Security Group
All seminars
2005
30 November 16:15 Orion: Named Flows with Access Control / Alexander (Sandy) Fraser, Fraser Research
Lecture Theatre 1, William Gates Building
Unix file system semantics, applied to the host/network interface for a wide area network, lead to a compact definition of a communications service and provide a versatile framework for privacy in computer communications. Flows are named connections between processes, and a network is a flow that contains other flows. Hierarchical design limits the scope of a name, and access permissions put limits on flow access. Services publish their names on the network. Pure clients, who by default have no need of a public name, are invisible and are not vulnerable to direct attack.
Processes communicate through Orion: a file system-like interface that hides details of network operation from applications and users alike. Many different implementations are possible, and can coexist behind this unifying interface. Not only is this architecture a substantial step towards a network that can evolve independently of its users, it is also a framework under which disparate internets can coexist behind a single user interface.
23 November 16:15 Semantic Video Content Analysis for Security / Shaogang Gong, Queen Mary University of London
Lecture Theatre 1, William Gates Building
There is a huge demand for fully automated semantic video content analysis due to the massive increase of video media in the last decade. However, there is also a lack of effective analytical tools to extract automatically the most relevant information in context and in good time, especially when dealing with CCTV video data of public space. Significantly, human attention span usually lasts no more than 15-20 minutes, resulting in highly inconsistent and error-prone manual content labelling and extraction of CCTV video. Furthermore, the lack of any structured script or embedded meta-data in security and surveillance video, as is present in most commercial and entertainment video, makes the task of automated semantic content analysis of such video data extremely difficult.
In this talk, I will present recent results on activity event and behaviour based video content analysis of security and surveillance video. I will highlight that some of the fundamental problems in security video content analysis are more than merely object tracking and trajectory matching. I will address the problem of modelling and recognising complex activities involving simultaneous movement of multiple overlapped objects. Dynamic probabilistic graph models are exploited for modelling the temporal relationships among a set of different object temporal events and are used to profile and index salient event and behaviour patterns captured in CCTV video, and for the detection of atypical and abnormal behaviours. I will also briefly discuss the problem of extracting and synthesising high-resolution image patches of saliency in low-resolution CCTV content under motion blur, especially in the context of face recognition in low-resolution CCTV video.
Shaogang Gong is Professor of Visual Computation at Queen Mary, University of London, elected a Fellow of the Institution of Electrical Engineers, a member of the UK Computing Research Committee, and Head of the Queen Mary Computer Vision Research Group he founded in 1993. He received his DPhil in computer vision from Oxford in 1989 with a thesis on the computation of optic flow using second-order geometric analysis. He is a recipient of a Queen's Research Scientist Award in 1987, a Royal Society Research Fellow in 1987 & 1988, and a GEC-Oxford fellow in 1989. He twice won the Best Science Prize of the British Machine Vision Conferences (1999 and 2001) and once won the Best Paper Award (2001) of the IEEE International Workshops on Recognition, Analysis and Tracking of Faces and Gestures. He is the principal author of a book on Dynamic Vision: From Images to Face Recognition (Imperial College Press, 2000). His work focuses on visual motion and video analysis with applications to the detection, tracking and recognition of vehicles and human objects, activity profiling, behaviour recognition and abnormality detection in CCTV & live video. A current significant focus is in security for crime prevention and detection funded by the MOD, EPSRC, DTI and industry.
15 November 16:15 Prêt à Voter: Practical, Voter-verifiable Elections / Peter Ryan, Newcastle University
Lecture Theatre 2, William Gates Building
Voting systems provide the bedrock of democracy. Recently, voting systems and technologies have been the subject of considerable attention, for example, the concerns raised about the legitimacy of the 2000 and 2004 US presidential elections or about postal voting in this country. Designing voting technologies and systems that are trustworthy, practical and acceptable to the various stakeholders (electorate, politicians, election officials, security experts etc.) raises formidable challenges.
In this talk I will describe the Prêt à Voter scheme. This scheme, based on an earlier scheme due to Chaum, has the surprising property of voter-verifiability: voters can confirm that their vote is accurately included in the tally, whilst at the same time preserving ballot secrecy. This is achieved with minimal dependence on components of the system by providing maximal transparency within the constraints of ballot secrecy.
I will discuss some of the assumptions underlying the current scheme, and associated potential vulnerabilities, and describe possible countermeasures. I will also describe coercion-resistant adaptations of the original, supervised scheme to the remote voting context.
25 October 16:15 Addressing the Data Problem: Investigating Computer Crime / Ian Walden, Centre for Commercial Law Studies, Queen Mary and Westfield College, University of London
Lecture Theatre 2, William Gates Building
When cybercrimes are carried out, the ability of law enforcement agencies to investigate and prosecute the perpetrators will be driven by the availability and accessibility of data to the investigators, whether as intelligence gathering, evidential retrieval or subsequent analysis and presentation. Any criminal investigation interferes with the rights of others, whether the person is the subject of an investigation or a related third party. In a democratic society any such interference must be justifiable and proportionate to the needs of society to be protected. This presentation will consider the problems raised by data for law enforcement agencies investigating cybercrime. It will examine recent legislative measures and proposals in the UK and Europe to address some of these problems of criminal procedure and the extent to which such measures achieve an appropriate balance between potentially conflicting interests.
21 October 16:00 Nuclear Weapons, Permissive Action Links, and the History of Public Key Cryptography / Steve Bellovin, Columbia University
Lecture Theatre 2, William Gates Building
From a security perspective, command and control of nuclear weapons presents a challenge. The security mechanisms are supposed to be so good that they're impossible to bypass. But how do they work? Beyond that, there are reports linking these mechanisms to the early history of public key cryptography. We'll explore the documented history of both fields, and speculate on just how permissive action links — the "combination locks" on nuclear weapons — actually work.
21 October 14:00 Xilinx Virtex Bitstream Security / Steve Trimberger, Xilinx
Lecture Theatre 2, William Gates Building
Memory-programmed FPGAs are loaded on power-up from an external non-volatile memory. An attacker can intercept the bitstream at that point, modify it, reverse-engineer it or make unauthorized copies of it. Since the introduction of Virtex-II, Xilinx has offered the option to encrypt bitstreams to ensure data privacy. This presentation describes the design decisions, features and restrictions of the Virtex-II bitstream security.
Biography:
Steve Trimberger received his PhD from Caltech at the dawn of the VLSI era, working with Carver Mead and Ivan Sutherland at Caltech, and Lynn Conway and Doug Fairbairn at Xerox PARC. Dr. Trimberger was a member of the original Design Technology group at VLSI Technology and joined Xilinx in 1988.
At Xilinx, Dr. Trimberger was a member of the architecture definition group for the Xilinx XC4000 FPGA and the technical leader for the XC4000 design automation software. He led the architecture definition group for the Xilinx XC4000X device families. He managed the Xilinx Advanced Development group for many years and is currently Distinguished Engineer in Xilinx Research Labs in San Jose where he leads the Circuits and Architectures Group. His research interests include low-power FPGAs, novel uses of reconfiguration, and cryptography.
Dr. Trimberger has written three books and dozens of papers on design automation and FPGA architectures. He is an inventor on more than one hundred patents in the fields of integrated circuit design, FPGA and ASIC architecture, CAE and cryptography. He has served as Design Methods Chair for the Design Automation Conference, Program Chair and General Chair for the ACM/SIGDA FPGA Symposium and on the technical programs of numerous Workshops and Symposia.
12 October 16:15 Natural Randomness as a Fingerprint: Using Nanotechnology to Fight Counterfeiting / Russell Cowburn, Imperial College
Lecture Theatre 1, William Gates Building
We have found [1] that almost all paper documents, plastic cards and product packaging contain a unique physical identity code formed from naturally-occurring microscopic imperfections in the surface. This covert 'fingerprint' is intrinsic, robust and virtually impossible to modify controllably. It can be considered as a biometric identifier for inanimate objects. It can be rapidly read using a low-cost portable laser scanner, which uses the physics of laser speckle in order to probe the surface with sub-micrometre accuracy. Many forms of document and branded-product fraud could be rendered obsolete by use of this code.
[1] Nature 436, 475 (2005)
Russell Cowburn obtained his PhD in condensed matter physics from the University of Cambridge in 1996. He then joined the Nanoscale Science Group in Cambridge University Engineering Department, where he worked as a post-doc for 1 year and as a Research Fellow of St John's College for 3 years, before being appointed to a faculty position at the University of Durham in 2000. In January 2005 he became Professor of Nanotechnology in the Department of Physics at Imperial College London, where he leads a large research group studying applications of nanotechnology to computer memory, cancer treatment and fraud prevention. He is Director of two high technology spin-out companies working in the area of nanotechnology.
12 May 16:15 Inoculating SSH Against Address-Harvesting Worms / Stuart Schechter, MIT
Lecture Theatre 1, William Gates Building
Over the past year, attacks on SSH have compromised major supercomputing facilities, educational institutions, and national laboratories. These attacks have proven our current mechanisms for authenticating users and then isolating them from each other inadequate.
