To: cipher@mailman.xmission.com
Subject: IEEE CIPHER, Issue 66, May 17, 2005, Part 2

[Because this issue of Cipher is over 100K bytes, the email version has been split into two parts. This is part 2]

====================================================================
News Briefs
====================================================================
____________________________________________________________________
NITRD Releases PITAC Report
Cyber Security: A Crisis in Prioritization
Contributed by Gene Spafford
____________________________________________________________________

[As a member of the PITAC and a co-author of the report, I strongly encourage people to take time to read this and think about how to help carry out the recommendations. --spaf]

MEDIA ADVISORY
March 18, 2005
Contact: Alan S. Inouye, inouye@nitrd.gov, (703) 292-4540

PRESIDENT'S INFORMATION TECHNOLOGY ADVISORY COMMITTEE RELEASES NEW REPORT
CYBER SECURITY: A CRISIS OF PRIORITIZATION

Vital to the Nation's security and everyday life, the information technology (IT) infrastructure of the United States is highly vulnerable to disruptive domestic and international attacks, the President's Information Technology Advisory Committee (PITAC) argues in a new report. While existing technologies can address some IT security vulnerabilities, fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure.

In Cyber Security: A Crisis of Prioritization, PITAC presents four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure.
PITAC urges the Government to significantly increase support for fundamental research in civilian cyber security in 10 priority areas; intensify Federal efforts to promote the recruitment and retention of cyber security researchers and students at research universities; increase support for the rapid transfer of Federally developed cyber security technologies to the private sector; and strengthen the coordination of Federal cyber security R&D activities.

To request a copy of this report, please complete the form at http://www.nitrd.gov/pubs/, send an e-mail to nco@nitrd.gov, or call the National Coordination Office for Information Technology Research and Development at (703) 292-4873. Cyber Security: A Crisis of Prioritization can also be downloaded as a PDF file by accessing the link at http://www.nitrd.gov/pubs/.

____________________________________________________________________
CERT Issues Report on Insider Sabotage
contributed by Sven Dietrich
____________________________________________________________________

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

This report, http://www.cert.org/archive/pdf/insidercross051105.pdf , the second in a series presenting research conducted by the U.S. Secret Service and CERT, analyzes insider incidents across critical infrastructure sectors in which the insider's primary goal was to sabotage some aspect of the organization or to direct specific harm towards an individual.

An executive summary is available at: http://www.cert.org/insider_threat/insidercross.html

____________________________________________________________________
Special to Cipher
Recent IETF Progress in Standardizing the SSH Protocol
by Chris Lonvick (Cisco) and Russ Housley (Vigilsec, LLC)
____________________________________________________________________

SSH is a protocol for secure remote login and other secure network services.
It was originally designed as a secure replacement for the rsh (remote shell) protocol and application. SSH has been extended in many ways and now includes capabilities to multiplex and tunnel arbitrary TCP ports. Over the years, SSH has gained in popularity, and it has eclipsed telnet as the way to access and administer remote devices.

The original SSH protocol, widely known as SSHv1, was never formally documented so the IETF SecSH Working Group came together to produce a backwards-compatible upgrade to SSHv1. The new protocol, known as SSHv2, consists of three major components: the transport layer protocol, the user authentication protocol, and the connection protocol.

Extensibility was one of the major goals in developing this new protocol suite. As a result, it is easy to add new ciphers, MACs and key exchange algorithms. Additional standard ones will be documented in future RFCs; however, anyone can add their own without going through the IETF process. This was accomplished by fully defining the namespace for the ciphers, MACs and key exchange algorithms. The mandatory-to-implement ones are defined in the recently approved documents, and instructions for the addition of new ones are defined in the Assigned Numbers document [SSH-NUMBERS].

The SSH protocol is described in a set of core documents. The first document, the Architecture document [SSH-ARCH], lays out the overall architecture for the SSH protocol and its application interfaces. A significant portion of this document deals with security considerations. Since SSHv1 has been available for many years, a great quantity of empirical knowledge/evidence was accumulated and placed in this document so that both implementors and people deploying SSH would know of the potential problems and pitfalls. To users, the major problem is in the distribution of the server key. This is significant since the acceptance of SSH is widely attributed to its ease-of-use.

The Transport Layer Protocol [SSH-TRANS] provides server authentication, confidentiality, and integrity. It may optionally also provide compression. The transport layer typically runs over a TCP connection, but it could use any reliable data stream. It is essential that this protocol be initiated first. The other layers depend on its security services.

To achieve the extensibility goal, textual namespaces are used for all exchanged or negotiated parameters. For example, an SSH server proposes encryption algorithms in a comma-delimited list. With the currently defined ciphers, this list may be:

    3des-cbc,aes128-cbc,blowfish-cbc

A non-standard encryption algorithm name is easily added to the list, but it must be differentiated from the standard ones by the inclusion of the "@" character. Let's say that Chuck Babbage of Example Corporation creates a new cipher that he calls chukscipher. Mr. Babbage can add this encryption algorithm to the proposal list as chukscipher@example.com, allowing the server to propose a list like:

    3des-cbc,aes128-cbc,chukscipher@example.com,blowfish-cbc

The client can search for matches, selecting the most preferred alternative that meets local policies. If the client does not recognize chukscipher, it is simply ignored. Yet, any SSH client that recognizes and implements chukscipher can elect to use it.

The Transport Layer Protocol document also specifies a negotiation method for SSHv1 and SSHv2 implementations to interoperate. However, in many cases, this interoperability is not desired for local policy reasons.

The User Authentication Protocol [SSH-USERAUTH] authenticates the client-side user to the server. It runs over the transport layer protocol. There are some mandatory-to-implement authentication methods, and new authentication methods may be defined in future RFCs. Private use authentication methods may be defined by any practitioner.
As an example, let's say that a new authentication method called macarena is devised by another group at Example Corporation. The server could propose the list of user authentication methods like:

    publickey,password,macarena@example.com

If the macarena method is selected and the user successfully performs Macarena authentication, then access will be granted.

The Connection Protocol [SSH-CONNECT] runs over the user authentication protocol, and it multiplexes the protected tunnel into logical channels. The two primary uses of this protocol are interactions with applications on the server and port forwarding for virtual private networking. Remote shell operations (remote interactive shell and remote command execution) use the "session" channel type. Secure X11 operations are performed through the "x11" channel type. The "forwarded-tcpip" and "direct-tcpip" channel types provide virtual private network access.

The publication of these core documents as RFCs is eagerly awaited by the Internet community. The IETF SecSH Working Group is building on this foundation. Among others, an authentication method that uses X.509v3 certificates, a file transfer service, and a means to convey BREAK through an SSH session are being developed. SSH is also being viewed as a secure transport by other IETF Working Groups. For example, the Network Configuration Working Group (netconf) has selected SSH to fulfill their security requirements.

For more information, contact Chris Lonvick (clonvick@cisco.com) or Russ Housley (housley@vigilsec.com).
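
The name-list handling described above for ciphers and for authentication methods, as an added example (not part of the original article and not taken from any SSH implementation). The function names and the client preference lists are constructed for illustration; the example assumes the SSHv2 naming rules (printable US-ASCII names of at most 64 characters, a single "@" separating a private name from its domain) and the rule that the first name in the client's preference order that the server also offers is selected.

```python
import re

MAX_NAME_LEN = 64  # assumed limit from the SSHv2 naming conventions

# Printable US-ASCII without space, comma or DEL; comma is the list separator.
_NAME_RE = re.compile(r"[\x21-\x2b\x2d-\x7e]+")


def classify_name(name):
    """Return 'standard' for an IETF-assigned name, 'private' for name@domain."""
    if len(name) > MAX_NAME_LEN or not _NAME_RE.fullmatch(name):
        raise ValueError(f"malformed algorithm name: {name!r}")
    if "@" not in name:
        return "standard"
    local, _, domain = name.partition("@")
    # Exactly one "@" with something on both sides of it.
    if not local or not domain or "@" in domain:
        raise ValueError(f"malformed private name: {name!r}")
    return "private"


def parse_name_list(wire):
    """Split a comma-delimited proposal into validated names, order preserved."""
    if wire == "":
        return []
    names = wire.split(",")
    for name in names:
        classify_name(name)  # raises on empty or malformed entries
    return names


def negotiate(client_prefs, server_wire, allow_private=True):
    """Pick the first client preference that the server also offers.

    Names in the server's proposal that the client does not list are never
    looked at, so an unrecognized private algorithm is simply ignored.
    allow_private=False models a local policy that refuses name@domain
    algorithms even when both sides implement them.
    """
    offered = set(parse_name_list(server_wire))
    for name in client_prefs:
        if classify_name(name) == "private" and not allow_private:
            continue
        if name in offered:
            return name
    return None  # no common name: the caller must abort, not fall back


# Server proposals quoted in the article.
SERVER_CIPHERS = "3des-cbc,aes128-cbc,chukscipher@example.com,blowfish-cbc"
SERVER_AUTH = "publickey,password,macarena@example.com"

# Constructed client preference lists (most preferred first).
STOCK_CLIENT = ["aes128-cbc", "3des-cbc"]
EXAMPLE_CORP_CLIENT = ["chukscipher@example.com", "aes128-cbc"]

if __name__ == "__main__":
    print(negotiate(STOCK_CLIENT, SERVER_CIPHERS))
    print(negotiate(EXAMPLE_CORP_CLIENT, SERVER_CIPHERS))
    print(negotiate(EXAMPLE_CORP_CLIENT, SERVER_CIPHERS, allow_private=False))
    print(negotiate(["macarena@example.com", "publickey"], SERVER_AUTH))
```

A policy flag such as allow_private is where a deployment would refuse vendor-defined algorithms it has not reviewed, and a None result should end the connection.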

[SSH-ARCH] draft-ietf-secsh-architecture-22.txt
[SSH-CONNECT] draft-ietf-secsh-connect-25.txt
[SSH-NUMBERS] draft-ietf-secsh-assignednumbers-12.txt
[SSH-TRANS] draft-ietf-secsh-transport-24.txt
[SSH-USERAUTH] draft-ietf-secsh-userauth-27.txt

____________________________________________________________________
Seattle Intelligencer Reports on Security Study Announced at RSA Conference
Funding by Microsoft Revealed
March 23, 2005
____________________________________________________________________

http://seattlepi.nwsource.com/business/217538_msftstudy25.html

Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.'

____________________________________________________________________
DARPA Shifts Research Horizons
From the Chronicle for Higher Education
May 13, 2005
Contributed by Richard Schroeppel
____________________________________________________________________

The House Science Committee this week discussed the Defense Advanced Research Projects Agency's (DARPA) research priorities. DARPA is shifting its focus from basic research to projects with more immediate results. Anthony J. Tether, director of DARPA, deflected criticism of the agency's cybersecurity funding by saying that such projects were, in fact, being funded. He also offered his opinion that computer science research was funded from other allocations, notably microelectronics.

Chronicle of Higher Education, 13 May 2005 (sub.
req'd) http://chronicle.com/prm/daily/2005/05/2005051301t.htm

-------------------------------------------------------------------
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Conference and Workshop Announcements
====================================================================
____________________________________________________________________
Cipher Event Calendar
The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
____________________________________________________________________

Date (Month/Day/Year), Event, Location, web page for more info.

5/17/05- 5/18/05: Workshop on Critical Information Infrastructures, Linkoping, Sweden http://www.ida.liu.se/conferences/CIIW05/
5/22/05- 5/26/05: Eurocrypt Conference, Aarhus, Denmark http://www.brics.dk/eurocrypt05/
5/24/05- 5/25/05: Workshop on Security In Information Systems, Miami Beach, FL http://www.iceis.org/workshops/wosis/wosis2005-cfp.html
5/25/05: Computer Network Forensics Research Workshop, Athens, Greece; Submissions are due http://www.ece.iastate.edu/cnfr/
5/30/05: Workshop on Wireless Mobile Applications and Services on WLAN Hotspots, Cologne, Germany; Submissions are due http://wmash2005.ece.iastate.edu
5/30/05- 6/ 1/05: Workshop on Privacy Enhancing Technologies, Dubrovnik, Croatia http://petworkshop.org/2005/
5/31/05: International School on Foundations of Security Analysis and Design, Cologne, Germany; Submissions are due http://www.sti.uniurb.it/events/fosad
---------------
6/ 1/05: Workshop on Security Issues in Concurrency, San Francisco, CA; Submissions are due, http://www.zurich.ibm.com/~mbc/secco05/ information: secco05-chairs-public@zurich.ibm.com
6/ 1/05: Digital Forensics Research Workshop, New Orleans, LA; Submissions are due http://www.dfrws.org
6/ 1/05- 6/ 3/05: Symposium on Access Control Models and Technologies,
Stockholm, Sweden http://www.sacmat.org/
6/ 2/05- 6/ 4/05: Workshop on the Economics of Information Security, Cambridge, MA http://www.infosecon.net/workshop/index.html
6/ 3/05: Workshop on Formal Methods in Security Engineering From Specifications to Code, Fairfax, VA; Submissions are due http://www.ti.informatik.uni-kiel.de/~kuesters/FMSE05/
6/ 6/05: FloCon 2005 Analysis Workshop, New Orleans, LA; Submissions are due http://www.cert.org/flocon/
6/ 6/05- 6/ 8/05: Workshop on Policies, Stockholm, Sweden http://www.sics.se/policy2005/
6/ 6/05- 6/ 8/05: Information Hiding Workshop, Barcelona, Spain http://kison.uoc.edu/IH05
6/ 6/05- 6/ 9/05: Workshop on Security in Distributed Computing Systems, Columbus, OH http://securityworkshop.ece.iastate.edu
6/ 7/05- 6/10/05: Applied Cryptography and Network Security, New York City, NY http://acns2005.cs.columbia.edu/cfp.html
6/10/05: Workshop on Wireless Security, Cologne, Germany; Submissions are due http://www.ee.washington.edu/research/nsl/wise2005
6/10/05: Workshop on Quality of Protection, Milano, Italy; Submissions are due http://dit.unitn.it/~qop/
6/13/05: Workshop on Trust, Security and Privacy for Ubiquitous Computing; Taormina, Italy http://www.iit.cnr.it/TSPUC2005/
6/13/05: Workshop on Security and Trust Management, Milano, Italy; Submissions are due http://www-rocq.inria.fr/arles/events/STM2005/index.html
6/15/05: HICSS-39: Security and Survivability in Unbounded Networked Systems Minitrack, Kauai, Hawaii; Submissions are due http://www.cs.uidaho.edu/~krings/HICSS39.htm
6/15/05: Workshop on Digital Rights Management Impact on Consumer Communications, Las Vegas, NV; Submissions are due http://www.ieee-ccnc.org/2006/conf_program/drm_workshop/index.htm
6/15/05: Workshop on Systematic Approaches to Digital Forensic Engineering, Taipei, Taiwan; Submissions are due http://conf.ncku.edu.tw/sadfe/index.htm
6/15/05- 6/17/05: Information Assurance Workshop, West Point, NY http://www.itoc.usma.edu/workshop/2005/
6/16/05:
Cryptography and Network Security, Xiamen, China; Submissions are due http://math.fjnu.edu.cn/cans
6/20/05: Workshop on Protection by Adaptation, Kuala Lumpur, Malaysia; Submissions are due http://www.iiwas.org/workshops/pba-2005/
6/20/05- 6/22/05: 18th Computer Security Foundations Workshop, Aix-en-Provence, France http://www.lif.univ-mrs.fr/CSFW18/
6/23/05: Workshop on Rapid Malcode (WORM), Fairfax, VA; Submissions are due http://www1.cs.columbia.edu/~angelos/worm05/
6/23/05- 6/24/05: ECRYPT Workshop on Hash Functions, Krakow, Poland http://www.impan.gov.pl/BC/05Hash.html
6/23/05- 6/24/05: Workshop on the link between formal and computational models, Paris, France (no refereed papers) http://www.loria.fr/~cortier/workshop.html
6/24/05: Workshop on Wireless and Sensor Networks Security, Washington DC; Submissions are due http://www.cs.wcupa.edu/~zjiang/wsns05.htm
6/28/05- 7/ 1/05: Dependable Systems and Networks, Yokohama, Japan http://www.dsn.org/
6/29/05- 7/ 1/05: Applications and Services in Wireless Networks, Paris, France http://int-evry.fr/aswn2005/
6/29/05- 7/ 1/05: Information Security South Africa Conference, Gauteng Region (Johannesburg), South Africa http://www.infosecsa.co.za
6/30/05: Conference on Distributed Computing & Internet Technology, Bhubaneswar, India; Submissions are due http://www.cse.iitk.ac.in/~rkg/ICDCIT05/
---------------
7/ 1/05: Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, VA; Submissions are due http://discovery.csc.ncsu.edu/SASN05/
7/ 4/05- 7/ 6/05: Australasian Conference on Information Security and Privacy, Brisbane, Australia http://www.isrc.qut.edu.au/events/acisp2005/
7/ 6/05- 7/ 8/05: Symposium on Usable Privacy and Security, Pittsburgh, PA http://cups.cs.cmu.edu/soups/
7/ 6/05- 7/ 8/05: Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Vienna, Austria http://www.dimva.org/dimva2005/
7/11/05: Storage Security and Survivability Workshop, Fairfax, VA; Submissions are due
http://www.ncassr.org/projects/storage-sec/storageSS-2005/
7/11/05- 7/15/05: Colloquium on Automata, Languages and Programming, Lisboa, Portugal http://icalp05.di.fct.unl.pt/
7/14/05- 7/15/05: European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Budapest, Hungary http://www.crysys.hu/ESAS2005/
7/15/05: Cryptographic Hash Workshop, Gaithersburg, MD; Submissions are due http://www.nist.gov/hash-function
7/16/05: Workshop on Automated Reasoning for Security Protocol Analysis, Lisboa, Portugal http://www.avispa-project.org/arspa
7/18/05- 7/19/05: Workshop on Formal Aspects in Security & Trust, Newcastle, UK http://www.iit.cnr.it/FAST2005
7/19/05: Workshop on Rigorous Engineering of Fault-Tolerant Systems, Newcastle, UK http://www.csr.ncl.ac.uk/fm05/main_workshops.php?mode=info&language=english&workshop=10
7/20/05- 7/22/05: Workshop on Security in Networks and Distributed Systems, Fukuoka, Japan http://www.comp.polyu.edu.hk/SNDS05/
7/20/05- 7/22/05: Audio- and Video-based Biometric Person Authentication Conference, Tarrytown, NY http://biometrics.cse.msu.edu/avbpa2005.html
7/21/05- 7/22/05: Conference on Email and Anti-spam, Palo Alto, CA http://www.ceas.cc
7/24/05: Workshop on Privacy-Enhanced Personalization, Edinburgh, Scotland http://www.ics.uci.edu/~kobsa/PEP05
---------------
8/ 1/05: SKLOIS Conference on Information Security and Cryptology, Beijing, China; Submissions are due http://www.is.iscas.ac.cn/cisc/index.htm
8/ 1/05- 8/ 5/05: 14th USENIX Security Symposium, Baltimore, MD http://www.usenix.org/events/sec05/cfp/
8/11/05- 8/12/05: Workshop on Selected Areas in Cryptography, Ontario, Canada http://www.ece.queensu.ca/sac2005/
8/14/05- 8/18/05: CRYPTO 2005, Santa Barbara, CA http://www.iacr.org/conferences/c2005/index.html
8/21/05- 8/22/05: Workshop on Security Issues in Concurrency, San Francisco, CA http://www.zurich.ibm.com/~mbc/secco05/
8/22/05- 8/26/05: Conference on Trust, Privacy, and Security in Digital Business, Copenhagen, Denmark
http://www-ifs.uni-regensburg.de/trustbus05/
---------------
9/ 2/05- 9/ 3/05: Workshop on Secure Data Management, Trondheim, Norway http://www.extra.research.philips.com/sdm-workshop/sdm05.html
9/ 5/05- 9/ 9/05: Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece http://www.securecomm.org
9/ 5/05- 9/ 9/05: SECOVAL Workshop: The Value of Security through Collaboration, Athens, Greece http://www.secoval.org
9/ 7/05- 9/ 9/05: Symposium on Recent Advances in Intrusion Detection, Seattle, Washington http://www.conjungi.com/RAID/conf web page
9/14/05- 9/16/05: 10th European Symposium on Research in Computer Security, Milan, Italy http://esorics05.dti.unimi.it/
9/19/05- 9/21/05: Workshop on Elliptic Curve Cryptography, Copenhagen, Denmark http://www.cacr.math.uwaterloo.ca/conferences/2005/ecc2005/announcement.html
9/19/05- 9/21/05: 9th IFIP TC-6 TC-11 Conference on Communications and Multimedia Security, Salzburg, Austria http://cms2005.sbg.ac.at/call.html
9/20/05- 9/22/05: Information Security Conference, Singapore http://www.sait.fsu.edu/madnes/cfp.shtml
9/20/05- 9/23/05: Secure Mobile Ad-hoc Networks and Sensors workshop, Singapore http://isc05.i2r.a-star.edu.sg/
9/20/05- 9/23/05: New Security Paradigms Workshop, Lake Arrowhead, CA http://www.nspw.org
9/21/05- 9/23/05: Workshop for Applied PKI, Singapore http://iwap05.i2r.a-star.edu.sg/
9/24/05- 9/28/05: Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security, St.
Petersburg, Russia http://space.iias.spb.su/mmm-acns05/
9/28/05- 10/ 1/05: Conference on Cryptology in Malaysia, Kuala Lumpur, Malaysia http://www.niser.org.my/mycrypt2005/
---------------
10/15/05: Security in Pervasive Computing, York, UK; Submissions are due http://www.cs.york.ac.uk/security/spc-2006/spc-2006-cfp.html
10/26/05: Workshop on Visualization for Computer Security, Minneapolis, MN http://www.cs.ucdavis.edu/~ma/VizSEC05/
---------------
11/ 7/05- 11/11/05: Conference on Computer and Communications Security, Alexandria, VA http://www.acm.org/sigsac/ccs/
11/ 8/05- 11/11/05: Symposium on Software Reliability Engineering, Chicago, IL http://rachel.utdallas.edu/issre
11/30/05- 12/ 2/05: Conference on Automated Production of Cross Media Content for Multi-channel Distribution, Florence, Italy http://www.axmedis.org/axmedis2005/call4papers.html

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
New since last Cipher issue
The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
____________________________________________________________________

International Journal of Wireless and Mobile Computing (IJWMC), Special Issue on Security of Computer Network and Mobile Systems, Issue 1, 2006.
(Submission due 1 June 2005)

Guest editors: Feng Bao (Institute for Infocomm Research, Singapore), Colin Boyd (QUT, Australia), Dieter Gollmann (TU Hamburg, Germany), Kwangjo Kim (ICU, Korea), Kaoru Kurosawa (Ibaraki Univ., Japan), Masahiro Mambo (Tsukuba Univ., Japan), Chris Mitchell (RHUL, UK), Yi Mu (Univ. of Wollongong, Australia), Phillip Rogaway (UC Davis, USA), Willy Susilo (Univ. of Wollongong, Australia), Vijay Varadharajan (Macquarie Univ., Australia), Moti Yung (Columbia Univ., USA), and Fangguo Zhang (Sun Yat-Sen Univ., China)

Computer networks play an important role in connecting resources and people.
Advances of computer technology have been pushing forward computer networks for high speed and broad bandwidth. Security must be enforced to suit the emerging technologies. With the emergence of wireless technologies, such as IEEE 802.11 and Bluetooth, mobile users are enabled to connect to each other wirelessly. It can be realized with or without any networking infrastructure (ad-hoc mode). Wireless access networks are rapidly becoming a part of our everyday life. However, the security concerns remain a serious impediment to widespread adoption. The underlying radio communication medium for wireless network provides serious exposure to attacks against wireless networks. Research on security in computer networks and mobile systems covers many issues. There are many open issues to be solved. Areas of interest for this special journal issue include, but are not limited to, the following topics:

- Ad hoc network security
- Authentication in network and wireless systems
- Cryptographic algorithms and applications
- Denial of service
- Distributed system security
- Encryption in network and wireless systems
- Fast cryptographic algorithms and their applications
- Firewall and distributed access control
- Identity-based cryptography in network and mobile applications
- Intrusion Detection and Response
- Key management
- Multicast security
- Mobile Communications Security
- Privacy Protection
- Wireless security and algorithms
- Secure routing protocols
- Security in Peer-to-Peer networks

For more information, please see http://www.sitacs.uow.edu.au/ijwmc/.

____________________________________________________________________
CNFR 2005 Computer Network Forensics Research Workshop, Held in conjunction with the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks (SECURECOMM 2005), Athens, Greece, September 5-9, 2005.
(Submissions due 25 May 2005) [posted here 3/5/05]

The First Computer Network Forensics Research Workshop will bring together researchers and practitioners of computer network forensics to further define and refine the field while sharing their research results. Goals of CNFR '05 are (a) disseminate new and in-progress research in network forensics, (b) define Network Forensics as an area, how it relates to other areas and what new problems are to be faced, and (c) build a community of those interested in network forensics. Topics of interest to the workshop include, but are not limited to:

- Defining/Modeling Network Forensics
- Legal/Practical Challenges to Network Evidence
- Application of Traditional Security Tools
- Network Forensics Architectures
- Traceback & Attribution
- Evidence Collection/Storage
- International/Internet Legal Issues/Case Studies
- Problems with Use of Traditional Network Tools
- Law Enforcement/Legal Perspectives
- Other Digital Forensics-related Research

For more information, please see http://www.ece.iastate.edu/cnfr/.

____________________________________________________________________
WMASH 2005 3rd ACM International Workshop on Wireless Mobile Applications and Services on WLAN Hotspots, Held in conjunction with ACM MOBICOM 2005, Cologne, Germany, September 2, 2005.
(Submission due 30 May 2005) [posted here 3/4/05]

The goal of the workshop is to address and discuss the technical and business challenges, ideas, views, and research results in providing public wireless Internet services and applications for nomadic users in small, highly-populated, public spaces (wireless LANs and "hotspots"). We are specifically interested in work dealing with network layer and above (layers 3-7). However, cross-layer solutions including MAC interaction as well as ESS management via IAPP are welcome.
Within the context of interest to this workshop, a list of topics includes, but is not limited to:

- Applications and services
- New service and business models
- Public WLAN and hotspot architectures
- Community-owned WLAN infrastructures
- WLAN-based ad-hoc network service creation and management
- Metro-area hotspots using 802.11/802.16 mesh
- Multi-radio mesh node designs
- Self-configuring mesh networks for public hotspots
- Mobile routers for transient, portable hotspots
- Application case studies of mobile routers
- Interworking with other wireless systems, e.g., 3G, 802.16
- Mobility, roaming, and handoff management
- Context-aware services and technologies
- Location-aware applications and services
- Multimedia wireless applications, e.g., Voice over WLAN (VoWLAN)
- Authentication, accounting, billing and payment issues
- Security and privacy in public WLANs
- Middleware support
- Service location and discovery
- Traffic measurements and modeling
- Case studies on deployed platforms and experimental testbeds

For more information, please see http://wmash2005.ece.iastate.edu.

____________________________________________________________________
SecCo 2005 3rd International Workshop on Security Issues in Concurrency, San Francisco, CA, USA, August 21-22, 2005.
(Submissions due 1 June 2005) [posted here 5/10/05]

The 3rd International Workshop on Security Issues in Concurrency (SecCo'05) follows the success of SecCo'03 (held in conjunction with ICALP'03) and SecCo'04 (held in conjunction with CONCUR'04). New networking technologies require the definition of models and languages adequate for the design and management of new classes of applications. Innovations are moving in two directions: on the one hand, the Internet which supports wide area applications, on the other hand, smaller networks of mobile and portable devices which support applications based on a dynamically reconfigurable communication structure.
In both cases, the challenge is to develop applications while at design time there is no knowledge of the availability and/or location of the involved entities. Coordination models, languages and middlewares, which advocate a distinct separation between the internal behaviour of the entities and their interaction, represent a promising approach. However, due to the openness of these systems, new critical aspects come into play, such as the need to deal with malicious components or with a hostile environment. Current research on network security issues (e.g. secrecy, authentication, etc.) usually focuses on opening cryptographic point-to-point tunnels. Therefore, the proposed solutions in this area are not always exploitable to support the end-to-end secure interaction between entities whose availability or location is not known beforehand. Topics of interest include, but are not limited to:

- authentication
- integrity
- privacy
- confidentiality
- access control
- denial of service
- service availability
- safety aspects
- fault tolerance

in

- coordination models
- web service technology
- mobile ad-hoc networks
- agent-based infrastructures
- peer-to-peer systems
- global computing
- context-aware computing
- ubiquitous/pervasive comp
- component-based systems

For more information, please see http://www.zurich.ibm.com/~mbc/secco05/.

____________________________________________________________________
DFRWS 2005 5th Annual Digital Forensics Research Workshop, New Orleans, LA, USA, August 17-19, 2005.
(Submissions due 1 June 2005) [posted here 5/2/05]

The purpose of this workshop is to bring together researchers, practitioners, and educators interested in digital forensics. We welcome the participation of people in industry, government, law enforcement, and academia who are interested in advancing the state of the art in digital forensics by sharing their results, knowledge, and experiences. We are looking for research papers, demo proposals, and panel proposals.
Major areas of interest include, but are not limited to, the following topics:

- Incident response and live analysis
- OS, application, and multimedia analysis
- File system analysis
- Physical analysis (magnetic, optical, electrostatic, etc.)
- Memory analysis
- Network forensics
- Traceback and attribution
- Data hiding and recovery
- Event reconstruction
- Large-scale investigations
- Data mining techniques
- Tool testing and development
- Legal issues
- Case studies and trend reports
- Non-traditional approaches to forensic analysis

For more information, please see http://www.dfrws.org.

____________________________________________________________________
FMSE 2005 3rd ACM Workshop on Formal Methods in Security Engineering From Specifications to Code, Held in conjunction with the 12th ACM Conference on Computer and Communications Security (CCS 2005), Fairfax, VA, USA, November 11, 2005.
(Submissions due 3 June 2005) [posted here 4/18/05]

Information security has become a crucial concern for the commercial deployment of almost all applications and middleware. Despite this commonly recognized fact, the incorporation of security requirements in the software development process is not yet well understood. The deployment of security mechanisms is often done in an ad-hoc manner only, without a formal security specification, often without a thorough security analysis and almost necessarily without a formal security validation of the final product. That is, a process is lacking for making the transition from high-level security models and policies through development to code. We aim to bring together researchers and practitioners from both the security and the software engineering communities, from academia and industry, who are working on applying formal methods to designing and validating large-scale systems.
We are seeking submissions addressing foundational issues in:

- security specification techniques
- formal trust models
- combination of formal techniques with semi-formal techniques like UML
- formal analyses of specific security properties relevant to software development
- security-preserving composition and refinement of processes
- faithful abstractions of cryptographic primitives and protocols in process abstractions
- integration of formal security specification, refinement and validation techniques in development methods and tools

For more information, please see http://www.ti.informatik.uni-kiel.de/~kuesters/FMSE05/.

____________________________________________________________________
FloCon 2005 2nd Annual FloCon 2005 Analysis Workshop, New Orleans, Louisiana, USA, September 20-22, 2005.
(Submissions due 6 June 2005) [posted here 2/14/05]

FloCon is an open workshop that provides a forum for researchers, operational analysts, and other parties interested in the security analysis of large volumes of traffic to develop the next generation of flow-based analysis. Flow is an abstraction of network traffic in which packets are grouped together by common attributes over time. In security, flow has been used to survey and analyze large networks and long periods of time, but the field is still in its infancy. FloCon 2005 will have an active workshop structure: our goal is to have presentations coupled with working breakout sessions on specific topics. Based on submissions and suggestions, we will develop a three-day track.
Appropriate topics include, but are not limited to, the following: - Experience reports in flow analysis - Operational security analysis using flows - Advanced flow analysis techniques - Expanding the flow format for security needs - Integrating flows into other security analysis - Facilitating data sharing/public repositories - Flow collection technologies - Network traffic modeling for security - Alternative traffic abstracts for services For more information, please see http://www.cert.org/flocon/. ____________________________________________________________________ WiSe 2005 ACM Workshop on Wireless Security, Held in conjunction with ACM MobiCom 2005, Cologne, Germany, August 28 - September 2, 2005. (Submissions due 10 June 2005) [posted here 4/11/05] The objective of this workshop is to bring together researchers from research communities in wireless networking, security, applied cryptography, and dependability; with the goal of fostering interaction. With the proliferation of wireless networks, issues related to secure and dependable operation of such networks are gaining importance. Topics of interest include, but are not limited to: - Key management in wireless/mobile environments - Trust establishment - Computationally efficient primitives - Intrusion detection, detection of malicious behavior - Revocation of malicious parties - Secure PHY/MAC/routing protocols - Secure location determination - Denial of service - User privacy, location privacy - Anonymity, prevention of traffic analysis - Dependable wireless networking - Identity theft and phishing in mobile networks - Charging in wireless networks - Cooperation in wireless networks - Vulnerability modeling - Incentive-aware secure protocol design - Jamming - Monitoring and surveillance For more information, please see http://www.ee.washington.edu/research/nsl/wise2005. 
____________________________________________________________________ QoP 2005 1st Workshop on Quality of Protection, Held in conjunction with ESORICS 2005 and METRICS 2005, Milano, Italy, September 15, 2005. (Submissions due 10 June 2005) [posted here 4/29/05] Information Security in Industry has matured in the last few decades. Standards such as ISO17799, the Common Criteria (ISO15408), a number of industrial certification and risk analysis methodologies have raised the bar on what is considered a good security solution from a business perspective. However, even a fairly sophisticated standard such as ISO17799 has an intrinsically qualitative nature. Notions such as Security Metrics, Quality of Protection (QoP) or Protection Level Agreement (PLA) have surfaced in the literature but still have a qualitative flavour. The QoP Workshop intends to discuss how security research can progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, Software Reliability, or Software Measurements and Metrics in Empirical Software Engineering. Topics of interest include, but are not limited to: - Industrial Experience - Security Risk Analysis - Security Quality Assurance - Measurement-based decision making and risk management - Empirical assessment of security architectures and solutions - Mining data from attacks and vulnerabilities repositories - Security metrics - Measurement theory and formal theories of security metrics - Security measurement and monitoring - Experimental verification and validation of models - Simulation and statistical analysis, stochastic modeling - Reliability analysis For more information, please see http://dit.unitn.it/~qop/. ____________________________________________________________________ STM 2005 1st International Workshop on Security and Trust Management, Held in conjunction with ESORICS 2005, Milano, Italy, September 15, 2005. 
(Submissions due 13 June 2005) [posted here 5/10/05] STM (Security and Trust Management) is a recently established working group of ERCIM (European Research Consortium in Informatics and Mathematics). It is planned to organize STM workshops on a yearly basis. This will be the first workshop in this series. The focus of this first workshop will coincide with the research topics of the STM working group. These comprise: - To investigate the foundations and applications of security and trust in ICT - To study the deep interplay between trust management and common security issues such as confidentiality, integrity and availability - To identify and promote new areas of research connected with security management, e.g. dynamic and mobile coalition management (e.g., P2P, MANETs, Web/GRID services) - To identify and promote new areas of research connected with trust management, e.g. reputation, recommendation, collaboration etc. - To provide a platform for presenting and discussing emerging ideas and trends. The topics of interest of this workshop include but are not limited to: - Rigorous semantics and computational models for security and trust - Security and trust management architectures, mechanisms and policies - Networked systems security - Privacy and anonymity - Identity management - ICT for securing digital as well as physical assets - Cryptography For more information, please see http://www-rocq.inria.fr/arles/events/STM2005/index.html. ____________________________________________________________________ HICSS-39 Security Minitrack 2005 Security and Survivability in Unbounded Networked Systems Minitrack, Part of the Software Technology Track, 39th Hawai'i International Conference on System Sciences (HICSS-39), Kauai, Hawaii, USA, January 4-7, 2006. 
(Submissions due 15 June 2005) [posted here 3/14/05] This minitrack addresses issues of security and survivability in large, non-trivial, unbounded networked computer systems, with an emphasis on recovery and adaptation. It considers systems and networks, including dynamic paradigms based on migratory agents, ad-hoc networks or grid computing. Papers on resistance and recognition that address the need or capability for safety critical software systems to "fail-safe" and "fail-secure" are also desired. Submissions will be sought from researchers in the area of system survivability, software dependability, computer and network security, fault-tolerance and intrusion tolerance, and economic or statistical modeling of secure/survivable systems. Topics include, but are not limited to: - Survivability in unbounded systems - Software survivability and its measurement - Safety critical failure modes - Network or system intrusion tolerance - Tolerating attacks in grid computing - Modeling malicious behavior or attacks - Survivability and security issues of mobile agent based systems - Survivability and security issues of ad-hoc networks - Models for verification of vulnerability to malicious acts - Models for measurement, evaluation, or validation of survivability - Software and hardware fault-tolerance - Design for dependability and/or survivability - PRA & hybrid fault models accounting for malicious acts and events For more information, please see http://www.cs.uidaho.edu/~krings/HICSS39.htm. ____________________________________________________________________ DRM 2005 2nd Workshop on Digital Rights Management Impact on Consumer Communications, Held in conjunction with IEEE Consumer Communications and Networking Conference (CCNC 2006), Las Vegas, Nevada, USA, January 10, 2006. 
(Submissions due 15 June 2005) [posted here 4/22/05] Consumers and consumer electronics are increasingly using the Internet for distribution of digital goods, including digital versions of books, articles, music, and images. The ease with which digital goods can be copied and redistributed makes the Internet well suited for unauthorized copying, modification and redistribution. The rapid adoption of new technologies such as high-bandwidth connections, wireless networks, and peer-to-peer networks is accelerating this process. This half-day workshop on Digital Rights Management Impact on Consumer Communications addresses problems faced by rights holders (who seek to protect their intellectual property rights) and by end consumers (who seek to protect their privacy and to preserve access they now enjoy in traditional media under). The workshop seeks submissions on all theoretical and practical aspects of DRM, as well as experimental studies of fielded systems on topics including, but not limited to, those shown below: - DRM protocols - architectures for DRM systems - interoperability - auditing - business models for online content distribution - copyright-law issues, including but not limited to fair use - digital policy management - information ownership - privacy and anonymity - risk management - robust identification of digital content - security issues, including but not limited to authorization, encryption, tamper resistance, and watermarking - threat and vulnerability assessment - usability aspects of DRM systems - web services - CAPEX, OPEX, TCO examples/estimations/models - computing environments and platforms for DRM (TCP - Trusted Computing Platform) - Implementations and case studies For more information, please see http://www.ieee-ccnc.org/2006/conf_program/drm_workshop/index.htm.
____________________________________________________________________ SADFE 2005 1st International Workshop on Systematic Approaches to Digital Forensic Engineering, Taipei, Taiwan, November 7-10, 2005. (Submissions due 15 June 2005) [posted here 5/12/05] The SADFE (Systematic Approaches to Digital Forensic Engineering) International Workshop is intended to further the advancement of computer forensic engineering by promoting innovative & leading-edge systematic approaches to cyber crime investigation. The workshop brings together top digital forensic researchers, advanced tool/product builders, and expert law enforcement from around the world for information exchange and R&D collaboration. SADFE 2005 solicits broad-based, innovative digital forensic engineering technology, practical experience & process related submissions in the following areas: - Systematic engineering processes & methodologies for computer forensic - Advanced techniques in evidence collection, search, analysis, correlation, handling and preservation - Progressive cyber crime scenario analysis and reconstruction technology - Legal case construction & digital evidence support - Legal and technical collaboration - Legal and technical aspects of tool validation - Courtroom expert witness and case presentation - Intrusion detection systems (IDS) for computer forensic - Forensics of embedded devices (e.g. digicams, cell phones) - Innovative forensic engineering tools and applications - Attack strategy analysis & modeling - Privacy, legal and legislation issues - Monitoring and incident response - Forensic-enabled architectures and processes - Advanced system and application log analysis For more information, please see http://conf.ncku.edu.tw/sadfe/index.htm. ____________________________________________________________________ CANS 2005 4th International Conference on Cryptography and Network Security, Xiamen, Fujian Province, China, December 14-16, 2006. 
(Submissions due 16 June 2005) [posted here 4/22/05] The main goals of this conference are to promote research on all aspects of network security and to build a bridge between research on cryptography and network security. So, we welcome scientific and academic papers that focus on this multidisciplinary area. Topics of interest include: - Denial of Service - Intrusion Detection - Router Security - Spam - Spyware - Scanning - WWW Security - Anonymity and internet voting - Broadcast and Multicast Security - DNS Security - Firewalls - Information Hiding - International Standards - (IP) Spoofing - PKI - Secure E-Mail - Secure protocols, (SSH, SSL, ...) - Security of Ad Hoc Networks - Session Hijacking - Virtual Private Networks - Wireless Security - cryptology For more information, please see http://math.fjnu.edu.cn/cans. ____________________________________________________________________ PBA 2005 International Workshop on Protection by Adaptation, Held in conjunction with the 7th International Conference on Information Integration and Web Based Applications & Services (iiWAS2005), Kuala Lumpur, Malaysia, September 19-21, 2005. (Submissions due 20 June 2005) [posted here 3/9/05] For most people, security refers to cryptographic algorithms, biometric authentication techniques, passwords, etc. Beyond these intuitive notions, security is rather a very broad topic and may be viewed from a variety of other perspectives, including new access control models, software architectures for security systems, and security policies specifications. Emerging applications are subject to a high number of attacks due to the distributed nature of these new environments, mobility of users and devices, services heterogeneity and the different capabilities of devices used to access these services. The aim of this workshop is to encourage the research community to better consider context-based security as a new trend that may face future more subtle security attacks. 
We believe that the force of a good security system should not rely only on the force of security protocols but also on the way it copes with new and completely unpredictable situations, or at least learns from new situations and updates its behavior accordingly. This goal can be reached by making future security solutions freely adaptive. We look for original submissions on the following topics (but not limited to): - Security in mobile, wireless and ad hoc environments - Dynamic security policies - Context-based access control - Context in security - Agile encryption - Artificial intelligence and security - Adaptive security solutions - Middleware for context-based security systems - Conflicting norms issues in security policies - Flexible security architectures for pervasive applications - Security contexts discovery, retrieval, representation and modeling - Modeling users' security profiles - Metrics for evaluating security infrastructures - Testing of adaptive security systems - Software architectures for adaptive security (design patterns, etc) - Adaptive security levels in heterogeneous environments - Enforcing applications security semantics - Metrics for predicting security threats For more information, please see http://www.iiwas.org/workshops/pba-2005/. ____________________________________________________________________ WORM 2005 3rd Workshop on Rapid Malcode (WORM), Held in conjunction with the 12th ACM Conference on Computer and Communications Security (CCS 2005), Fairfax, VA, USA, November 11, 2005. (Submissions due 23 June 2005) [posted here 2/27/05] In the last several years, Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. The vehicles for these outbreaks, malicious codes called "worms", take advantage of the combination of software monocultures and the uncontrolled Internet communication model to quickly compromise large numbers of hosts.
Such worms are increasingly being used as delivery mechanisms for various types of malicious payloads, including remote-controlled "zombies", spyware and botnets. Recent incidents have also revealed the use of new propagation techniques as well as the use of worms to target small user communities or specific applications. Current operational practices have not been able to manage these threats effectively. This workshop continues the efforts of the previous years to provide a forum to bring together ideas, understanding and experiences bearing on the worm problem from a wide range of communities, including academia, industry and the government. We are soliciting papers from researchers and practitioners on subjects including, but not limited to: - Automatic detection and characterization - Reactive countermeasures - Proactive defenses - Threat assessment - Email and web-based malcode - Measurement studies - Testbeds & evaluation - Reverse engineering - Significant operational experiences - Surveys of the field - Analysis of worm construction, current & future - Modeling and analysis of propagation dynamics - Forensic methods of attribution - The combination of different types of malware For more information, please see http://www1.cs.columbia.edu/~angelos/worm05/. ____________________________________________________________________ WSNS 2005 2005 International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 2nd IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2005), Washington DC, USA, November 7-10, 2005. (Submissions due 24 June 2005) [posted here 5/12/05] Wireless networks have experienced an explosive growth during the last few years. Nowadays, there is a large variety of networks spanning from the well-known cellular networks to non-infrastructure wireless networks such as mobile ad hoc networks and sensor networks.
This workshop aims to bring together researchers and practitioners from wireless and sensor networking, security, cryptography, and distributed computing communities, with the goals of promoting discussions and collaborations. We are interested in novel research on all aspects of security in wireless and sensor networks and tradeoff between security and performance such as QoS, dependability, scalability, etc. We are seeking papers that describe original and unpublished contributions addressing various aspects of secured wireless/sensor networks. Topics of interest include, but are not limited to: - Authentication and Access Control - Cryptographic Protocol - Experimental Studies - Key Management - Information Hiding - Intrusion Detection and Response - Privacy and Anonymity - Secure Localization and Synchronization - Security and Performance tradeoff - Security Policy and Enforcement Issues - Security Protocols Design, Analysis and Verification - Secure Routing/MAC - Surveillance and Monitoring - Trust Management For more information, please see http://www.cs.wcupa.edu/~zjiang/wsns05.htm. ____________________________________________________________________ ICDCIT 2005 2nd International Conference on Distributed Computing & Internet Technology, Bhubaneswar, India, December 22-24, 2005. (Submissions due 30 June 2005) [posted here 3/21/05] Mobile communication and Internet technology together have played a key role in connecting people across the globe for sharing and trading information. This information globalization has forced us to think about the integration of applications running at geographically dispersed locations. The spin-off of these developments has led to some interesting and serious research on issues pertaining to distributed computing, web services, system security and software engineering. The ICDCIT series is a forum for interactions of researchers working in the above mentioned areas.
For more information, please see http://www.cse.iitk.ac.in/~rkg/ICDCIT05/. ____________________________________________________________________ SASN 2005 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks, Held in conjunction with the 12th ACM Conference on Computer and Communications Security (CCS 2005), Fairfax, VA, USA, November 7, 2005. (Submissions due 1 July 2005) [posted here 3/10/05] Ad hoc and sensor networks are expected to become an integral part of the future computing landscape. However, these networks introduce new security challenges due to their dynamic topology, severe resource-constraints, and absence of a trusted infrastructure. SASN 2005 seeks submissions from academia and industry presenting novel research on all aspects of security for ad hoc and sensor networks, as well as experimental studies of fielded systems. This one-day workshop builds on the success of SASN 2003 and SASN 2004. Topics of interest include, but are not limited to, the following as they relate to mobile ad hoc networks or sensor networks: - Security under resource constraints (e.g., energy, bandwidth, memory, and computation constraints) - Performance and security tradeoffs - Secure roaming across administrative domains - Key management - Cryptographic Protocols - Authentication and access control - Trust establishment, negotiation, and management - Intrusion detection and tolerance - Secure location services - Secure clock distribution - Privacy and anonymity - Secure routing - Secure MAC protocols - Denial of service - Prevention of traffic analysis For more information, please see http://discovery.csc.ncsu.edu/SASN05/. ____________________________________________________________________ StorageSS 2005 The Storage Security and Survivability Workshop, Held in conjunction with the 12th ACM Conference on Computer and Communications Security (CCS 2005), Fairfax, VA, USA, November 11, 2005. 
(Submissions due 11 July 2005) [posted here 3/25/05] There has been an evolution of protection solutions mirrored in both the security and survivability research communities: (1) from physical protection solutions targeting people, (2) to system protection solutions targeting networked-systems, (3) and now the new emerging paradigm of information-centric solutions targeting the data itself. This workshop focuses on stimulating new ideas in order to reshape storage protection strategies. Clearly storage security and survivability is a complex, multi-dimensional problem with dynamics over time so a large variety of approaches may be appropriate including prevention, monitoring, measurements, mitigation, and recovery. We bring Storage-SS to the ACM CCS 2005 Conference to foster a greater exchange between computer protection researchers/professionals and computer storage researchers/professionals. In this vein, we seek submissions from both research and industry presenting novel ideas on all theoretical and practical aspects of protecting storage systems. Specifically we seek submissions in two distinct paper categories: Regular Paper (12 page maximum) and Work-In-Progress/Short Paper (6 page maximum).
A list of potential topics includes but is not limited to the following: - storage protection tradeoffs - storage protection deployment (including case studies) - smart storage for security/survivability - analysis of covert storage channels - storage leak analysis - mobile storage protection - novel backup protection techniques - storage versioning protection techniques - storage encryption techniques (both key mgmt and crypto algorithms) - tamper-evident storage protection techniques - immutable storage protection techniques - storage threat models - storage intrusion detection systems - storage area network (SAN) security/survivability - security/survivability for storage over a distance - security/survivability with Internet storage service providers - storage security/survivability in an HPC environment For more information, please see http://www.ncassr.org/projects/storage-sec/storageSS-2005/. ____________________________________________________________________ HASH WORKSHOP 2005 Cryptographic Hash Workshop, Gaithersburg, Maryland, USA, October 31 - November 1, 2005. (Submissions due 15 July 2005) [posted here 5/9/05] Recently a team of researchers reported that the SHA-1 function offers significantly less collision resistance than could be expected from a cryptographic hash function of its output size. NIST plans to host a Cryptographic Hash Workshop on Oct. 31-Nov. 1, 2005 to solicit public input in how best to respond to the current state of research in this area. 
The workshop has the following goals: - Assess the status of the current NIST-approved hash functions, i.e., the SHA-256 and SHA-512 families in addition to SHA-1 - Discuss short term actions to mitigate the potential problems with the various applications of the approved hash functions - Discuss the conditions that would warrant an early transition away from any of the approved hash functions - Discuss the potential replacement options for any of the approved hash functions - Clarify the properties of unkeyed cryptographic hash functions required for different applications For more information, please see http://www.nist.gov/hash-function. ____________________________________________________________________ CISC 2005 SKLOIS Conference on Information Security and Cryptology, Beijing, China, December 15-17, 2005. (Submissions due 1 August 2005) [posted here 4/22/05] The SKLOIS conference on information security and cryptology seeks full papers presenting new research results related to cryptology, information security and their applications. Areas of interest include, but are not limited to: - Access Control - Authentication and Authorization - Biometric Security - Distributed System Security - Database Security - Electronic Commerce Security - Intrusion Detection - Information Hiding and Watermarking - Key Management and Key Recovery - Network Security - Security Protocols and Their Analysis - Security Modeling and Architecture - Provable Security - Multiparty Security Computation - Foundations of Cryptography - Secret Key and Public Key Cryptosystems - Implementation of Cryptosystems - Hash Functions and MAC - Modes of Operation - Intellectual Property Protection - Mobile System Security - Operating System Security - Risk Evaluation and Security Certification - Malicious Codes and Prevention For more information, please see http://www.is.iscas.ac.cn/cisc/index.htm. 
____________________________________________________________________ SPC 2006 3rd International Conference on Security in Pervasive Computing, York, UK, April 18-21, 2006. (Submissions due 15 October 2005) [posted here 5/9/05] The security of pervasive computing is a critically important area for commerce, the public sector, academia and the individual citizen. Although pervasive computing presents exciting enabling opportunities, the benefits will only be reaped if security aspects can be appropriately addressed. Threats exploiting vulnerabilities of new kinds of user interfaces, displays, operating systems, networks, and wireless communications give rise to new concerns about loss of confidentiality, integrity, privacy, and availability. How can these risks be reduced to an acceptable level? Original research contributions are sought in all areas relating to the security of pervasive computing. Topics include (but are not restricted to): - Models for access control, authentication and privacy management - Biometric methods in pervasive computing systems - Tradeoffs between security and other criteria (e.g. due to deployment on resource constrained devices) - Protocols for trust management in pervasive computing networks - Analysis of protocols for pervasive computing - Hardware security issues for pervasive computing - Audit and accountability in pervasive systems - Non-technical implications of pervasive computing For more information, please see http://www.cs.york.ac.uk/security/spc-2006/spc-2006-cfp.html.
____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers ____________________________________________________________________ ==================================================================== Conferences and Workshops (the call for papers deadline has passed) ==================================================================== ==================================================================== Listing of academic positions available by Cynthia Irvine ==================================================================== RWTH Aachen University Aachen, Germany Research positions for PhD students or PostDocs Position announcement until filled http://www-i4.informatik.rwth-aachen.de/~mantel -------------- http://cisr.nps.navy.mil/jobscipher.html This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Interesting Links and Reports Available via FTP and WWW ==================================================================== "Reports Available" links from previous issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewReports.html and http://www.ieee-security.org/Cipher/InterestingLinks.html ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1.
To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. 
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Yvo Desmedt BT Chair of Information Security WWW: http://www.cs.ucl.ac.uk/staff/Y.Desmedt/ Main Campus Address: Department of Computer Science University College London Gower Street London WC1E 6BT United Kingdom tel: +44 (20) 7679 0430 fax: +44 (20) 7387 1397 Main Campus Office: Room 8.14, Malet Place Engineering Building, 8th floor Postgraduate Adastral Campus: Adastral Campus UCL, Adastral Park Campus Ross Building Adastral Park Martlesham Heath Ipswich, Suffolk, IP5 3RE United Kingdom Tel: +44 (1473) 66 3709, fax: +44 (1473) 635199 Tom Van Vleck SPARTA Tom.VanVleck @ sparta.com (Several people in the security research community are part of the move of NAI Labs to SPARTA, and they have similar address changes) Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ IEEE Security and Privacy Symposium The 2005 Symposium proceedings are available for $25
plus shipping and handling. The 2004 proceedings are $20 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Hilarie Orman (see below) with the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Past Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+ 1 512 838 0455 (voice)
hhinton@us.ibm.com

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Treasurer:
Tom Chen
Department of Computer Science and Engineering
School of Engineering
Southern Methodist University
P.O. Box 750122
Dallas, TX 75275-0122
(214) 768-8541 (voice)
http://www.engr.smu.edu/~tchen

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
(801) 423-1052 (voice)
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html