Computer Laboratory

Security Group

1998 seminars


8 December 16:15 Realising security policy within the healthcare environment / Steve Furnell, University of Plymouth

Room TP4, Computer Laboratory

Information systems security represents a significant issue within the modern healthcare environment. Information technology now pervades virtually all aspects of operation and care provision, with a consequent need arising to preserve the confidentiality, integrity and availability of systems and data. The security policy is an essential element in ensuring that a consistent approach can be enforced and maintained across the establishment. I will discuss the areas that should be encompassed by any policy, as well as the typical constraints of the healthcare environment that may limit the practical approach. A further important consideration is how to ensure that all staff will know and observe the policy. I will address this through a discussion of security training and awareness initiatives.

The presentation will make significant reference to work that has been conducted at the European level, in particular the ISHTAR (Implementing Secure Healthcare Telematics Applications in Europe) project in which I have been involved under the EU `Telematics Applications for Health' programme.


1 December 16:15 Secure sessions from weak secrets / Bruce Christianson, University of Hertfordshire

Room TP4, Computer Laboratory

Sometimes two parties who share a weak secret k such as a password wish to share a strong secret s such as a session key without revealing information about k to an active attacker. This talk describes some recent work in this direction, carried out jointly with Michael Roe and David Wheeler. We present some new protocols for secure strong secret sharing, including one based on RSA rather than Diffie-Hellman. As well as being simpler and quicker than their predecessors, our protocols also have slightly stronger security properties. In particular, they make no cryptographic use of s and so impose no subtle restrictions upon the use which is made of s by other protocols, and they do not rely upon the existence of hash functions with mystical properties. After rounding up the usual suspects, the talk will also consider some new attacks and how to frustrate them.


24 November 16:15 Observations on the advanced encryption standard candidates / Mike Roe, Centre for Communications Systems Research

Room TP4, Computer Laboratory

The US government is running a competition to find a replacement for the data encryption standard. There are fifteen candidate algorithms now available for public analysis and comment. I have implemented a number of them from the published definitions, and in this talk I will discuss the lessons I learned in the process.


17 November 16:15 CRYP, CIP and COTS: trusting cryptography in commercial-off-the-shelf systems / Bill Caelli, Queensland University of Technology

Room TP4, Computer Laboratory

Cryptographic (CRYP) sub-systems now play a vital role in the protection of "mission-critical" information systems and data networks, particularly those now being deployed for electronic commerce activities nationally and internationally. Such mission-critical information systems, and associated data networks, are, in turn, being used to control and monitor critical infrastructures in modern society; infrastructures that need a high degree of protection (CIP). These include overall structures for water reticulation, electricity, finance, government, energy, transport and so on. However, under cost pressures those in charge of such infrastructures are moving to adoption of commercial-off-the-shelf (COTS) systems for the control and monitoring of such infrastructures, rather than "bespoke" solutions to information systems needs. With cryptography forming the main protection and trust mechanism to safeguard these controlling information systems, the trustworthy integration of cryptographic sub-systems into COTS becomes of paramount importance. This has a number of technical, business and political implications that need to be explored. This paper examines all three of these aspects of the cryptography integration problem.


16 November 16:15 A hacker looks at cryptography / Bruce Schneier, Counterpane Systems

Room TP4, Computer Laboratory

Building a secure product is a lot more than reading a copy of Applied Cryptography, and then stringing a series of secure algorithms and protocols together. Many "buzzword compatible" products are insecure not because of faulty mathematics, but faulty implementation. Engineers misuse secure primitives, introduce security flaws elsewhere in the process, build bad user interfaces, don't allow for errors or failures, and generally fail to leverage the security of their cryptography. This talk is about what commonly goes wrong in cryptographic products.


10 November 16:15 Copyright control for digital image libraries / Glenn Hall, Hewlett-Packard Laboratories

Room TP4, Computer Laboratory

We will talk about copyright control for digital image libraries using high quality imaging systems, over the web. We have built a system, using on-the-fly watermarking, for a commercial image supplier, now on trial. This raises a number of interesting technical and business questions, such as watermark distribution, and cascading permissions through business processes.


3 November 16:15 Alpha pulse technology - a new concept for generating true randomness / Mark Shilton, Amersham Pharmacia Biotech

Room TP4, Computer Laboratory

The Alpha Pulse random generator is a miniature hardware device for triggering random events with a predetermined event probability. The device uses a miniature silicon photo diode detector incorporating a harmless quantity of a radioactive alpha emitting material. The device produces random voltage pulses when alpha particles are emitted within the photo diode. The device has been used to generate pure, unbiased, non-deterministic random numbers and also to trigger random win events with long odds for applications such as gaming. The event probabilities produced by the device agree very closely with the predictions of Poisson theory.