I will describe the mechanisms that have been used to attack SSH and other remote execution mechanisms, and then present data to help explain why these attacks have been so successful. I will describe countermeasures that can be used to make SSH more resilient to some of these attacks. However, other attacks require us to rethink our entire approach to authenticating ourselves to remote hosts and services and authorizing other hosts to perform tasks on our behalf.
19 April 14:30 Sensor Network Security / Dan Cvrcek, University of Cambridge
Room FW26, William Gates Building
Wireless sensor networks represent an interesting environment for a number of problems related to distributed systems. They have specific restrictions (power consumption) and unusual routing requirements (nodes/motes have no idea about the network topology when deployed), and since the information produced by nodes gains value when aggregated, a space for new security protocols exists. We have put some effort into simulating the security of key agreement protocols against an attacker controlling only a fraction of the network (key infection, secrecy amplification). The talk will briefly survey several existing key management schemes and highlight some interesting results we have obtained for key infection protocols.
31 March 16:15 Cybersecurity - What Can We Do About It? / Chuck Pfleeger, Pfleeger Consulting Group
Room FW11, William Gates Building
We are reasonably effective at catching the 80-90% of cyber-attacks that are simple. But what about the others? What about the sophisticated attackers who might plant an exploit today, with a view to reaping the rewards in five years?
15 March 16:15 Certificate Management Using Distributed Trusted Third Parties / Alex Dent, Information Security Group, Royal Holloway, University of London
Lecture Theatre 2, William Gates Building
Trust is a key component in any ubiquitous computing system. Users have to trust the devices to be secure, devices have to authenticate the users in order to trust their inputs and devices have to trust each others' identity and authorisation. A central question in dealing with trust is how to distribute copies of a user's public key in such a way that other users can verify that it does, indeed, belong to the user that claims ownership. Traditional answers to this question have involved using a trusted Certificate Authority (CA) to generate and distribute digitally signed certificates that bind a user's name to his public key (and any other data that may be required). However, the centralised CA model is particularly unsuited to the rapidly changing, ad hoc network topologies that are associated with ubiquitous computing environments.
Our solution to the problem of running a CA in a ubiquitous computing environment is to allow every user in that environment to download a "CA applet": a self-contained application that will run on the user's SEE and will issue certificates for that user's public keys (and, potentially, for other users that have been authorised by a pre-determined policy). Furthermore, that applet may, optionally, take the role of the directory service and make these certificates available to other network users. Hence, these CA applets may be placed anywhere within a network's topology, as required by either the user or by some sort of controlling entity.
This talk discusses methods whereby a CA-applet scheme can be implemented, the situations where it might be useful to do so and the problems that are present with this approach.
1 March 16:15 Embedded devices as an attack vector / Stephen Lewis, University of Cambridge
Lecture Theatre 2, William Gates Building
The use of embedded devices present on a network as a vector for attacks against end-stations is a threat that has not yet been realized, despite the knowledge of a number of vulnerabilities affecting such devices. This is probably due to the resistance of such devices to reverse engineering: they frequently run custom operating systems on obscure architectures.
Using embedded devices as a vector for attack does, however, have two significant advantages:
- Detection of the code running on the embedded device is much harder than it would be on a general purpose computer: few tools are available, and a severely limited interface is presented to the end user
- Embedded devices in the form of network infrastructure provide an excellent platform for attack, because they are ideally placed for covert monitoring and insertion of traffic
When hard-to-detect malicious code can be uploaded to embedded devices on a network, a number of different attacks become feasible. A packet sniffer running on a network switch itself could be used to forward packets matching a particular signature to a third party. Packets could also be generated on the device itself, perhaps in order to mount attacks on end-systems. An attack mounted in this manner would be far harder to contain than one initiated from a normal PC, especially if the ability to reflash the firmware on the device were disabled by the inserted code.
I am currently working on reverse engineering the firmware present in a widely-used switch based around a Motorola 68EC020 processor, and aim to present a demonstration of the insertion of custom code into this device.
15 February 16:15 The Convergence of Anti-Counterfeiting and Computer Security / Steven J. Murdoch, University of Cambridge
Lecture Theatre 2, William Gates Building
Since January 2004, many major graphics software and hardware manufacturers have included anti-counterfeiting measures in their products (including Adobe Photoshop, JASC Paint Shop Pro, HP printers and Canon scanners). The feature operates by detecting characteristics of banknotes and preventing a suspicious image from being processed. The software is developed by the G10 Central Bank Counterfeit Deterrence Group and provided to manufacturers as a compiled library. No details of what features the system detects are publicly available, and it has been established that it does not use the same counterfeit-deterrence technique used in colour photocopiers.
Firstly, the lecture will include background information on existing counterfeit deterrence systems, designed to prevent currency being copied on conventional printing equipment. This will move on to the more modern techniques, developed in reaction to the widespread deployment of high-quality digital printing hardware. The field of digital watermarking will also be introduced and its relationship to counterfeit deterrence discussed. The lecture will cover the progress of a project to understand the currency detection feature and reverse engineer it. This includes conventional reverse-engineering techniques such as disassembly and dynamic code analysis, but it will also describe application-specific tools, such as black box digital watermark benchmarking.
Finally, proposed EU legislation will make the inclusion of such a system mandatory, so the consequences on Free and open source software will be discussed. These are in addition to conventional DRM problems such as prevention of legal manipulation of currency images, and other problems specific to counterfeit deterrence.
18 January 16:15 Mixnets for Electronic Voting / Ben Adida, MIT
Lecture Theatre 2, William Gates Building
Voting is a peculiar security problem, with seemingly contradictory requirements of anonymity and verifiability. One important tool in the fulfilment of these requirements is the verifiable mixnet. This talk reviews the high-level challenges of election protocols, the specific trend of verifiable mixnets used in these protocols, and the current challenges that we are trying to address, particularly with respect to the rapid delivery of verified elections results.
2004
13 December 17:15 National Security on the Line: Electronic Communications in an Age of Terror / Susan Landau, Sun Microsystems Laboratories
Lecture Theatre 2, William Gates Building
Wiretaps have been an element of U.S. law-enforcement and foreign-intelligence investigations for over a quarter century. During this period, communications technology has substantially changed. Law enforcement has sought to keep laws current with the new technology. But new technology brings new threats and it is not clear that the FBI's latest efforts to extend the Communications Assistance for Law Enforcement Act (CALEA) to Voice over IP would actually improve the total security equation. In this talk, we discuss national-security and law-enforcement wiretapping and the Internet, and what security means in this context.
23 November 16:15 Questioning the Usefulness of Identity-based Key Cryptography / Yvo Desmedt, UCL
Since Boneh-Franklin's 2001 paper on "Identity based encryption from the Weil pairing," the research on identity based cryptography and the work on applying bilinear maps to cryptography are both flourishing. Shamir, in 1984, proposed the idea of "identity-based" cryptography to avoid a Public Key Infrastructure. Instead of having the users have their own public key, the identity of the user is the "public key," and a trusted center provides each party with a secret key.
We critically analyze whether Shamir's identity-based concept allows us to avoid a public key infrastructure. We argue the need for at least a registration infrastructure, which we call a "basic Identity-based Key Infrastructure." Moreover, we demonstrate that, if secret keys of users can be stolen or lost, the infrastructure required to deal with this is as complex as that of a PKI. Our discussion extends to the case where the traditional PKI is replaced by an on-line PKI, as introduced by Rivest (1998).
We conclude by surveying possible useful applications of identity-based cryptography. Note: no number theory will be used in this lecture.
16 November 16:15 Detection of LSB Matching Steganography in Images / Andrew Ker, Oxford University Computer Laboratory
26 October 16:00 Data remanence in non-volatile semiconductor memories. Part I: Introduction and non-invasive approach / Sergei Skorobogatov, University of Cambridge
Security protection in microcontrollers and smartcards with EEPROM/Flash memories is based on the assumption that information in the memory disappears completely after erasing. Chip manufacturers were very successful in making their hardware design very robust to all sorts of attacks. But they had a common problem of data remanence in floating gate transistors. The information stored inside an EEPROM/Flash cell in the form of a charge on the floating gate changes some parameters of the storage transistor, so that even after an erase operation the transistor does not get back to its initial state, thereby allowing the attacker to distinguish between previously programmed and not programmed transistors and restore the information from the erased memory. In practice the attack can be done in different ways. The cheapest way is to measure the parameters of the transistor non-invasively by observing voltage- and time-dependent characteristics of each memory cell inside the array. Fortunately for security, this only works with a very limited number of chips. However, the fact that the information does not disappear completely after the memory erase forces developers to implement additional protection. This talk summarises the research done in this direction so far and shows how much information can be extracted from some Microchip PIC microcontrollers after their memory has been 'erased'.
