, Reg Z. Why do people use cards in the US? Because the consumer is protected; the banks face strict liability. B2B is different. If there is a commercially agreed-upon legal procedure the company is liable.

Technological neutrality: Baum and Froomkin set up the PKI group. The rest of the ABA hated it. Therefore everything we have is technically neutral. No state can write a law requiring a PKI. The Europeans love that PKI.
Paul: Doesn't the PKI raise constitutional questions?
Richard: Everything the US has done in the past five years has constitutional implications. This one is on safe ground because of the Commerce Clause.

Now to 2, the applications. Where are they coming from?
In the 1980s there was a convention on bills of exchange and promissory notes. That was all paper. Should we adjust this for electronic notes? Transferable payment instruments and negotiable payment instruments. The UN also has a convention on the international carriage of goods: sea, roads, etc. What about on-line? How do you prove an electronic message represents goods? Well, what kind of goods? Tangible goods, intangible, international on-line arbitration.

The Hague has a law on the international transfer of securities. No longer do people get a certificate. Then it became the fact that GM would record your ownership. Now Merrill Lynch has 1M shares and each customer has 50 shares. The US solved this by declaring a new kind of property. ML goes bankrupt: what do you own? We invented it. All the conference wanted to say was what it is, and where the goods are. We are going to define where it is. So the UN has only decided where it is, and that is grossly abused.

The UN has been having a new transaction on mobile receivables. Think about where a bank wants to lend you money and take an interest in something of yours. If you do not pay back the loan they get priority over others. How do you set priority? It has to be public knowledge, so you file in a jurisdiction. So what about mobile equipment? Aircraft frames and aircraft engines and space ships all have their own regimes. Think about the financing for the aircraft industry; it is huge. So there is a global electronic registry that places mobile things in a jurisdiction. It will not be in the US or France. The convention does not talk about authentication or non-repudiation. So they have ignored that issue. The international civil aviation authority owns all the data and they are indemnified, but the registry is liable for its own mistakes.

The OAS (Organization of American States) is active. Negotiable bills of lading for roads, but they have not gotten to electronic bills of lading.
The US and Mexico agree but Canada disagrees, while Brazil follows a more European approach. Goods can be tangible, intangible and mixed goods. Money is just a form of intangible goods. Buy a car: it has software in it and GPS access. The Uniform Electronic Transactions Act says that there is such a thing as a negotiable instrument. It says it has to be secure. The assumption was that it was an electronic token as opposed to a registry. Now they want it to be a registry. UETA came from the mortgage industry, which wants to trade mortgages electronically more effectively. States can enact UETA only as it was originally adopted (token based). When there is a registry it will be centralized. Negotiable instruments are converted from physical to electronic. When does one cease to be the item of interest?

Incentives to improve security: how do you improve the system over time? You shift liability to the party best able to improve it. The Australians have adopted a new EFT. They said if you use PIN security and the user writes the PIN number down, then the user is liable. This suggests that there will never be a better system because there is no incentive.

Closing: participate; contact Richard.

This talk suggested that next year's papers might include: maritime digital titles, transferable and negotiable electronic records (token mortgages), international digital notaries. These are some real-world problems with specific risks and data characteristics for FC.

Fair Exchange
Session Chair: Ari Juels

Timed Fair Exchange of Standard Signatures
Juan Garay and Carl Pomerance
Fair exchange is focused on the ability to recover, and it is also difficult to do massively parallel. Some of these solutions put a big burden on the prover, for example requiring the prover to generate a puzzle. The goal is to create a computationally bounded system with timing.
The contribution of this work is timed fair exchange of standard signatures which admit blinding: a new time structure called mirror time-lines, and a timed protocol for fair exchange of arbitrary values. There is prior work on time: the Cypherpunks mailing list sends material into the future (May 93); there are time capsules for key escrow so that you get verification at escrow time (Bellare & Goldwasser 96, 97); (Rivest, Shamir, Wagner) building secure puzzles to hold secrets, computationally intense; (Boneh & Naor 00) timed commitments, extension to standard signatures (not for standard signatures); the authors' previous work includes timed-release signatures.

So square a number some number of times (mod N); you can do this in a series so the distance grows exponentially, so you can release the information by reversing roots beginning with the greatest distance from the initial variable. Time lines are created for g, g^2, ..., g^(2^k). You can create time-line values by multiplication by R. So you begin the exchange by committing to a time-line-hidden value. Security constraints: binding to value, privacy... *Privacy here is specialized to mean that the data owner can set an initial time and within that computational time the data are hidden. The creation here is a time line that has first increasing and then decreasing distance. This means a time line can be defined by the initial point, the median, and the end. The initial act is to prove knowledge of the first point.

Asynchronous Optimistic Fair Exchange Based on Revocable Items
Holger Vogt
Revocable items are digital items. Detailed descriptions exist for both items, and the items can be checked when the descriptions are given. Exchanges without trusted third parties have been limited to specialized applications; the general fair systems have used a TTP. Some solutions have no automated dispute resolution. Those that do include a TTP. Then there are some solutions where the third party is involved in every exchange, and these have problems with scalability.
There are also optimistic protocols, meaning that the trustee is needed only for dispute resolution. In terms of transaction costs and scalability, optimistic fair exchanges are optimal. Of optimistic exchanges there are synchronous and asynchronous. This proposal is for items where generatability is required. Generatability means that the trustee can generate the item, i.e., escrow systems. Weak generatability means that the trustee can know if the user is cheating.

Auctions
Session chair: Ari Juels

imho: Auctions are of increasing importance in the policy world. Privacy in auctions yields stronger auctions because in public auction design price is often used to signal out-of-band and manipulate the auction. Some solid overviews of the economics of auctions can be found at: Arrow, "The Economics of Agency," Chapter 2, in Principals and Agents, pp. 37-51. Telecom companies' use of open information to communicate in high-value spectrum auctions is a chronic and systemic problem for public agencies trying to capture the value of the spectrum for the public. A good place to look at the problems with auction design and what crypto might contribute is http://www.nuff.ox.ac.uk/users/klemperer/papers.html. A classic example is the use of the least significant digits in a bid to signal to other bidders the plans in the next round. You can see this in Mercury in 1997. For example, are there anonymous descending-price repeated-round auctions?

Fully Private Auctions in a Constant Number of Rounds
Felix Brandt
A fully private repeated-round auction. Note that this is implemented using ElGamal with a public key that all bidders participate in creating. (This would be optimal for governments, since all telecom bidders are known well in advance, and it makes charges against the gov't easier to defend against.)
By using repeated rounds the protocol can combine the advantages of an open auction (as bids are exposed and the winner's curse problem is mitigated) and help prevent next-round signaling by removing the identity of the signaler. (For example, a BTT signal to fight hard for a particular spectrum segment has true meaning; Bob's Excellent Phone Company does not have the same force.)

Secure Generalized Vickrey Auction using Homomorphic Encryption
Koutarou Suzuki and Makoto Yokoo
A solid overview of the types of auctions using homomorphic encryption. Determine how to take the price without revealing the price. GVA is a generalization of the Vickrey (aka second-price) auction for a combinatorial auction and is incentive compatible. The implementation shown here is a secure GVA that hides prices.

Thursday, 30-Jan-2003
09:00 - 10:30 Panel: Trusted Computing Platforms: The Good, The Bad and The Ugly
Moderator: Moti Yung
Dirk Kuhnman (HP), Paul Kocher (Cryptography Research), Marc Briceno (independent security researcher)

TCPA and Palladium "trusted platform" activities have raised many questions and objections. In this panel, we will confront the proponents and opponents of these ideas and raise more awareness regarding ways of use and abuse of these ideas. The good part is all good: the keys can be protected. The bad is that the corporate alliances, e.g. Microsoft and Intel, can exert undue control and kill open source.

Dirk Kuhnman: About the corporate position and the labs position. The HP corporate position is that we will sell whatever Microsoft offers. As to what extent HP has influence on whatever comes up with Palladium, there is little. As for the labs, they have the technical directorship of the TCPA committee. There is a book on trusted computing by HP Labs; I am one of the proofreaders of this book. Apart from this I have been mostly involved in developing and researching open source software systems.
I have helped to kick off the HP Labs secure Linux that was marketed for a year and then taken off the market.

1. The unavoidable
2. The questionable: why it is not always good to be good; why trusting yourself may not be good enough; why openness is not always trustworthy
3. The avoidable

1. The unavoidable
IT technology is neither a tool nor a medium but something else. With telephones and mail the medium does not itself alter the messages. Computers, on the other hand, alter the message. Agents on the computer can obfuscate or modify the actions so that the user's goals are undermined by the active nature of the computer. So how can we create a tool such that the tool does not alter our intents when it transfers our knowledge? As these machines perform billions of operations per second, there is no way the user can supervise the processor. So a hardware platform is required.

2. The questionable
Q: Why is it not always good to be good? Technically savvy people want to have total control over all the elements of their own computers. Yet when your machine is communicating with others you are always facing a situation where there are implicit agreements with others. There is no cultural framing to communicate the implicit baseline. So when you communicate it is simply necessary that each user give up some freedom to allow the larger network to work.

Q: Why is trusting yourself not good enough? The hypothesis here is that if you are very capable then you should be trusted to be the capable administrator that you are. Here you will solve the trustworthiness for your own system. But you cannot communicate the trustworthiness of yourself to others. The system must verify itself. Attaching the trustworthiness to human operators or brands is flawed; it must be attached to a computer. This is not democratic, since only the established players will be trusted. So TCPA is an empowerment technology, not a control technology.
Q: Why is openness not always trustworthy? In order to have assurance you have to walk through the code and have procedures. But if someone could alter the code then it would no longer be trustworthy. Security is orthogonal to licensing. According to the GPL you can alter code, but altering security code removes its assurance. The users who have secure Linux are banks and companies that invest for themselves. And this is not distributed. Open source has to have a model that allows sharing and confirms trustworthiness. <<He says big vendors and companies have not stepped in to give assurances. But probably the government will have to tax and generate secure software.>>

3. The avoidable
There is a virtue in not controlling something: if a user cannot alter the behavior of his or her computer to be untrustworthy, then the user should be trusted by virtue of the user's loss of autonomy. Much of the discussion of TCPA is about what a major company will build on it, how Microsoft will leverage this to control users. If code is law then it must be validated by public discourse. So components that are not controlled must be open source so they can be vetted. Therefore TCPA makes open code much more important.

Conclusion: Instead of fighting this technology the community should focus on supporting the software and building something on it, because openness is a necessary but not sufficient condition for creating a trustworthy TCPA.

Paul Kocher: The company I work for has done work for the RIAA and the EFF. From a business perspective we can see both sides. Whoever will pay us, we will work for them. What is trustworthy computing? Can you build a computer a user can trust? Can you build a computer a networked anonymous person can trust? We are doing a terrible job of building machines worthy of a user's trust because the complexity of a system is continuously increasing. It is no longer possible for a single person to know all things and all bits inside a machine.
So even experts can no longer be certain. For Disney and the RIAA, they want to control high-value commodity content on the machines of remote users. What are intellectual property rights and are they a good thing? Among technical people the notion of intellectual property rights is one that people meet with hostility. Intellectual property is the ability to dictate your own work. <<Intellectual property is property, and by definition property is the right to exclude others from access. Refusing access to words means limiting speech rights. So intellectual property is a passionate debate because it is a conflict between the two core American rights: the right to property and the right to speech.>> Intellectual property owners have a right to remove the autonomy of users so they can be certain about the use of their content. As cryptographers we have failed to develop workable business requirements for intellectual property systems. Practical applied research should solve Hollywood's problems or they will push for additional controls. So we will turn over to Lucky.

<<I would argue that power always increases the desire for control, and Hollywood is exerting control because they can, not because they need to. Technology will never offer a static certainty; business models change. Reality TV has changed the video entertainment market. It is a dynamic industry; all the legislation in the world will not change that.>>

Marc Briceno, aka Lucky Green: In my statements you will hear quite a bit of intent. Because trusted computing is ensuring your betrayal. I want trusted computing very, very badly. I know I cannot trust my computer. I would love to be able to tell what state my computer is in.
Let us look at public statements about what the technology is intended to do. TCPA is supposed to make the PC the core of the home entertainment industry. The head of TCPA made five or six comments about how TCPA is absolutely not for DRM. The head of TCPA has said, "There is certain content that owners will not make available on the PC platform. That is unacceptable and we will solve this problem one way or another." This was the second TCPA working group. The business objective of TCPA is DRM first and foremost. As was said at USENIX Security, the content providers will never see anything over NTSC resolution unless they plug the "analog hole", meaning make it impossible. Microsoft claims it loses millions from illegal copying, and Microsoft wants to end that. TCPA will do this.

TCPA is about defining the future of the PC. Anyone who would purchase a machine has done so. So how does one grow the market? According to the PC industry the market is saturated. Another market is the home entertainment center. At the center of the home entertainment system can be Sony 5.0 or something Microsoft. Sony sells more consumer electronics than MS has ever sold software. This market is giant and will be hotly contested. Microsoft believes that TCPA is the only way to win its coming battle with Sony for the heart of the home.

The objective is to prevent user autonomy. This enforces three levels of access:
1. highest level access: you can see everything going on, you can know what is happening and you know the state; this is reserved for owners of high-value content, not users
2. user access
3. minimal access
Trustworthy computing now means that third parties can trust the computer to enforce rules in opposition to the desire of the users.
Gates: Control of our own documents is much more interesting.
Levy: You can cause Word to create documents that can only be read for the next week without additional payment.

Quiz: What does a federal prosecutor call a bit of software that inter-operates with DRM-protected file formats? A: A DMCA violation! Meaning five years if you create software that reads DRM-protected formats, so that creating interoperable technology is a felony. $50,000 per device. This will allow the feds

MS media player license agreement: Microsoft reserves the right to disable your ability to use other software on your computer.

When soliciting members the proposal was to enable secure boot. Within the working groups the purpose was to enable DRM to serve the MPAA. Later the pitch was to enable DRM for everybody. Now TCPA is to eliminate all spam, viruses and hacking. Next pending, the architecture is being pitched to the Office of Homeland Security. MSFT: Palladium will not be required to read files created prior to the introduction of Palladium.

Potential countermeasures: reject TCPA. Demand owner override. The security of a simple trusted system depends on the owner not having access to the keys. If you do not have access to all the keys then you cannot control your own machines. Caveat emptor: if a system tells you that you are loading keys, make sure the use is not flagged to enable enforcement.

Kocher: Laws are on the books. Philosophical question: do intellectual property owners have the right to provide content for proprietary platforms? Currently there are several examples, such as cable boxes, copy-protected software, etc. His sense is there's nothing inherently wrong with this. He believes this is the functioning of the market.
Marc: I made no issue of the IP issues because I do not think they are relevant for the property debate. I know that intellectual property is on people's minds. I do not care if content providers include various restrictions that content owners use.
What concerns me is that the content providers, through the operating system providers, are turning the general-purpose machine into a machine with a platform for a back door that I cannot control or close. I care because TCPA is designed to make computers less secure.

Dirk: I was worried about a Palladium discussion. Palladium isn't Palladium anymore. Palladium is not TCPA. There was a point about preventing root access on your machine. This is about preventing root access while engaging in communications with another entity. After this you will have access on your system. This is about contractual agreements in communications situations. Now the good guys don't want to do any harm, but they cannot prove they don't want to do any harm. User override will be possible. Conceptually and technically TCPA clearly allows user override. If user override means key access, then lack of user access is very good, because loss of user autonomy makes users trustworthy. Migratable keys can come with different security classifications.

Paul: One comment: providing user override with the platform previously known as Palladium, well, there are so many changes you have to change all the architecture and the keyboard and everything else. I cannot see how anyone could come up with such a strong PC. It will not exist.

Marc: I would also like to have 20 devices of perfect security devices. TCPA takes root access from a user: if you are root then you determine which instructions your CPU sees and executes. Under the TCPA regime the system cannot work. It requires removal of user autonomy. TCPA is about protecting content from others who believe the information must be protected from you after you purchase it.

Paul immediately proposed an override that was an off button. Dirk proposed that you can turn it off if you are not on line and not using any Microsoft software.
Moti: Before questions I have something to say about what Paul said: the research community failed to create a DRM solution. No, we cannot solve the DRM problem.

Drew: To Dirk, I was at the DRM workshop last year. The EU will get the same horrible laws we are. Consumers will refuse to purchase DRM products. They are not serving a market, so purchasers will not sell.

Paul: I think market-driven systems are the way to go. If users don't like it they will avoid it.

Ray: TCPA tries to solve the problems of content owners. Can we make the problem of content owners and machine users distinct?

Dirk: Researchers have tried to come up with the minimum amount of crypto primitives that allow for a secure boot. If you can find out that a simple mechanism is possible to have monitored boot then let us know. Can we allow for a secure boot without allowing things? Not possible now.

Paul: Users want to be able to put information in front of a website and know that the remote computer is what they think.

Adam: In regards to Drew's comment about a pocket veto, it will be difficult to buy a system which does NOT have TCPA elements built in. I bought this machine, so you need to have Office to create complex Microsoft documents. I am a technical person and I explored all the available alternatives, so my ability to pocket veto what I don't want and don't like is not there.

Marc: This loops around to the market force in TCPA in Palladium. As HP has said, HP ships whatever Microsoft desires. I asked a senior AMD person if they would support TCPA; because Microsoft and Intel decided on the feature, they had to include it. The market forces are distorted. Those who work in large MS environments know that they build incompatibilities so that one person's upgrading forces anyone who would communicate to upgrade. The current goal is to mandate the use of this technology by the Federal government.

Dirk: It is likely that TCPA systems may be cheaper than others.
As for plans to embed TCPA on chip, then there would be a requirement to cut off TCPA. It is possible to run Linux on TCPA if it is loaded on the box at the vendor. Getting technology without TCPA in the future may not be possible. As for the comments that TCPA is actually pushed, it is only pushed because the original intent of this technology is DRM. IBM sells TCPA computers where losing a laptop does not mean losing their data. HP will sell a similar thing. There is a nice business without TCPA. In fact the original intention is to work through the corporate space for road warriors or teleworkers. This market is already there. We are facing groups that are fighting TCPA on political grounds.

Drew: I was talking about mass media, and Office is completely different. Let me remind the panelists of CT by 92. I do not believe in the power of mandates.

Julian: TCPA is giving up your rights on your own computer so others can trust you. What do I gain if I give up control? What if something goes wrong? Then it is all my fault. Then if there is a bug, who should I blame?

Drew: Worse yet, if you broadcast viruses to many users, are you liable?

Paul: We have reached a point regardless: you have no control over your PC anyway.

Julian: You decide which applications you run. But you know what applications you run.

Paul: An install program is to install whatever you want. Right now consumers have lost power in dictating what goes into technology. People accept the worse material. What is needed is the consumers' union which revolutionized non-technical goods and altered the sale of unsafe products. Users should have products that meet their needs.

Dirk: The evolving area of computer security economics is dealing with this question. I doubt agencies cannot work because they cannot access the software. They are not able to verify the software. Closed code is not good enough for this community and not good enough for government.
It takes a long time to understand this and individual consumers cannot do this. I know one thing: if we just say we cannot do this then we have given up our control of technology. We should go back to paper.

10:30 - 11:00 Coffee Break

11:00 - 12:30 Cryptographic Tools and Primitives
Session Chair: Benny Pinkas

On The Computation-Storage Trade-offs of Hash Chain Traversal
Yaron Sella

Nice overview of hash chains and their use in authentication. There are two naive approaches to traversing a hash chain: you can store only the root and then compute all the others, costing O(1) storage and O(n) computation; or you can store all the links, with O(1) computation and O(n) storage. Last year there was an FC paper to traverse a hash chain so that storage is O(log n) and computation is O(log n). Here the focus is on O(c) computation for some storage trade-off, for example for heavily loaded servers. The hash tree traversal protocol provides constant O(M) computation with storage requirements of O(k n^(1/k)). Then, starting with the case n=1, he illustrates that length optimality is an interesting and open question with respect to this protocol. Yaron starts with a "b-partition": he divides the chain into subsections and stores the left-most link of each subsection. He then recursively b-partitions and shows an example, so that the root is the base of the first b-partition and the partition creates new trees/subsections. The protocol begins with a b-partition. Each time a b-partition occurs, a pebble is placed in the subsection's left neighbor. The pebble induces a b-partition at its node. A pebble is a dynamic storage element that dies after it is done. Very nice dynamic illustration of the general protocol on a short hash chain. He expands it nicely to double hash chains for the case of two parties committing. The use of simple visual aids is very effective but cannot be reflected in the notes.
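To make the two naive traversals and the storage-computation trade-off concrete, here is an added Python example (not code from the talk or the paper) that runs three traversers over the same chain while a verifier holding only the anchor checks every revealed link with one hash. It implements only a single level of the b-partition, storing the left-most link of about sqrt(n) subsections, so its constant cost is amortized rather than the per-step constant described for the pebble protocol; the SHA-256 step function, the class names and the seed are constructed for the example.

```python
import hashlib
import math

def H(x: bytes) -> bytes:
    """One hash-chain step (SHA-256, a constructed choice for this example)."""
    return hashlib.sha256(x).digest()

def build_chain(seed: bytes, n: int) -> list:
    """links[i] = H^i(seed), i = 0..n; links[n] is the verifier's public anchor."""
    links = [seed]
    for _ in range(n):
        links.append(H(links[-1]))
    return links

def counting_hash():
    """A wrapper around H that counts the hashes a strategy spends after setup."""
    calls = [0]
    def h(x: bytes) -> bytes:
        calls[0] += 1
        return H(x)
    return h, calls

class SeedOnlyTraverser:
    """Store only the seed: O(1) storage, O(n) hashes per revealed link."""
    def __init__(self, seed, n, h):
        self.seed, self.h, self.i, self.peak = seed, h, n - 1, 1

    def next(self) -> bytes:
        if self.i < 0:
            raise IndexError("chain exhausted")
        x = self.seed
        for _ in range(self.i):       # recompute H^i(seed) from scratch
            x = self.h(x)
        self.i -= 1
        return x

class StoreAllTraverser:
    """Store every link: O(n) storage, no hashing while traversing."""
    def __init__(self, seed, n, h):
        self.links = build_chain(seed, n)[:n]   # setup cost, not counted
        self.i, self.peak = n - 1, n

    def next(self) -> bytes:
        if self.i < 0:
            raise IndexError("chain exhausted")
        self.i -= 1
        return self.links[self.i + 1]

class CheckpointTraverser:
    """One level of the talk's b-partition: keep the left-most link of each of
    about sqrt(n) subsections and rebuild the current subsection into a small
    buffer on entry. Storage O(sqrt n); O(1) hashes per link amortized, with
    a burst of about sqrt(n) hashes at each subsection boundary."""
    def __init__(self, seed, n, h):
        self.h = h
        self.m = math.isqrt(n - 1) + 1 if n > 0 else 1   # subsection length
        self.checkpoints = []          # checkpoints[j] = H^(j*m)(seed)
        x = seed
        for i in range(n):             # setup cost, not counted
            if i % self.m == 0:
                self.checkpoints.append(x)
            x = H(x)
        self.buf, self.i, self.peak = [], n - 1, len(self.checkpoints)

    def next(self) -> bytes:
        if self.i < 0:
            raise IndexError("chain exhausted")
        j, off = divmod(self.i, self.m)
        if not self.buf:               # entering subsection j from the right
            x = self.checkpoints[j]
            self.buf = [x]
            for _ in range(off):
                x = self.h(x)
                self.buf.append(x)
            self.peak = max(self.peak, len(self.checkpoints) + len(self.buf))
            self.checkpoints.pop()     # checkpoint j is spent
        self.i -= 1
        return self.buf.pop()

def traverse_and_verify(strategy, seed: bytes, n: int) -> tuple:
    """Reveal the whole chain with one strategy while a verifier holding only
    the anchor checks each link with a single hash. Returns (hashes spent,
    peak storage in links) so the trade-offs can be compared side by side."""
    h, calls = counting_hash()
    t = strategy(seed, n, h)
    commit = build_chain(seed, n)[n]   # the verifier's anchor H^n(seed)
    for _ in range(n):
        link = t.next()
        if H(link) != commit:
            raise ValueError("revealed link does not extend the chain")
        commit = link
    return calls[0], t.peak

def compare(seed: bytes, n: int) -> dict:
    """Hash count and peak storage of each strategy over the same chain."""
    strategies = {"seed_only": SeedOnlyTraverser,
                  "store_all": StoreAllTraverser,
                  "checkpoint": CheckpointTraverser}
    return {k: traverse_and_verify(s, seed, n) for k, s in strategies.items()}
```

For a 16-link chain the seed-only traverser spends 120 hashes with 1 stored link, storing everything spends none with 16 links, and the checkpoint traverser spends 12 hashes with a peak of 8 links.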
Verifiable Secret Sharing for General Access Structures, with Application to Fully Distributed Proxy Signatures
Javier Herranz and Germán Sáez

This work is related to secret sharing, threshold protocols and proxy signatures. This protocol allows delegation of signing capabilities from one distributed entity to another. Illustrates some interesting applications and use with three types of delegation: full delegation, proxy-protected delegation and proxy-unprotected delegation. (Fits well with Richard Field's point about the meaning of power of attorney and how we don't know how that might map. This work expands that understanding.) He wants to expand this work to other signature schemes in the future.

Non-interactive Zero-Sharing with Applications to Private Distributed Decision Making
Aggelos Kiayias and Moti Yung

Private distributed decision making is a core problem in cryptography. It requires security, privacy, efficiency and trust. Generic protocols are not efficient, especially as the number of participants expands or as the group members change. This work builds on previous e-voting work and proposes applications of PDDM. These applications take more narrowly defined crypto protocols and systems and, with small reconfiguration, apply them to a far larger and arguably more realistic set of general problems.

Closing Remarks
Phong Nguyen, General Co-Chair

Please fill out the feedback. Taxi coordinating list. Thanks. Figures on the conference: 40% non-US, 6% Asian; 40% academic, 40% industry, 20% students. By hours, Internet surfing was more popular than physical surfing. T-shirts are still available.

Jean's Closing Remarks

Every time I leave I come away with six papers I want to do. A paper on the possible implications of Euro RFID for the policy audience. An analytic simulation of different anonymous systems. A survey paper on all the micro-payment systems used in transit systems.
A risk analysis about the change of keys based on the lifetime cycle of money, assuming that banks can re-encrypt. (E.g., in Russia dollars are held a very long time as insurance against ruble failure. In the US most dollars go from ATM > consumer > merchant > bank. US solutions would be damaging for Russia.)

____________________________________________________________________
NewsBits
Announcements and correspondence from readers
____________________________________________________________________

February 5, 2003

Eugen Bacic (ebacic@rogers.com) wrote the memoriam below about the loss of our colleague Milan Kuchta last November.

Milan Steve Kuchta
In Memoriam

Born 22 December 1950, Chatham, Ontario. Died 14 November 2002 at home in Ottawa, Ontario.

Milan attended the University of Western Ontario, obtaining an Engineering Science degree in 1972. He later followed this with a Masters degree in Electrical Engineering from Carleton University in 1982. However, in spite of his training in engineering, Milan considered himself a scientist, rather than an engineer. He found that his academic background and work experience further strengthened his beliefs and faith in God, and he was unimpressed by quasi-intellectual theories.

Although he shied away from public demonstrations of affection, Milan was a very warm-hearted and generous person, giving freely of his time to assist others. He had a strong sense of family, greatly enjoying all his nieces and nephews and spending time teaching and encouraging them. With his ever-present positive synergy, loyalty and willingness to provide assistance, whatever the challenge, not only was Milan well liked and admired by his colleagues, but regarded as a wonderful mentor. Everyone who knew Milan appreciated his laugh, accepting the fact that Milan's jokes were usually funnier to Milan than to anyone else. Yet they were always based upon his in-depth knowledge and understanding of the world as a whole.
He could, however, be quite persistent, as was the case when he insisted that his eyes were fine, but that the lighting in restaurants was getting dimmer every year.

In 1974 Milan joined the Communications Security Establishment (CSE) and within a year was heading up the Cryptographic Design and Evaluation Unit. Realizing that information security was a new and rapidly emerging field, Milan grew his section into the security authority in Canada and began making CSE's presence known in the field of information security. A regular at those early computer security conferences, Milan would in later years introduce new employees to the storied names of computer and information security. Anyone walking the halls of the Baltimore Congress Centre during the annual U.S. security conference would immediately realize that Milan not only knew security but was known in security.

By the mid 80's Milan began to realize that the CSE required an even larger presence in the Information Security arena and began drawing up plans for what was to become, in 1987, the Canadian System Security Centre (CSSC). His vision entailed hiring motivated staff willing to push the envelope in security, R&D, training, and criteria. Milan's desire to share ideas and see them come to fruition resulted in him granting his staff a huge degree of freedom. Working closely with various research laboratories at the NRC and Defence Research as an equal, Milan was able to fund advanced projects that would result in the emergence of some of the best known names in computer security.

Milan left lasting impressions on staff and colleagues the world over. He knew and had the respect of leading computer security scientists in every industrialized nation on Earth. When, in the early 90s, Milan decided to host a series of workshops to fine tune what was to become the Canadian Trusted Computer Product Evaluation Criteria, there was more than ample interest.
In fact, dozens of the best security minds came up to Ottawa at Milan's bequest, in the middle of February, to assist Milan in his endeavour to create a modern evaluation criteria. With the assistance of his team Milan realized that vision, and many others. The work on the Canadian Criteria went on to be used as the basis for the US Federal Criteria and finally as the cornerstone for the Common Criteria. On both projects members of Milan's team were lead authors and contributors. To this day Milan is fondly remembered as someone who understood security and was willing to look far down the road and make security an enabling technology, something to improve everyone's life.

In 1995 Milan left the CSE and began research in the field of network autonomy and security as an independent consultant. He spent the next eight years of his life working on his vision of intelligent, interconnected network security components known as Ironman. Perhaps the most fitting tribute to him is the fact that on the day he died he excitedly discussed the possibilities his technology offered to the security world with an old colleague. He was looking forward to sharing his years of research with those that he respected and admired for nearly thirty years -- his second family, those individuals the world over that make up the information security community that he'd been a part of since 1974.

One of Milan's colleagues from the U.S. National Institute of Standards and Technology wrote: "Milan Kuchta was truly a pioneer and visionary in the field of computer and information security. His passion for his work and vision touched those around him and extended into the international community. Milan's leadership and spirit of cooperation significantly influenced the direction and outcome of some of our most important international information security standards and standards-related projects".
Growing up on a farm in southern Ontario, Milan developed the interests, beliefs, and values that would form the guiding principles in his life. From his rural roots he gained an appreciation for nature, the outdoors, and wide-open spaces. The last seven years of his life were spent surrounded by nature in a house nestled on the shores of the Rideau River, a tranquil spot where he continued his work on computer security research. Although Milan's interests ranged from playing and recording music to fast cars to computers, it was his love of computer security that will be remembered by most who knew him.

It is, therefore, with deep sadness that all of us in the security community wish to extend heartfelt sympathies to his family for their untimely loss.

____________________________________________________________________

Correspondence from the Zurich Information Security Center
March 14, 2003

Dear Colleague

The Zurich Information Security Center (ZISC) is happy to make three announcements:

1. The ZISC Announcements Mailing List
2. The ZISC Fall School on Formal Security Engineering
3. The ZISC Information Security Colloquium

We would appreciate it if you would forward this message to colleagues interested in information security, potentially through mailing lists you are subscribed to. This will allow us to only send messages to parties interested in ZISC events in the future, once they have had a chance to subscribe to the mailing list presented below.

1. The ZISC Announcements Mailing List

The ZISC Announcements mailing list is a moderated, low-traffic mailing list for ZISC-related announcements such as this one. Its main purpose is to inform its subscribers about upcoming events such as talks in a timely manner. You are invited to subscribe to it at http://www.lists.inf.ethz.ch/mailman/listinfo/zisc-announcements

2. The ZISC Fall School on Formal Security Engineering

In late September, the ZISC is organizing a one-week course for scientists and engineers working in the field of information security. The speakers come from both academia and industry, including Freiburg University, the German Research Center for Artificial Intelligence (DFKI), IBM Research, Siemens, SRI International, Sun Microsystems Laboratories, and the Swiss Federal Institute of Technology Zurich (ETHZ). The school is sponsored by the ETHZ. The fee for participants from industry is 1000 Swiss Francs, and there is no fee for participants from academia. Further information, including registration material, can be found at http://www.zisc.ethz.ch/events/fallschool2003.html

3. The ZISC Information Security Colloquium

In the summer semester 2003, we are organizing an information security colloquium with 4 to 6 talks at the ETHZ. The talks are public, free of charge, and require no application. Date, speaker, title, and abstract of the talks can be found at http://www.zisc.ethz.ch/events/istalksss2003.html

Thank you for taking the time to read this message.

Paul E. Sevinç, Zurich Information Security Center

Paul E. Sevinç, Dipl. El.-Ing. ETH
E-Mail: paul.sevinc@inf.ethz.ch
Phones: +41 1 632 7250 (office)
        +41 1 450 8578 (home)
        +41 78 854 1773 (cell)
http://www.infsec.ethz.ch/~sevinc/

____________________________________________________________________

February 21, 2003
Correspondence from Zena Matilde Ariola [ariola@cs.uoregon.edu]:

Summer School on the Foundation of Security
Eugene, Oregon, USA
June 16 - 27, 2003

Organizers:
  Martin Abadi        University of California at Santa Cruz
  Zena M. Ariola      University of Oregon
  Hugo Herbelin       INRIA
  John Mitchell       Stanford University

Scientific committee:
  Luca Cardelli            Microsoft Research, Cambridge
  Pierre-Louis Curien      University of Paris 7
  Robert Harper            Carnegie Mellon University
  Catuscia Palamidessi     INRIA
  Frank Pfenning           Carnegie Mellon University
  Benjamin Pierce          University of Pennsylvania

The summer school on the Foundation of Security is a two-week course for computer scientists and mathematicians interested in formal methods applied to software security. The program runs from Monday, June 16 to Friday, June 27, 2003.

Graduate students who wish to attend should send an application consisting of a short description of their educational background and one letter of reference to summer-school-security@cs.uoregon.edu. We anticipate making available a number of grants to cover travel and lodging costs for qualified graduate students.

For more information see http://www.cs.uoregon.edu/activities/summerschool/summer03/. You can access information (including great pictures!) on last year's summer school at http://www.cs.uoregon.edu/activities/summerschool/summer02/

Preliminary program
- Type Systems: Robert Harper - Carnegie Mellon University
- Inductive Types: Christine Paulin - INRIA
- Linear Logic: Pierre-Louis Curien - University of Paris 7
- Coinduction and bisimulation: Roy L. Crole - University of Leicester
- Formal methods and security: Catherine A. Meadows - Naval Research Laboratory
- Cryptographic Protocols: Cedric Fournet - Microsoft Research, Cambridge
- Language Based Information Security: Steve Zdancewic - University of Pennsylvania
- Typed Assembly Languages and Proof Carrying Code: David Walker - Princeton University
- Global Computing: Vladimiro Sassone - University of Sussex
- Linear Logic and Security: Iliano Cervesato - Naval Research Laboratory

___________________________________________________________________

February 21, 2003
Correspondence from Jamil Farshchi [jfarshch@hq.nasa.gov]:

Hello,

I recently wrote an article about Statistical Intrusion Detection systems. It explains the difference between a Rule-based and Statistical IDS, tells of the benefits of a stat IDS, as well as how to implement one with snort -- This document is currently being posted on the SANS web site but I can write a variation of it (or you can link to it http://www.sans.org/resources/idfaq/statistic_ids.php) if you so choose. I have attached the document for you to review in the event that you or your readers would be interested. I am also working on a wireless (802.11b and 802.11a) security document that may interest you as well.

Thanks,
-jamil

Jamil D. Farshchi
Information Technology Security
NASA Office of Inspector General
Washington, DC 20546
Phone: 202.358.1897
Fax: 202.358.2990

____________________________________________________________________

February 5, 2003
Correspondence from Dr. Gerald Masson, Johns Hopkins University:

The Carolyn and Edward Wenk, Jr.
Lecture in Technology and Public Policy

Date: Tuesday, April 22, 2003
Time: 3-4 PM, reception to follow
Location: Hodson Hall, Room 110, Homewood Campus
Speaker: Ross Anderson, University of Cambridge
Title: "Information Security and Public Policy"
Sponsors: JHU Whiting School of Engineering, Information Security Institute and Department of Computer Science
For info: www.jhuisi.jhu.edu
RSVP: 410-516-4250

____________________________________________________________________
____________________________________________________________________

News Bits contains correspondence, interesting links, non-commercial announcements and other snippets of information the editor thought that Cipher readers might find interesting.

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy, by Anish Mathuria
====================================================================

The Reader's Guide from past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/jobscipher.html

Distributed Systems Architecture Laboratory
France Telecom Research and Development
Grenoble, France
Postdoctoral Research Position on Operating Systems Security for Embedded and Mobile Devices
Position to start on April 15, 2003
Contact: marc.lacoste@rd.francetelecom.com or jeanphilippe.fassino@rd.francetelecom.com

Florida International University
Miami, Florida
Assistant/Associate Professor of Computer Science
Evaluation begins January 9, 2003 and continues until the positions are filled.
http://www.cs.fiu.edu/cgi-bin/portal/index.pl?iid=9668&isa=Bulletin&op=show

The George Washington University
Computer Science Dept.
Washington DC 20052
202 994-4955 fax 202 994-4875
Two full-time security assistant professor faculty positions
Fall 2003 - Open until filled
Contact Prof. Lance J. Hoffman lhoffma1@gwu.edu
http://www.cs.gwu.edu/prospective/faculty2/
GWU is recognized by the National Security Agency as a Center of Academic Excellence in Information Assurance Education

Foundations of Programming Languages Research Group
School of Computer Science, Telecommunications and Information Systems
DePaul University
Chicago, IL, USA
Postdoctoral Research Associate on NSF-funded Trusted Computing project
Cryptyc: Cryptographic Protocol Type Checker
Position to start on 1 January 2003
Details at http://cryptyc.cs.depaul.edu/hiring.html

Information Security Group, Laboratories for Information Technology
Singapore
Postdoc/Associate Research Staff
Cryptography and Information Security
Contact email: baofeng@lit.org.sg

CASE Center
Syracuse University, Syracuse, NY 13244-4100, USA
Visiting SUPRIA position
http://www.ecs.syr.edu/dept/eecs/positions/supria.html

Max-Planck Institute for Computer Science
Saarbruecken, Germany
Postdoc / Research associate position
Areas of particular interest: static program analysis, verification, security, cryptographic protocols, and critical software.
Applications begin immediately.
http://www.mpi-sb.mpg.de/units/nwg1/offers/positions.html

James Madison University, Harrisonburg, VA
Department of Computer Science
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking applications of faculty that specialize in INFOSEC or closely related areas.
http://www.cs.jmu.edu/faculty_openings.htm

Vrije Universiteit, Amsterdam, The Netherlands
Postdoc / Assistant Professor
Internet security. Position is available immediately.
http://www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering
George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security.
Areas of particular interest: Computer security, networking, data mining, and software engineering.
Search will continue until positions are filled.
http://ise.gmu.edu/hire/

Purdue University, West Lafayette, IN
Department of Computer Science
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security and INFOSEC.
Positions beginning August 2000.
http://www.cs.purdue.edu/announce/faculty2001.html

Renesselaer Polytechnic Institute
Troy, NY
Department of Computer Science
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing, and theory.
Positions beginning Fall 2000.
http://www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
http://admwww.epfl.ch/pres/dir_eurecom.html

Florida State University, Tallahassee, FL
Department of Computer Science
Tenure-track positions at all ranks, several positions available.
Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
http://www.cs.fsu.edu/positions

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.
For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

Entered March 15, 2003

Robert H. Deng
Principal Member, Research Staff
Manager, Infocomm Security Department
Institute for Infocomm Research
21 Heng Mui Keng Terrace, Singapore 119613
Tel: (65) 6874-7862
Fax: (65) 6775-5014
E-mail: deng@i2r.a-star.edu.sg
Home page: www.i2r.a-star.edu.sg/icsd/staff/Robert/

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm.

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you. You may pay for Proceedings by credit card or check.
Proceedings of the IEEE Symposium on Security and Privacy

  Year(s)      Format      Price
  2001         Hardcopy    $25.00*
  2000         Hardcopy    $15.00*
  1999         Hardcopy    SOLD OUT
  1998         Hardcopy    $10.00*
  2000-2001    CD-ROM      $25.00*

  * Plus shipping charges

Payment by Check: Please specify the items and quantities that you wish to receive, your shipping address, and the method of shipping (for overseas orders). Mail your order request and a check, payable to the 2002 IEEE Symposium on Security and Privacy, to:

  Terry L. Hall
  Treasurer, IEEE Security and Privacy
  14522 Gravelle Lane
  Florissant, Mo 63034
  U S A

Please include the appropriate amount to cover shipping charges as noted in the table below.

  Domestic shipping:       $4.00 per order for 3 volumes or fewer
  Overseas surface mail:   $6.00 per order for 3 volumes or fewer
  Overseas air mail:       $12 per volume

Credit Card Orders: For a limited time, the TC on Security and Privacy can charge orders to your credit card. Send your order by mail to the address above or send email to terry.l.hall2@boeing.com specifying the items and quantities that you wish to receive, your shipping address, method of shipping (surface or air for overseas orders) along with
  * the name of the cardholder,
  * credit card number, and
  * the expiration date.
Exact shipping charges will be charged to your credit card and included in your receipt. Shipping charges may be approximated from the table above.

IEEE CS Press

You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

The most recent Computer Security Foundation Workshop (CSFW15) took place June 2002 (soon: June 2003). Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each. Copies of earlier proceedings starting with year 3 (1990) are available at $10. Photocopy versions of year 1 are also $10.
Checks payable to Jonathan Herzog for CSFW may be sent to:

  Jonathan Herzog, MS S124
  The MITRE Corporation
  202 Burlington Rd.
  Bedford, MA 01730-1420 USA
  jherzog@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
  Mike Reiter
  Carnegie Mellon University
  ECE Department
  Hamerschlag Hall, Room D208
  Pittsburgh, PA 15213 USA
  (412) 268-1318 (voice)
  reiter@cmu.edu

Past Chair:
  Thomas A. Berson
  Anagram Laboratories
  P.O. Box 791
  Palo Alto, CA 94301
  (650) 324-0100 (voice)
  berson@anagram.com

Vice Chair:
  Heather Hinton
  IBM Software Group - Tivoli
  11400 Burnett Road
  Austin, TX 78758
  (512) 436 1538 (voice)
  hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
  Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department
  Code CS/IC
  Monterey CA 93943-5118
  (408) 656-2461 (voice)
  irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
  David Aucsmith
  Intel Corporation
  EL233 JF2-74
  2111 N.E. 25th Ave
  Hillsboro OR 97124
  (503) 264-5562 (voice)
  (503) 264-6225 (fax)
  awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
  Jonathan Millen
  SRI International
  Computer Science Laboratory
  333 Ravenswood Ave.
  Menlo Park, CA 94025
  (650) 859-2358 (voice)
  (650) 859-2844 (fax)
  millen@csl.sri.com

Newsletter Editor:
  Jim Davis
  Department of Electrical and Computer Engineering
  2413 Coover Hall
  Iowa State University
  Ames, Iowa 50011
  (515) 294-0659 (voice)
  davis@iastate.edu

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #53, March 20, 2003===========