The Alpha Pulse random generator is robust, durable, highly tamper resistant; it is unaffected by external influences and potentially can be made very small. Its operating principles, design, performance and applications will be reviewed.


27 October 16:15 On the security of digital tachographs / Ross Anderson, University of Cambridge

Room TP4, Computer Laboratory

Tachographs are used in most heavy vehicles in Europe to control drivers' hours, and for secondary purposes ranging from investigating accidents and toxic waste dumping to the detection of fuel fraud. Their effectiveness is under threat from increasing levels of sophisticated fraud and manipulation. I will discuss this in the context of recent EU proposals to move to smartcard-based tachograph systems, which are aimed at cutting fraud and improving the level of enforcement generally. I will argue that the proposed new regime will be extremely vulnerable to the wholesale forgery of smartcards and to system-level manipulation; it has the potential to lead to a large-scale breakdown in control. I will then sketch some potential solutions.


20 October 16:15 Secure implementation of channel abstractions / Cedric Fournet, Microsoft Research

Room TP4, Computer Laboratory

Communication in distributed systems often relies on useful abstractions such as channels, remote procedure calls, and remote method invocations. The implementations of these abstractions sometimes provide security properties, in particular through encryption. We study those security properties, focusing on channel abstractions. We introduce a simple high-level language that includes constructs for creating and using secure channels. The language is a variant of the join-calculus and belongs to the same family as the pi-calculus. We show how to translate the high-level language into a lower-level language that includes cryptographic primitives. In this translation, we map communication on secure channels to encrypted communication on public channels. We obtain a correctness theorem for our translation; this theorem implies that one can reason about programs in the high-level language without mentioning the subtle cryptographic protocols used in their lower-level implementation.

This is joint work with Martin Abadi (Compaq/SRC) and Georges Gonthier (INRIA Rocquencourt).


16 June 16:15 Medical privacy protection - the Xtrend project / Vaclav Matyas, University of Cambridge

Room TP4, Computer Laboratory

The Xtrend project involves collecting drug prescription (and collection) data from pharmacies and creating a database that supports evaluation of general practitioners' (GPs') prescription trends by district. The data is collected without patient identity information, but GPs' identity has to be protected carefully by subsequent processing - only some GPs have consented to their identity being known to data users (usually drug wholesalers or manufacturers) and the identity of the others has to be concealed.

The talk will analyse the problems in protecting the identity of the non-consenting GPs. The solution involves measures like setting a minimal number of participating GPs, practices and pharmacies in a district, and concealing the telltale signs of GPs moving between practices or going on holiday. Another interesting issue concerns the fact that the system is currently being built and this provides a certain level of `noise' against malicious data analysis. However, the situation once the system stabilises will almost certainly be different.


9 June 16:15 The art of uncovering those well-hidden bits / Nick Howgrave-Graham, University of Bath

Room TP4, Computer Laboratory

The talk will be based loosely around the use of partial knowledge in solving bivariate Diophantine equations. Many interesting problems fall into this category including factoring, and solving univariate modular equations, both of which have major implications in cryptography.

The methods are based on work by Coppersmith, and employ lattice basis reduction by the LLL algorithm. An interesting theoretical result concerning dual lattices and the LLL algorithm is shown along the way.

Finally a novel approach to finding solutions to x^2+y^2=N is demonstrated, and applied (using the technique of Pinch and McKee) to breaking a recently proposed elliptic curve cryptosystem.


2 June 16:15 A denotational definition of system integrity / Simon Foley, University College, Cork

Room TP4, Computer Laboratory

Conventional integrity models limit themselves to the boundary of the computer system and tend to define integrity in an operational or implementation oriented sense. For example, the Clark-Wilson model recommends that well-formed transactions, segregation of duties and auditing be used to ensure integrity. However, the model does not attempt to address what is meant by integrity - evaluating a system gives a confidence to the extent that good design principles have been applied. For instance, when we define a complex segregation of duty policy, we cannot use the model to guarantee that a user of the system cannot somehow bypass the intent of the segregation via some unexpected circuitous route.

Clark and Wilson informally identified segregation of duty as a mechanism that is used to control external consistency, which is described as the correct correspondence between the data object and the real world object that it represents. In this talk I will explore a formal definition for external consistency and illustrate how it is implemented in terms of segregation of duties. This denotational, rather than operational, definition is useful because it allows us to determine whether a particular segregation of duties configuration actually works, that is, whether it ensures that the system is externally consistent.