15 October 16:30 Exploiting the Transients of Adaptation for RoQ Attacks on Internet Resources / Azer Bestavros, Boston University Computer Science Department
Over the past few years, Denial of Service (DoS) attacks have emerged as a serious vulnerability for almost every Internet service. An adversary bent on limiting access to a network resource could simply marshal enough client machines to bring down an Internet service by subjecting it to sustained levels of demand that far exceed its capacity, making that service incapable of adequately responding to legitimate requests. In this talk I will expose a different, but potentially more malignant adversarial attack that exploits the transients of a system's adaptive behavior, as opposed to its limited steady-state capacity. In particular, I will show that a determined adversary could bleed an adaptive system's capacity or significantly reduce its service quality by subjecting it to an unsuspicious, low-intensity (but well orchestrated and timed) request stream that causes the system to become very inefficient, or unstable. I will give examples of such "Reduction of Quality" (RoQ) attacks on a number of common adaptive components in modern computing and networking systems. RoQ attacks stand in sharp contrast to traditional brute-force, sustained high-rate DoS attacks, as well as recently proposed "shrew" attacks that exploit specific protocol settings. I will present numerical and simulation results, which are validated with observations from real Internet experiments.
This work was done in collaboration with Mina Guirguis and Ibrahim Matta.
28 September 16:45 AUTODAFÉ: An act of software torture / Martin Vuagnoux, Ecole Polytechnique Fédérale de Lausanne
In his 1950 paper "Computing Machinery and Intelligence", Turing highlighted, for the first time, the risks of bad input validation in software. The problem has not gone away. Buffer overflows, which account for a third of the vulnerabilities discovered in the past decade, are today the best studied example.
Automatic vulnerability-search tools have led to an explosion in the rate at which such flaws are discovered today. One particular technique is fault injection: the insertion of random, atypical data into input files or protocol packets, combined with monitoring for memory violations. Existing tools for this are still rather crude. Their success is more a testimony to the high density of flaws in fielded software than the result of good test coverage. This talk presents a new optimized approach for performing such "fuzzing" tests and will include a demonstration of the "Autodafé" tool that implements it.
26 July 16:15 Threats to Privacy from Passive Internet Traffic Monitoring / Brian Levine, University of Massachusetts
With widespread acceptance of the Internet as a public medium for communication and information retrieval, there has been rising concern that the personal privacy of users can be eroded by malicious persons monitoring the network.
A technical solution to maintaining privacy is to provide anonymity. There have been a number of protocols proposed for anonymous network communication. We show there exist attacks based on passive traffic monitoring that degrade the anonymity of all existing protocols. We use this result to place an upper bound on how long existing protocols, including Crowds, Onion Routing, Mix-nets, and DC-Net, can maintain anonymity in the face of the attacks described. This provides an analytical measure by which we can compare the efficacy of all protocols. Our analytical bounds are supported by tighter results from simulations, and we made empirical measurements of our assumptions. We found that mix-based protocols offer the best tradeoff of performance and security.
In our most recent work, we have looked at attacks to detect signatures of users and webservers that persist over days or weeks. VPNs created by ssh tunnels or secure wireless connections (e.g., WEP) as implemented are not sufficient to block these signatures, even though they provide more protection than the SSL-based connections that have been looked at previously for the same problem. We designed an attack and evaluated it with real Internet measurements: allowing a training period, we found an attacker could guess which exact web site (in the training set) was visited by a user through an encrypted link almost 40% of the time; 70% of the time the correct answer was in the attacker's top five guesses. (A random guess had less than 1% chance of success.)
15 July 16:15 Cybersecurity and Its Limitations / Andrew Odlyzko, University of Minnesota Digital Technology Centre
Network security is terrible, and we are constantly threatened with the prospect of imminent doom. Yet such warnings have been common for the last two decades. In spite of that, the situation has not gotten any better. On the other hand, there have not been any great disasters either. To understand this paradox, we need to consider not just the technology, but also the economics, sociology, and psychology of security. Any technology that requires care from millions of people, most very unsophisticated in technical issues, will be limited in its effectiveness by what those people are willing and able to do. The interactions of human society and human nature suggest that security will continue being applied as an afterthought. We will have to put up with the equivalent of baling wire and chewing gum, and to live on the edge of intolerable frustration. However, that is not likely to block development and deployment of information technology, because of the non-technological protection mechanisms in our society.
8 June 16:15 Privacy Protection in Ubiquitous Computing / Alf Zugenmaier, Microsoft Research, Cambridge
4 May 16:15 Ubiquitous Utopia: Evolution, opportunities and security challenges / Chan Yeob Yeun, Toshiba Research Europe, Bristol
I will discuss the evolution of ubiquitous computing. Future ubiquitous communications systems will enable interaction between an increasingly diverse range of devices, both mobile and fixed. This will allow users to construct their own ubiquitous services using a combination of different communications technologies. Dynamic, heterogeneous and distributed networks will create new opportunities, such as the convergence of communications and highly adaptive reconfigurable terminals. They will also bring new challenges. I will discuss the particular problems involved in securing such ubiquitous environments. My goal is to establish a series of requirements for future security architectures, and future directions that might lead towards the ubiquitous utopia.
25 March 16:15 Engineering a distributed hash table / Frans Kaashoek, MIT
Distributed hash tables (DHTs) are a popular approach to building large-scale distributed applications in the research community. They store data with high availability and they allow data to be looked up quickly, even when nodes are leaving and joining the system at a high rate. DHTs are also decentralized, requiring no organization to be in charge of the management. Only a few operational DHTs exist, however, because most research has focused on the design of the lookup protocol to find data in a DHT. We have found that given enough network bandwidth every lookup protocol can be made to work well; the real challenge in designing a distributed hash table is engineering the details. This talk summarizes our experience with engineering the Chord distributed hash table. Joint work with Frank Dabek, Jinyang Li, Robert Morris, Emil Sit, and Jeremy Stribling.
18 March 16:15 Why Internet voting is insecure: a case study / Barbara Simons, ACM
The U.S. Department of Defense had been planning to run an Internet-based voting "experiment" called SERVE (Secure Electronic Registration and Voting Experiment) for the 2004 presidential primaries and general election. In order to evaluate the security of SERVE, a group of computer scientists was asked to review the program. On Jan. 21, 2004 four members of the review panel, including the speaker, produced a report, available at www.servesecurityreport.org, that analyzed the security risks of SERVE and called for SERVE to be shut down. On Feb. 3, 2004, the Department of Defense cancelled SERVE.
In this talk I shall discuss the security problems with Internet voting in general and SERVE in particular. If time permits, I'll also discuss some vulnerabilities of other forms of voting such as paperless touch screen machines.
Speaker:
Barbara Simons is a technology policy consultant. She earned her Ph.D. from U.C. Berkeley, and was a computer science researcher at IBM Research, where she worked on compiler optimization, algorithm analysis, and scheduling theory. A former President of the Association for Computing Machinery (ACM), Simons co-chairs the ACM's US Public Policy Committee (USACM). She served on the NSF panel on Internet Voting, the President's Export Council's Subcommittee on Encryption, and the President's Council on the Year 2000 Conversion. She is on several Boards of Directors, including the U.C. Berkeley Engineering Fund and the Electronic Privacy Information Center, as well as the Advisory Board of the Oxford Internet Institute and the Public Interest Registry's .ORG Advisory Council. She has testified before both the U.S. and the California legislatures. She is a Fellow of ACM and the American Association for the Advancement of Science. She received the Alumnus of the Year Award from the Berkeley Computer Science Department, the Norbert Wiener Award from CPSR, the Outstanding Contribution Award from ACM, and the Pioneer Award from EFF.
16 March 16:15 On the anonymity of anonymity systems / Andrei Serjantov, Computer Lab
The speaker will talk about anonymous communication systems and the relatively new field of analysis of their anonymity properties. He will introduce the subject, look at some of the ways of achieving anonymous communications, define the requirements and threat models, and then talk about a few of the methods used in their analysis.
9 March 16:15 Location privacy / Alastair Beresford, Laboratory for Communication Engineering, University of Cambridge
Privacy of personal location information is becoming an increasingly important issue. This talk discusses some of the challenges of providing location privacy whilst at the same time permitting location-based services to function. Most methods of enabling location privacy in the literature use access control; this talk introduces the mix zone model which takes a different approach, enabling location privacy through anonymisation. A mathematical model is developed to provide a quantitative measure of anonymity and a method of providing direct feedback to the user is discussed.
17 February 16:15 The traffic analysis of anonymity systems / George Danezis, Computer Lab
In anonymous communications, as in other fields of computer security, the study of attack and defence go hand in hand. It might therefore seem strange that, until recently, the study of "traffic analysis" has not attracted a lot of attention. In this talk, recent quantitative breakthroughs are presented in understanding how traffic analysis is performed. They are used to quantify the cost of attacking generic anonymous communication systems. The focus then shifts towards high-bandwidth low-latency systems like "onion routing". We show how the features remaining in the anonymised streams of traffic can be used to trace them, and provide techniques that scale to de-anonymise whole networks.
10 February 16:15 A monster emerges from the Chrysalis / Mike Bond, Computer Lab
The speaker has spent some time developing Security API attacks that trick hardware security modules (HSMs) into revealing their secrets by sending unusual sequences of commands to their published APIs. But how hard is it to physically open up the device, and "walk in the front door"? This talk describes the speaker's experiences reverse-engineering the 'Luna CA3'. The Luna CA3 is a Hardware Security Module manufactured by Chrysalis-ITS, used in Certification Authorities all over the world. The talk begins with an informal recounting of how the reverse-engineering process progressed, and the various challenges arising on the way. It then explains the results: the exploitation of the internal API to defeat manufacturer lock-in, and identification of the weak spots for more serious attacks which may lead to full compromise. It concludes by looking at the lessons learned from a direct attack on an HSM.
3 February 16:15 Extrusion detection / Richard Clayton, Computer Lab
End users are often unaware that their systems have been compromised and are being used to relay bulk unsolicited email (spam). However, automated processing of the email logs recorded on the "smarthost" provided by an ISP for their customers' outgoing email can be used to detect this activity. These logs do not contain any of the content of the email, or even the subject lines. However, the variability and obfuscation of sender and receiver that is used by spammers to avoid detection at the destination creates distinctive patterns at the source that permit legitimate email traffic to be distinguished from spam. Some relatively simple heuristics result in the detection of low numbers of "false positives" despite tuning to ensure few "false negatives".
2003
27 January 16:15 Human factors and security – Beyond the interface / M. Angela Sasse, University College London
Many security researchers and practitioners treat usability of security as a user interface (UI) problem. It is no coincidence that the most widely known and cited paper on usability and security is Whitten & Tygar's "Why Johnny Can't Encrypt", a study of the user interface to PGP 5.0. Whilst there is no argument that many UIs to security tools are unusable, and that unusable UIs are bad for usability and security, I will argue that there are other pressing usability issues that need to be addressed. For instance:
- Users often bypass security mechanisms because they interfere with production tasks.
- Users often bypass security mechanisms because they require behaviour that conflicts with their values and social norms.
- In many organisations, there is a discrepancy between security policies and security behaviour, which leads to a deteriorating security culture.
- The complexity of current security systems creates problems – and fosters bad decisions – not just among end-users, but among other – technically able – stakeholders, such as system administrators and software developers.
In conclusion, I will put forward a research agenda for usable and effective security.
Speaker:
M. Angela Sasse is the Professor of Human-Centred Technology in the Department of Computer Science at University College London. Since 1996, she has been researching usability issues of security systems in collaboration with a number of Ph.D. students, and published research on effectiveness and usability of authentication mechanisms, user attitudes and perceptions to computer security, and human and financial cost of security mechanisms, and related work on user-centred approaches to trust and privacy.
2 December 16:15 Faster hardware designs for modular arithmetic / Martin Kochanski
A refreshing thing about modern number-theoretic cryptography is that it shows how bad at sums computers really are. Even the most advanced primary-school techniques of long multiplication and long division cannot provide useful speeds when faced with 300-digit modular exponentiations.
This talk will cover the problems of designing hardware for large-integer arithmetic and the ways round them, and will describe a new design for a modular multiplication chip.
Long division is made of subtractions and it needs the result of each subtraction when deciding what to do next; but in silicon, binary subtraction (like addition) is an inescapably slow operation. The algorithm described here takes a ruthless approach: don't get it right slowly, get it wrong fast; and hope that the resulting errors (which double on every clock tick) will be noticeable before they are too large to correct. This balancing act leads to a design that is fast, economical in silicon, easily verifiable, and, unusually in this field, is as efficient for modular multiplication as it is for modular exponentiation.
Speaker:
Martin Kochanski is the inventor of Cardbox, a respected and widely used flat-file text database for DOS and Windows. He has been involved in cryptography since 1979, breaking several commercial encryption products as well as the Lu-Lee public-key cryptosystem; he has also designed and implemented FAP4, the world's first commercially available RSA encryption chip. He is the publisher of Universalis, which provides the daily Liturgy of the Hours through the Web, on palmtops, and through mobile phones.
25 November 16:15 Latest trends in serious and organised identity fraud / Gareth Jones, Experian
Your identity is your most valuable asset. It is the key to unlocking your rights, rewards and privileges, qualifications, employment opportunities, citizenship and trust, medical history, benefits and reputation. Albeit intangible, it clearly has a high value, and therefore it is no surprise that identity fraud is one of the UK's fastest growing crimes. It leaves in its wake considerable disruption for consumers to regain their identity, and significant losses to business.
In this lecture, Gareth Jones, a former Detective Sergeant, with experience in managing fraud risks in banking and currently directing the development of fraud prevention products for Experian – the UK's largest consumer credit reference agency, will cover:
- The methodology used by the fraudsters with reference to case examples
- The impact of the fraud in terms of value of loss and spread of victims
- Good practice in the management of mass-multiple fraud cases of this sort
- Gaps in the fraud detection process that could be improved upon
- Opportunities for fraud prevention
- Taking care of the victim
19 November 16:15 Reasoning about VPN Integrity / Tim Griffin, Intel Research Lab
Virtual Private Networks (VPNs) should provide users with the isolation and security associated with private networks, but at a lower cost made possible by the use of a shared infrastructure. One type of VPN currently enjoying wide deployment is described in RFC 2547. From the customer's point of view, RFC 2547 VPNs represent an outsourcing of routing to Internet Service Providers (ISPs). From the ISP's perspective, this represents (at long last) a chance to "add value" to IP services. However, it also represents a network configuration nightmare. I'll talk about one attempt to tame the complexity of these VPNs using network invariants - maintained by bits of implementation - that can be composed to reason about the global correctness of various VPN implementations. The approach quickly reveals some rather nasty problems with RFC 2547 VPNs. I'll mention these and a few possible fixes.
* Dr Tim Griffin has recently joined the Intel Research Laboratory at Cambridge. He previously worked at AT&T research investigating network management. He also has research interests in databases and programming languages.
12 November 16:15 Security and complexity / Andrew Cormack, UKERNA
The media term "hacking" covers a very wide range of activities. Networked computers are subject to many different types of attack at many different technical levels and with many different motivations. Defending against such diverse threats is likely to require similarly diverse measures. This talk will examine the current threats and the measures that can be taken to defend against them, and discuss how increases in the scale and complexity of computer systems may affect the balance between attack and defence.
11 November 16:15 Implementation of the Regulation of Investigatory Powers Act 2000 (RIPA) / Simon Watkin, UK Home Office
Simon Watkin will share his unique perspective of the Government's progress towards full implementation of RIPA. He will recall the conception of RIPA, describe how the imposition of regulation on public authorities' surveillance of communications data was derailed and explain the effect of the RIPA Statutory Instruments which Parliament is being invited to approve. He will also explain what has happened to Part III of RIPA. Finally he will describe what he is doing to review how best the Government can ensure respect for individual privacy and, at the same time, protect the public from crime and terrorism.
Speaker:
Simon Watkin joined the Home Office's Covert Investigation Policy Team in September 2002 from David Blunkett's Private Office where he was a Private Secretary. He was nominated as an Internet Hero at the UK Internet Industry Awards 2003 for "doing his best to understand the industry, tech sector interest groups and experts and to subsequently inform discussions within the Home Office".
He worked on implementation of the recommendations of the Cabinet Office Performance and Innovation Unit report on Encryption and Law Enforcement, and on the development of the National Technical Assistance Centre. In 2001 he established the Home Office's Hi-Tech Crime Team assessing the impact of new technologies upon law enforcement capabilities.
5 November 16:15 Elliptic curve cryptography / Nigel Smart, University of Bristol
I will discuss elliptic curve cryptography and how it is used in a traditional public key setting. I will go on to explain some of the attacks against such systems and then show how the existence of such attacks can be used to develop new identity based encryption and signature protocols.
4 November 16:15 A flexible, model-driven security framework for distributed systems / Ulrich Lang, ObjectSecurity Ltd.
The proliferation of different distributed systems platforms and security technologies complicates the integration of distributed applications. Model driven software development tries to tackle this problem by modelling the application logic undistorted by technology and using tools to map the model to the particular technology. Distributed systems security faces a similar challenge in that there are many different platforms and security technologies that need to be integrated.
This talk will present our new security framework. Its central part is the policy repository, which stores the platform-independent security policy. Once the framework is integrated, the mapping from the abstract policy to the concrete enforcement, as well as the translation of technology specific security information into abstract security attributes is automatic. We will illustrate our approach using our prototype implementation and an exemplary integration with the CORBA Component Model, which are currently being implemented as part of an EU-IST research project.