27 May 16:15 Attacks on copyright marking systems / Fabien Petitcolas, University of Cambridge

Room TP4, Computer Laboratory

In the last few years, a large number of schemes have been proposed for hiding copyright marks and other information in digital pictures, video, audio and other multimedia objects. I will describe some contenders that have appeared in the research literature and in the field; I will then present a number of attacks that enable the information hidden by them to be removed or otherwise rendered unusable.


26 May 16:15 Differential-linear weak key classes of IDEA / Philip Michael Hawkes, University of Queensland

Room TP4, Computer Laboratory

The International Data Encryption Algorithm (IDEA) is a well known block cipher which is used, for example, in the Pretty Good Privacy (PGP) package. In this talk, the largest known weak key classes of IDEA and reduced-round IDEA are constructed. For some of these classes, membership is determined by a differential-linear test while encrypting with a single key. In particular, $8.5$-round IDEA has a weak key class of $2^{63}$ keys (one in every $2^{65}$ keys) for which membership is determined in such a manner. A related-key differential-linear attack on 4-round IDEA is presented which is successful for all keys. Large weak key classes are found for 4.5- to 6.5-round and 8-round IDEA for which membership of these classes is determined by similar related-key differential-linear tests.


19 May 16:15 Confessions of a red box builder / David Biggins, Rhea International Ltd

Room TP4, Computer Laboratory

In the world of commercial product development, even in a hi-tech environment, there are many conflicting factors that go to make up the success or otherwise of a product - technical, commercial, political, and just plain luck (good or bad).

Balancing these factors requires the patience of Job, the discretion of Caesar's wife, the judgement of Solomon (not Alan), the technical knowledge of Turing (Alan), the deviousness of the Borgias, the ruthlessness of Genghis Khan, the showmanship of PT Barnum, and the financial acumen of J Paul Getty - none of which I have...

So how DO you take a security product to market these days?

This talk aims to cover many of the factors, technical and otherwise, encountered so far in the development of the Latches for Windows product, and the ways we have managed to hang on to the tiger's tail...

12 May Cryptology, technology and policy / Susan Landau, University of Massachusetts


5 May 16:15 The CORBA security service specification and CORBA security in practice / Ulrich Lang, University of Cambridge

Room TP4, Computer Laboratory

This seminar will first give a brief introduction to CORBA, and then focus on the CORBA Security Service Specification. The security functionality provided by the Security Service and its relevance to distributed systems security in general will be described on an abstract level. The seminar will also try to compare the Security Service Specification to CORBA security in the real world; issues like trust boundaries, Java security, business requirements etc. will be briefly put into context.


29 April 17:30 PGP and resistance to key escrow / Phil Zimmermann, Network Associates Inc.

Hopkinson Lecture Theatre, New Museums Site

This week's political developments highlight the trap of buying into a top-down key management infrastructure. I will talk about the new features of PGP's evolving architecture which we have specifically designed in order to make it resistant to key escrow while enhancing its scalability in large organisations.

NOTE: this week's seminar has been arranged at short notice in response to the government's U-turn on crypto policy. It is thus at a non-standard time and a non-standard venue. Maps and travelling directions can be found here.

Other relevant seminars this term include a talk on the 12th May by Susan Landau of the University of Massachusetts on `Cryptology, Technology and Policy' (Susan is one of the authors of `Privacy on the Line' which documents the crypto policy struggle in the USA) and another on the 19th by David Biggins of Rhea International Ltd entitled `Confessions of a Red Box Builder' (Rhea designed the new electronic red boxes used by some ministers). Both these talks are at the usual 4.15PM in room TP4.


10 March 16:15 Priority driven protocol design / Bruce Christianson, University of Hertfordshire

Room TP4, Computer Laboratory

Priority Driven Communication Protocol Design was a methodology for designing communications protocols which was introduced about fifteen years ago. In this seminar I shall attempt to rehabilitate PDCPD in the context of security protocols, arguing that treating PDCPD as a conceptual framework for reasoning about the design and optimization of protocols (rather than as a design methodology per se) can provide insight into managing the effects of laying off tasks to only partially trusted third parties in order to improve performance: the analogous design problem in 'conventional' communications protocol design is de-layering.