Speaker:
Ulrich Lang is co-founder and research director of ObjectSecurity Ltd., a leading IT security specialist company. He received his Ph.D. from the University of Cambridge (Security Group, Computer Laboratory) in 2003. His dissertation was about conceptual aspects of security policies for middleware. Before that he completed a Master's Degree (M.Sc.) in Information Security at the University of London in 1997, after studying computer science with management at the University of Munich and at Royal Holloway College (University of London). After his M.Sc. graduation, he worked as an independent security consultant on various CORBA based banking projects. He is the author of a book on Developing Secure Distributed Systems with CORBA, various articles in journals and several publications at international conferences and workshops.
4 November 14:30 Using memory errors to attack a virtual machine / Sudhakar Govindavajhala, Princeton University
We present an experimental study showing that soft memory errors can lead to serious security vulnerabilities in Java and .NET virtual machines, or in any system that relies on type-checking of untrusted programs as a protection mechanism. Our attack works by sending to the JVM for execution a Java program that is designed so that almost any memory error in its address space will allow it to take control of the JVM. All conventional Java and .NET virtual machines are vulnerable to this attack. The technique of the attack is broadly applicable against other language-based security schemes such as proof-carrying code.
We measured the attack on two commercial Java Virtual Machines: Sun's and IBM's. We show that a single-bit error in the Java program's data space can be exploited to execute arbitrary code with a probability of about 70%, and multiple-bit errors with a lower probability.
Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat. Fortunately, there are some straightforward defenses against this attack.
This presentation may include a live demonstration of our attack.
7 October 16:15 Hardware Security Appliances (HSA) / Simon Shiu, HP Labs, Bristol
Typically HSMs protect cryptographic keys and algorithms and have a low level (cryptographic) API. Overall security is then dependent on the accessibility of the API. A simplistic way to improve this situation is to allow generic applications to run within a secure boundary. However the complexity and interfaces of most applications mean that merely running them on secure hardware will not provide good security.
The Hardware Security Appliance (HSA) research is exploring ways to find the right model/balance of using secure hardware to achieve better system security. The HSA concept is to encapsulate simple security services that bind security functions such as decryption with authorisation and authentication. Such hardware secured services provide a functional root of trust that can be placed within the context of a wider IT solution. Running a security service within a secure hardware device with limited functional and management APIs allows surprisingly rich policies to be tightly bound to the ways cryptographic keys are used. The HSA has an RSA identity to allow remote configuration of policies – hence creating a separation of control from local system administrators.
The talk will include examples of HSA services that highlight the main aspects of the approach and (hopefully) show how "thinking in an HSA like way" leads to different kinds of security and trust solutions.
29 July 16:15 Open APIs for embedded security / Carl A. Gunter, University of Pennsylvania
Embedded computer control is increasingly common in appliances, vehicles, communication devices, medical instruments, and many other systems. Some embedded computer systems enable users to obtain their own programs from parties other than the maker of the device. For instance, PDAs and some cell phones offer an open application programming interface that enables users to better customize devices to their needs and support an industry of independent software vendors. This kind of flexibility will be more difficult for other kinds of embedded devices where safety and security are a greater risk. This talk discusses some of the challenges and architectural options for open APIs for embedded systems. These issues are illustrated through an approach to implementing secure programmable payment cards based on Java Cards. This work is based on efforts of the OpEm Project at Penn.
30 June 16:15 Rethinking computer architecture for cyber security / Ruby Lee, Electrical Engineering Dept., Princeton University
Cyber security provides assurances and safeguards for cyberspace interactions and services. These are built upon hardware and software technology for computing, communications and storage. In the past half century, design goals have focussed mainly on improving performance, cost and power in hardware, and on improving functionality, versatility and ease-of-use in software. Approaches to cyber security have focused on reactive measures, perimeter security and software implementations. In contrast, we propose a proactive approach to cyber security, where every component, hardware, software or networking, has secure or trustworthy operation as a primary design goal. We ask what computer architecture might look like, if cyber security is a primary design goal, rather than added on as an after-thought. What is a minimalist set of architectural components for a security-aware processor? We give some examples of faster ciphers with novel permutation instructions, defensive design for mitigating DDoS attacks, and virtual secure co-processing.
10 June 16:15 Major incident planning in an NHS Acute Hospital / Marek Isalski, South Manchester University Hospitals NHS Trust
Planning for emergency incidents has become very topical with the focus on "Post-September Eleventh Threats". This seminar will give an overview of how an Acute Hospital's planning fits in with other emergency services in managing a major incident and will pay particular attention to how the skills developed by security researchers and analysts are applicable in the role of "Emergency Planning Officer".
Speaker:
After graduating in Computer Science from Cambridge and working as a security programmer, Marek Isalski was appointed as Data Security Manager at South Manchester University Hospitals NHS Trust. He is the lead for Data Protection, Freedom of Information and information confidentiality/security at the Trust, and his responsibilities also include business continuity planning. Together with James Bell he co-ordinates the Major Incident Planning Team currently reassessing emergency planning primarily for the Wythenshawe site, the hospital closest to Manchester Airport.
22 May 16:30 Honeycomb and the current state of honeypot technology / Christian Kreibich, Computer Lab
20 May 16:15 Why data protection laws don't work (and what may need to be done about that) / Douwe Korff, London Metropolitan University
Douwe Korff will explain what data protection is (and what it isn't, i.e. not data security and not privacy), what its basic principles are – and why the laws don't work. He will show that the legal rules are predicated on assumptions which do not hold, and that enforcement is haphazard and negotiable. But he will also show how something like data protection is going to be crucial if the individual is to be protected against major (public and private) institutions and interests. And he will then try and discuss with the audience how the problems can be overcome.
Speaker:
Douwe Korff is a Dutch human rights lawyer and data protection expert. Now a professor of international law at London Metropolitan University, he has worked in both (overlapping) fields for Amnesty International, the Council of Europe and the EU Commission as well as the direct marketing industry.
7 May 16:15 The mother of all surveillance schemes / Simon Davies, London School of Economics
The UK government has launched two consultations on retention of communications data and access to data. The government's aim appears to be the creation of a comprehensive mandatory regime of data storage that will cover all aspects of location and communication traffic on almost the entire population. These proposals follow a string of initiatives designed to shift the privacy default in favour of law enforcement, revenue and national security. In this talk I will outline the threats and benefits of universal surveillance of communications, and place this assessment into the broader context of the declining state of privacy in Britain. Simon Davies is Director of Privacy International.
6 May 16:15 Anonymity in practice / Len Sassaman, The Mixmaster Project
There have been many designs proposed for network anonymity systems, but only a few have seen noticeable adoption. This is due in part to the fact that there are some difficult problems to solve when designing an anonymity system, and often these problems are "practical" in nature, and not anticipated at the design stage. This seminar will discuss the ways in which anonymity systems are being deployed, what their uses are, and where they meet or fail to meet their intended purposes. Key design points, implementation and deployment pitfalls, abuse concerns, and various attacks on existing systems will be covered.
Speaker:
Len Sassaman is a communication security consultant specializing in Internet privacy and anonymity technologies. Len has been a strong defender of personal rights through technology. As a volunteer, he has lent his expertise to human rights organizations, victim support groups, and civil liberties organizations.
Len is an anonymous remailer operator, and is currently project manager for Mixmaster, the most advanced remailer software available. Previously, he was a software engineer for PGP Security, the provider of the world's best known personal cryptography software. A returning Black Hat speaker, Len is also a frequent contributor to online discussions of electronic privacy issues, and has contributed to the development of free software privacy utilities.
1 May 17:30 Total Information Awareness / Phil Zimmermann
The human population is not doubling every 18 months, but the ability of computers to keep track of us is. The blind force of Moore's law has been accelerated by policy since 9/11. What are the feasible, and reasonable, responses to this?
Speaker:
Phil Zimmermann was the creator of PGP, the world's most popular email encryption software.
29 April 16:15 Bypass of locks / Marc Weber Tobias, Investigative Law Offices
The talk will provide a summary of the security problems associated with bypass of locks and safes, and a primer of the basic locking mechanisms. A description of the process of breaking three different locks that are utilized in the hotel industry worldwide will also be provided. These case examples will demonstrate vulnerabilities and lack of proper security engineering by the manufacturers.
Speaker:
Marc Weber Tobias is an Investigative Attorney and polygraph examiner in the United States. He has written five law enforcement textbooks dealing with criminal law, security, and communications. Marc Tobias was employed for several years by the Office of Attorney General, State of South Dakota, as the Chief of the Organized Crime Unit. As such, he directed felony investigations involving frauds as well as violent crimes.
Mr. Tobias is the author of the 1400-page textbook and multimedia collection Locks, Safes, and Security: An International Police Reference. He consults on lock security and his law firm handles investigations for government and private clients.
slides (Powerpoint, 25 MB)
07 April 16:15 An alternative approach for verifiable secret sharing / Kamil Kulesza, Polish Academy of Sciences
The speaker will present in the first part of the talk some ongoing research. The second part is about a result first presented with Zbigniew Kotulski and Josef Pieprzyk at ESORICS 2002 in Zurich about verifiable secret sharing. The approach there works for any underlying secret sharing scheme. It is based on the concept of verification sets of participants, related to authorized sets of participants. The participants interact (no third party involved) in order to check the validity of their shares before they are pooled for secret recovery. Verification efficiency does not depend on the number of faulty participants.
24 March 16:15 Understanding security dependencies / David LeBlanc, Microsoft
[David will present the talk "Writing secure code" that was originally announced for this slot on Wednesday in St John's College instead. He coauthored a book of the same title (CL library: K.6 39)]
18 March 16:15 m-o-o-t – Securing the everyday computer, and protecting it against governments / Peter Fairbrother
Mandatory decryption and/or key access for law enforcement and other purposes is being considered by Governments as a viable alternative to key escrow.
m-o-o-t responds to this threat, which we at m-o-o-t consider useless against the well-informed, an invasion of privacy, and potentially self-incriminatory.
The implementation and integration of some techniques to make cyphertext unavailable to LEAs, to make keys unavailable to the user, and to hide files, will be covered in some detail.
These are included in the m-o-o-t CD, which boots and runs on most everyday computers – the internal hard drive need not be involved. Security measures against some non-cryptanalytic attacks are included, and functionality is optimised for the novice.
The talk will also mention some anonymity and deniability techniques which we are working on, the future of m-o-o-t at a time when the eventual implementation of RIPA Pt.3 is becoming uncertain, and some unanticipated uses for m-o-o-t.
12 March 16:15 The PERMIS X.509 role based privilege management infrastructure / David Chadwick, University of Salford
Wednesday Seminar, LT1
This talk will describe a policy driven role based access control system developed under the EC PERMIS project. The user's roles, and the policy are stored in X.509 Attribute Certificates. The policy, written in XML, describes who is trusted to allocate roles to users, and what permissions each role has. The DTD has been published at XML.org. Access control decisions are made by an Access Control Decision Function consisting of just three Java methods and a constructor. The decision is made according to the requested mode of access, the user's trusted roles and the policy. We also have a tool, the Privilege Allocator, that makes ACs and stores them in an LDAP directory.
11 March 16:15 Is information the new weapon of mass destruction? / Stephane Koch, Ecole de Guerre Economique & Internet Society Geneva
After the events of 11 September 2001, the past year has demonstrated how controlling publicly available information is of strategic advantage, both economically and politically. Governments find the ability to anticipate public opinion indispensable, as this permits them to disseminate "appropriate" elements of information on which the public will base its decisions.
Army psychological operations units ("psy-ops") represent this new era, in which wars are won primarily in public opinion. On this new theater of operations, the different information providers and actors in the world of communication are themselves tools of influence and manipulation – willingly or unwillingly. Taking into account the speed at which data is exchanged today and the reductions in information processing time, it becomes more and more difficult to find the guide marks necessary for an independent opinion.
20 February 14:30 Cryptology and physical security: rights amplification in locks / Matt Blaze, AT&T Labs Research
Computer security and cryptology takes much of its basic philosophy and language from the world of mechanical locks, and yet we often ignore the possibility that physical security systems might suffer from the same kinds of attacks that plague computers and networks. This talk examines mechanical locks from a computer scientist's viewpoint. We describe attacks for amplifying rights in mechanical pin tumbler locks. Given access to a single master-keyed lock and its associated change key, a procedure is given that allows discovery and creation of a working master key for the system. No special skill or equipment, beyond a small number of blank keys and a metal file, is required, and the attacker need engage in no suspicious behavior at the lock's location. We end with future directions for research in this area and the suggestion that mechanical locks are worthy objects of our attention and scrutiny.
19 February 16:15 Quantum computation – from theory to experiments / Artur Ekert, DAMTP, University of Cambridge
Wednesday Seminar, LT1
The theory of computation, including modern cryptography, was laid down almost seventy years ago, was implemented within a decade, became commercial within another decade, and dominated the world's economy half a century later. Quantum information technology is a fundamentally new way of harnessing nature. It is too early to say how important a way this will eventually be, but we can reasonably speculate about its impact both on computation and data security. I will review the basic concepts of quantum information science and describe experimental techniques which aim to give data processing devices new functionality.
18 February 16:15 The cryptographic role of the cleaning lady / Robert Morris, National Security Agency (retired)
In recent years, loss of valuable information has been due to surprisingly low tech attacks.
By the cleaning lady, I mean some person or entity that you believe could not possibly be part of your security or cryptographic system. I leave it to the reader to identify his or her own cleaning ladies in the remainder of this talk and in real life.
It is my understanding that all major countries employ cleaning ladies in this capacity.
Would the listener please think hard about 'trusted third parties' and 'woman in the middle' attacks.
18 February 14:30 Fighting spam: moderately hard memory-bound computations / Mike Burrows, Microsoft Research
NetOS Seminar, LT2
04 February 16:15 Administrative Scope: a foundation for role-based administrative models / Jason Crampton, University of London, Royal Holloway
The basic components of role-based access control are well understood and widely accepted. The use of RBAC principles to manage RBAC systems has been less widely studied although some advances have been made. In particular, the ARBAC97 model makes an important contribution to the understanding and modeling of administration in role-based access control. However, there are several features of the model which we believe could be improved. We introduce the concept of administrative scope in a role hierarchy and show how this can be used to control updates to the hierarchy. We then incrementally develop a model for administering the role hierarchy and compare it to the RRA97 sub-model of ARBAC97. We conclude that our model offers significant advantages over RRA97.
17 January 16:00Making NSA Security Enhanced Linux easy to use and manage / Russell Coker
MAC based security systems have not achieved much popularity because of both actual and perceived difficulties of use.
I will describe my work in adding SE Linux support to the Debian distribution including packaging policy files, and supporting live upgrades of software in a secure fashion. Given a choice between security and manageability most organizations will not choose security. Given a choice between security and ease of use most users will not choose security. I aim to make SE Linux easy enough for desktop users and manageable enough for commercial users.
Finally there are some issues regarding SE Linux management that have not been addressed adequately (IMHO). I will discuss these with the audience and I will be very interested in any suggestions for ways to approach these problems.
2002
9 December 11:00Privacy lost / Jonathan Smith, University of Pennsylvania
"...your eyes shall be opened, and ye shall be as gods,
knowing good and evil"
— Satan, Genesis III:5
And the eyes of them both were opened, and they knew that
they were naked
— Genesis III:7
The increasing interconnection of data sources has led to growing fears that the "end of privacy" (at least as we know it today) is near. This may be the most undesirable long-term outcome of the continuing information revolution.
Since data today are largely stored data, and further, are often collected in a user-controllable manner (e.g., by data entry from a keyboard), various privacy techniques and technologies can be applied. However, in the very near future, ubiquitous low-cost sensors will be introduced into our information networks, and eventually operated collectively, with interesting and perhaps unsettling consequences.
This talk will attempt to expose a subset of the issues and to stimulate thinking on the technologies and their implications. I will close with some speculation on how we, as engineers, might keep society's options open.
26 November 16:15Anonymity and e-voting without 'cryptography' / Ofer Margoninsky, Hebrew University of Jerusalem
AMPC is a new, encryption-free anonymizing network that is efficient to use, and does not require the use of conventional cryptography by the users of the network. The AMPC (Anonymous MultiParty Computation) method uses a variation of Chaum's mixes that utilizes value-splitting to hide inputs, and is secure as long as fewer than a square root of the servers in the network are compromised. On top of AMPC we have built a new e-Voting protocol, which also does not require the users to use any conventional cryptography, thus 'freeing' the users from the need to rely on the security and integrity of the workstations they use to perform the actual voting. The protocol also provides the voter with a receipt, which assures the voter that his vote was actually received by the tallier. This new e-Voting protocol uses a new weak-signatures building block ('enhanced check vectors') as well as AMPC.
19 November 16:15Towards the human firewall – standards, pitfalls and suggestions / Rossouw von Solms, Port Elizabeth Technikon, South Africa
Information has grown to become the most important asset to most organizations today. To effectively secure these assets, a set of security controls is normally introduced. These controls can be physical, technical or operational in nature. Operational controls are those controls that are executed by employees or users of information, like locking your office door or not writing down your password. Thus, the behaviour of the employees or users is influenced by the operational controls defined. These operational controls are normally dictated through company policies and procedures, which are derived from and based on various standards and frameworks.
The major problem experienced in many organizations today is that the users are not aware of, or do not adhere to, these policies and procedures. Therefore, educating the users to behave according to the company's information security policies and procedures will ensure that an information security culture is created in the organization. This security culture will give rise to what can be called the human firewall. This human firewall should ensure that all users of information are fully educated as far as information security is concerned and that their everyday behaviour, when working with company information, is in line with the prescribed policies and procedures.