3 March 16:15 VideoCrypt - past, present, and future / Yossi Tsuria, News Datacom, Israel

Room TP4, Computer Laboratory

VideoCrypt, with 9 million subscribers on 4 continents, is without doubt one of the most successful conditional access systems in the world. It also enjoys numerous attacks by the pirate community.

The presentation will describe the origins of the system and its key technology elements, and will discuss past and present security issues. It will also tackle future plans and challenges in the fields of interactive TV, copy protection and data broadcasting.


24 February 16:15 Supporting dynamic security labels in multilevel secure object stores / Simon Foley, University College, Cork

Room TP4, Computer Laboratory

Mandatory label-based policies may be used to support a wide-range of application security requirements. Examples of these policies include Chinese Walls and Dynamic Segregation of Duties (see the seminar I gave on the 28th October 1997). Labels encode the security state of system entities and the application security policy specifies how these labels may change.

I will describe a framework, based on the Jajodia-Kogan message-filter model, that can support these policies in a multilevel secure OODBMS. This framework can support any (dynamic) label-based policy so long as the effect of a high-level request to relabel a low-level label cannot be detected at the low level. A sample policy will be described whereby high-level users can mark low-level objects, indicating that the object should be migrated to the high-level when deleted (at low).

The framework provides what is essentially an interpreter of multilevel programs: programs that manipulate multilevel data-structures that define the security labels of objects. This enables application functionality and security concerns to be developed (and verified) separately, bringing with it the advantages of a separation of concerns paradigm.


17 February 16:15 Tamper resistant structured magnetics / Ed White, Thorn Secure Science International

Room TP4, Computer Laboratory

Security, and particularly 'Smart Card' security, has become a very hot topic in the 1990s. We have been constantly 'educated' that Smart Cards are secure, and this series of seminars has spent much time examining the various claims and potential flaws in those claims. This talk will take a step back from the detail of smart card security, encryption algorithms etc. and examine the basic elements of security. It will briefly examine the various strengths and vulnerabilities of different approaches and present some ideas on how combining technologies can offer great benefits in reducing threats of security breaches.


10 February 16:15 What are the wild waves saying? / Owen Lewis and Keith Penny, TEL

Room TP4, Computer Laboratory

So often overlooked by those who would maintain the confidentiality of their dealings, is that much of the most sensitive and most valuable information first occurs as the act of speech, a personal dialogue. If uninhibited speech can be eavesdropped as it is created, then there is no panoply of technical security that can subsequently make good that breach of security. Even in this computer age, the eavesdropping of speech in sensitive areas remains important in intelligence gathering, commercial as much as state.

This presentation outlines the main varieties of the electronic eavesdropping threat to confidential discussions and looks at advanced countermeasures to bugging where RF transmission is used to extract sensitive conversation from secured premises.

Until starting a technical surveillance countermeasures business in 1991, Owen Lewis was a signals officer in the British Army for 22 years. For some years, he was a visiting lecturer to the NATO Joint Services Advanced Electronic Warfare courses. Keith Penny is an engineer with 20 years of experience of the design, manufacture and systems deployment of a range of electronic surveillance and countersurveillance equipment. They have developed the SysRx system for RF spectrum monitoring, which is to be launched at the Police Scientific Development Branch closed exhibition in March 1998 and is first presented at this seminar.


4 February 16:15 Hardware security: smartcards and other tamper resistant modules / Markus Kuhn, University of Cambridge

Babbage Lecture Theatre

Many computer security applications depend on the secure storage of secret key material. The processors storing these keys cannot be protected by walls and guards in applications such as digital purses or pay-TV encryption systems; often the key memory has to be given into the hands of the attacker. Smartcards and other tamper-resistant processors are frequently quoted as a solution for this problem, but there is little published material about how difficult it is for attackers to circumvent the physical protection of these low-cost devices. The talk will discuss various techniques that have been applied to break the security processors used in pay-TV encryption systems and digital purses with much less effort than the manufacturers had hoped.


28 January 16:15 Security protocols and their correctness / Larry Paulson, University of Cambridge

Babbage Lecture Theatre

Security protocols are used in the Internet, mobile phones, digital payment systems, etc. Their goals may be to keep data secret, to preserve it from tampering, or to prevent intruders from assuming somebody else's name. A faulty protocol can be attacked by simple means, such as replaying parts of old sessions, without brute-force codebreaking.

Researchers have developed tools to search for such attacks. However, failure to find attacks does not mean that a protocol is correct. Protocols and their goals are seldom specified formally, which makes it hard to say whether they are correct, even when possible attacks are pointed out.

The speaker will outline recent approaches to showing correctness, taking as an example a simple public-key protocol.