This talk describes the role of policies, procedures, standards, frameworks, etc in creating an information security culture in an organization where the behaviour of the users creates a human firewall against information security threats.
12 November 16:15Model-checking cryptoprocessors (or: why I like the British Museum) / Mike Bond, Computer Laboratory
Design of security APIs is becoming as notoriously hard to get right as design of security protocols. This talk describes the first steps towards developing a formal tool to assist experts in the analysis of security APIs.
The speaker first describes the roots of this work in crypto protocol analysis, and explains the new challenges presented by API analysis. He describes a basic approach to formalising APIs, and presents a new tool which can check a formal model of an API against specific properties, for instance: checking a financial API to see if any combination of up to 5 commands can reveal a customer's PIN.
The tool uses birthday attacks and a large helping of brute force to analyse a large subset of an API's state space. Though the tool can never hope to explore more than a large subset of the API, the speaker believes that interesting attacks do lie within state spaces between 2^40 and 2^80 – an area as yet unexplored by existing tools.
6 November 16:15Smartcard Defence Technology / Simon Moore, Computer Laboratory
The mass adoption of embedded computing devices (mobile phones, PDAs, smartcards, etc) is moving us rapidly into the ubiquitous computing age. If these devices are to be a boon rather than a bane then robustness is critical. Security will be increasingly important, not only for traditional roles like payment mechanisms and access control, but also for peer to peer transactions and new business structures.
Smartcards are an early embodiment of consumer security devices. They present a harder target for the criminal underworld than their magnetic strip counterparts. However, for several years now it has been known that microprocessors can leak a lot of useful information through power and electromagnetic emissions. These emissions (often referred to as "side channels") are characteristic of conventional clocked digital circuit designs. Fault injection techniques have also been used to trick devices into fault modes which leak additional information.
As part of an EU funded project (G3Card) we have been collaborating with industrial and academic partners to develop technologies for the 3rd Generation of Smartcards. In Cambridge we have played both black hat and white hat roles so that we can evaluate what we have designed in much the same way that a good locksmith must also understand how to be a good lock pick. This lecture will review our design strategies, from concept to VLSI implementation. Results will be presented from formal verification of components to bench experiments on naked chips.
29 October 16:15Viruses – a nightmare waiting to happen? / Stuart Taylor, Sophos
This talk will present a brief history of viruses, how the problem has changed from 15 years ago to the current day with a look at just how large the problem really is in the light of the rapid technological change of the last few years. It will review current viruses and provide a look at what can be expected in the future.
18 October 16:00The electronic voting enigma: hard problems in computer science / Rebecca Mercuri, Bryn Mawr College
Although it might appear that modern technology should be able to provide secure, auditable, anonymous elections, this turns out to be a difficult problem for computer scientists. Vote collection and tabulation involves processes for system security, program provability, user authentication, and product reliability, all of which harbor inherent flaws. These matters are further compounded by sociological and legal technicalities – such as the prevention of vote-selling and protection from denial-of-service attacks. This talk will address these subjects from a computer science standpoint, focusing on those which are considered to be "hard" (the CS word for "presently unsolvable"). Although these computer systems cannot achieve all desired election goals, suggestions will be made regarding design enhancements which, if implemented, could improve these devices to the point where they are almost as good as mechanical lever machines and hand-counted paper ballots.
15 October 17:00I know your PIN (PIN recovery attacks) / Jolyon Clulow, Prism
A number of efficient attacks against the typical financial API of tamper-responding security modules will be presented. These allow the recovery of the PIN from an encrypted PIN block. The attacks succeed against the state-of-the-art security modules of all major vendors, and are computationally trivial, requiring between a few seconds and a couple of minutes. Some real-world attack scenarios are also presented, highlighting the potential for fraud.
1 October 16:15Verifiable democracy / Yvo Desmedt, Florida State University
Lecture Theatre 2, William Gates Building
The concept of digital signatures is supposed to replace handwritten ones. Verifiable Democracy is the virtual version of handwritten legislature. It seems that the concept of Threshold Signatures addresses this. (In threshold signatures the secret key is distributed so that only authorized subsets can combine their shares to form a signature. Any non-authorized subset gains no information about the signature.) However, a problem that occurs is that – even in the case of virtual legislature – lawmakers may be absent. In many democratic organizations the number of members varies over time, and so does the meaning of a majority. The manner in which a legislature votes is similar to a threshold signature scheme, and the power to sign is similar to possessing shares to sign. The fact that members are absent implies the need for transfer of the power to sign. Schemes for redistributing shares have been developed. However, these solutions require parties to delete their shares, which is often an unrealistic assumption. Here we provide a model for democratic bodies and solve the related problem of assuring an orderly and verifiable transfer of power as the size of the body varies. This presentation is based on joint work with Brian King and will be presented at eGOV (September 2–6).
17 September 16:15Laser radiation – a tool for integrated circuit examination and interference / Peter Skorobogatov, SPELS, Moscow
Lecture Theatre 2, William Gates Building
This talk presents research results on the effects of irradiating semiconductor devices (SD) and integrated circuits (IC) with lasers. We show that the adequate simulation of the phenomena occurring requires the joint numerical solution of both the optical equations and the fundamental semiconductor physics equations in a two-dimensional approximation. Simulations with our "DIODE-2D" software have shown that laser irradiation can be an effective tool for SD and IC investigation and influencing. It may be used to ionize separate components to determine their reaction or change their state. The numerical simulation helps to identify optimal laser-beam parameters, such as the wavelength, pulse width, location etc. Numerous examples presented will illustrate the capabilities of SD and IC laser irradiation.
17 September 15:00Exploiting EM emanations and using templates for sidechannel attacks / JR Rao, IBM Thomas J. Watson Research Center, NY
Lecture Theatre 2, William Gates Building
In the first part of this talk, I will present results of a systematic investigation of leakage of compromising information via electromagnetic (EM) emanations from CMOS based devices. This information leakage differs substantially from and is more powerful than leakage from other conventional side-channels such as timing and power. EM emanations are shown to consist of a multiplicity of compromising signals, each leaking somewhat different information. Our experimental results confirm that some of these signals could individually contain enough leakage to defeat countermeasures against other side-channels such as power. In the second part of this talk, I will present a new form of side channel attacks which we call template attacks. These attacks can break implementations and countermeasures whose security is dependent on the assumption that an adversary cannot obtain more than one or a limited number of side channel samples. They require that an adversary has access to an identical experimental device that he can program to his choosing. In contrast to previous approaches which viewed noise as a hindrance that had to be reduced or eliminated, our approach focuses on precisely modeling noise, and using this to fully extract information present in a single sample. I will present a case study where we use this approach to extract keys from an implementation of RC4.
3 September 16:15Physical one-way functions / Ravi Pappu, ThingMagic LLC
Lecture Theatre 2, William Gates Building
Modern cryptographic practice rests on the use of one-way functions, which are easy to evaluate but difficult to invert. Unfortunately, commonly used one-way functions are either based on unproven conjectures or have known vulnerabilities. We show that instead of relying on number theory, the mesoscopic physics of coherent transport through a disordered medium can be used to allocate and authenticate unique identifiers by physically reducing its microstructure to a fixed-length string of binary digits. These physical one-way functions (POWFs) are inexpensive to fabricate, prohibitively difficult to duplicate, admit no compact mathematical representation, and are intrinsically tamper-resistant. We provide a simple authentication protocol based on the enormous address space that is a principal characteristic of physical one-way functions.
A majority of this work was done while the speaker was at the MIT Media Laboratory.
18 August 15:00Verifiable secret redistribution / Chenxi Wang, Carnegie Mellon University
Lecture Theatre 2, William Gates Building
Threshold sharing schemes provide fundamental building blocks for secure distributed computation and the safeguarding of secrets. Since its invention, many enhancements to threshold secret sharing have been proposed. Proactive Secret Sharing (PSS), for example, provides enhanced protection by updating the shares periodically in a distributed fashion. Traditionally, PSS schemes retain the same set of shareholders and the same access structure across updates. A more general problem is the redistribution of shares between different (possibly disjoint sets of) shareholders and different access structures. We study this generalization and present a new protocol that performs verifiable secret redistribution between arbitrary shareholders and across arbitrary access structures. We also identify a vulnerability in the previous protocols that allows faulty shareholders to distribute invalid shares to new shareholders, and we prove the security of our scheme with an information-theoretic security proof.
12 June 16:15Electromagnetic eavesdropping on computers / Markus Kuhn, Computer Laboratory
The traditional techniques for remote unauthorized access to private and confidential information – tapping communication links, code breaking, impersonation – become increasingly infeasible as the use of modern cryptographic protection techniques proliferates. Those in the business of obtaining information from other people's computers without consent – criminals and spies, intelligence agency and law enforcement technicians, private detectives, market researchers – are therefore increasingly looking for alternative eavesdropping techniques. One class of alternatives utilises those unintentional information leaks caused by the physical/analog underlying processes in computers and peripherals that can be sensed, amplified and decoded at a distance.
This talk provides an introduction, overview and demonstration of electromagnetic and optical passive eavesdropping techniques for personal computers, focusing in particular on video display units. It will present new techniques for eavesdropping liquid-crystal and cathode-ray tube displays and will discuss the information-security threat posed by these, along with simple new protective measures.
11 June 14:15Digital identity & profile management – the right way / Stefan Brands, Credentica
Lecture Theatre 2, William Gates Building
Applications that involve the electronic transfer of credentials, profile data, and other sensitive information are quickly gaining momentum. Initiatives such as E-Government and Network Identity are attempts to facilitate information exchanges beyond the traditional confines of private networks. Today's prevalent methods for secure electronic authentication rely either on Kerberos-style authentication or on PKI based on digital identity certificates, both of which were invented a quarter of a century ago, at the dawn of modern cryptography. In particular, they were designed to secure primarily non-open organizational environments, such as enterprise intranets and inter-government communication. Within the context of today's emerging open information infrastructures, however, symmetric authentication and digital identity certificates do at best a mediocre job of protecting security, introduce a host of performance problems, and have devastating consequences for privacy. Amongst others, they fundamentally do not offer any of the following: software-only protection against lending of access rights; role-based access; the ability to disclose the minimal information needed to a verifier; the ability of verifiers to hide competitive data from online status validators; limited-use instances of certified information; non-repudiation even in the presence of malicious central parties; and, reverse (or negative) authentication. As a result, they expose organizations to potentially unlimited liability, lead to consumer fear, and stifle the adoption of new systems. This presentation will show a much better way of doing authentication and access control in Digital Identity and Profile Management systems, based on scientific advancements in electronic authentication made over the past 25 years.
ABOUT THE AUTHOR: Dr. Stefan Brands is one of the leading cryptographic experts on the subject of electronic authentication. His book Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy has been widely acclaimed by prominent privacy advocates, security experts, and legal experts, and its subject matter is taught at universities around the world. Dr. Brands is an adjunct professor at McGill's School of Computer Science in Montreal, and is the founder of Credentica. Incorporated in January 2002, Credentica's mission is to provide superior software solutions for transaction systems that involve digital identity and profile management.
28 May 16:15Isn't Kerberos boring? / Paul Leach, Microsoft
Lecture Theatre 2, William Gates Building
Kerberos is old technology — started over 15 years ago, and based on fundamentals first published almost 25 years ago. It first showed up in Windows as part of Windows 2000, and continues to be its central authentication technology. What could be interesting about it today?
21 May 16:15Emerging problems in digital evidence / Peter Sommer, CSRC/LSE
Lecture Theatre 2, William Gates Building
Computer Forensics is now over a decade old. While disk forensics operates at very high standards of evidence preservation and analysis, other forms of digital evidence do not. What standards should we expect and apply to the output of mainframe computers, or from complex systems, or to logs of intercepted network traffic? The search for answers requires us to look at the fundamentals of "forensic science" and how far its aims may be different from those of conventional scientific activity. "Proof" in the court-room is quite different from "scientific" proof; and engineering notions of "reliability" different again from "legal" reliability. We also need to understand some of the quirks of admissibility as well as the practicalities of what happens in the run up to a trial as well as in a trial itself.
14 May 16:15An advanced beginner's guide to frauds and scams and some countermeasures / Jack Lang, Computer Laboratory
Lecture Theatre 2, William Gates Building
Any security system needs to consider likely threats. This seminar is a brief introduction and survey of frauds and scams, with some remarks on simple, and often non-technical, common sense countermeasures that are so often neglected.
7 May 16:15Internet voting: fool's gold? / Jason Kitcat
Lecture Theatre 2, William Gates Building
Internet Voting has been hailed as a solution to the increasing malaise we are experiencing in politics and democratic engagement, especially among 'young people'. I'll be exploring:
- Why Internet Voting is unlikely to improve turnout.
- Why so many companies are trying to offer Internet Voting services and what sorts of security they're offering.
- How GNU.FREE differs from commercial Internet Voting solutions.
- Is secure and private Internet voting possible?
Finally I'll run through some issues of security perception versus reality and why using Free Software can help non-technical people trust technology.
30 April 16:15MIST: a randomised exponentiation algorithm for reducing side channel leakage / Colin Walter
Lecture Theatre 2, William Gates Building
Recent attacks using differential power analysis (DPA) have shown how good equipment and poor implementation might be applied to break a single use of RSA on a smart card. The attacks are based on recognising the re-use of operands in the standard square-and-multiply, m-ary or sliding windows exponentiation schemes. A new algorithm is presented which avoids such operand re-use and consequently provides much greater resistance to DPA. It is based on generating random addition chains. Unlike the easier process of generating addition/subtraction chains (which have been applied to ECC), the algorithm does not require the computation of an inverse, and so is also applicable to RSA.
The talk will concentrate on two aspects of the algorithm, namely its efficiency and its security against side channel leakage. The former establishes performance akin to that of 4-ary exponentiation. The latter will assume the attacker can distinguish between squares and multiplies, and perhaps recognise re-use of operands. Under such attacks, it still appears to be computationally infeasible to recover the secret exponent.
12 March 16:15Middleware security - current research and future work / Ulrich Lang, Computer Laboratory/ObjectSecurity Ltd.
Lecture Theatre 2, William Gates Building
This talk introduces a new middleware security model with access policies based on "resource descriptors". These are necessary because the available cryptographic identities only represent software entities at the middleware layer, not individual application-layer clients or targets. As a result, additional descriptors are needed to express fine-grained policies. Useful descriptors need to fulfil properties such as uniqueness and persistence. We obtain such descriptors through a mapping process from instance information to resource descriptors.
As part of the EU funded research project Component Based Open Source Architecture for Distributed Telecom Applications (COACH), we plan to implement and evaluate component based distributed systems (CORBA components and Enterprise Java Beans) for the telecommunications domain. This includes the design and implementation of a security architecture for these new requirements and provides opportunities for interested students and researchers to join the project.
19 February 16:15The challenges of international cybercrime investigations / Nigel Jones, National High-Tech Crime Training Centre
Lecture Theatre 2, William Gates Building
The use of technology by criminals is affecting, on an unprecedented scale, the ability of the police to fulfil their role in society. Almost any crime may now have a digital aspect, from the very simple distribution of illegal material to murder.
Nigel Jones has recently retired from the Kent Police Computer Crime Unit and is currently developing training programmes for cybercrime investigators and forensic computer analysts. He has been closely involved with the topic at a national level within ACPO and at an international level within European Commission high-tech crime discussions and those in the Lyon Group of the G8.
He will talk about what constitutes cybercrime and present some real life cases to show the type of difficulties that investigators encounter, including issues such as disclosure, forensic examination of seized computers, and the practical effects of the Human Rights Act on law enforcement's ability to conduct investigations. He will also discuss the issues of data retention and preservation, along with the challenges posed to law enforcement by EU data protection legislation.
The talk aims to show how working police officers are (sometimes) managing to gather evidence, despite all the challenges they face.
12 February 16:15Location privacy in the next generation internet / Alberto Escudero-Pascual, Royal Institute of Technology, Stockholm
Lecture Theatre 2, William Gates Building
The Internet was not engineered to preserve privacy and is rapidly becoming "the" communication network. European Union policies on data protection demand a better understanding of the tradeoffs between the benefits and privacy risks of new Internet technology.
Keeping location and traffic information as confidential as the transmitted data itself is a key provision of the new European regulatory framework for electronic communications infrastructure. The EU aims to adapt and update the existing Data Protection Directive to take into account new technologies and to empower users to control their personal information. However, it is not well understood how this policy and the underlying Internet technology can be brought into alignment. For example, the current IPv6 method of automatic device configuration results in a readily observable and recognizable identifier, even for a roaming user.
This talk will present a number of privacy threats in the next generation Internet and the ongoing efforts in the research community to handle them, focusing on RFC3041 and location privacy in (hierarchical) MobileIPv6.
29 January 16:15The psychology of identification / Graham Pike, Faculty of Social Sciences, The Open University
Lecture Theatre 2, William Gates Building
Humans have an extraordinary ability to recognise faces and can do so despite changes in viewing angle, lighting, age and hairstyle. This should make human operators very successful at detecting the fraudulent use of photo ID and credit cards, at recognising the perpetrator of a crime and at matching the face of a suspect to video surveillance footage.
However, psychological research has shown that we tend to make very inaccurate eyewitnesses and, more surprisingly, cannot even perform the simple matching tasks involved with checking photo-cards and identifying suspects from CCTV footage. This has led to the conclusion that we are good at processing 'familiar' faces and poor at processing 'unfamiliar' faces.
The current talk looks at the results of research that has examined face identification in a forensic setting and compares the ability of human operators to the specifications set down for computerised systems.
15 January 16:15Digital signatures - experiences and solutions regarding their use / Andreas Bertsch, SIZ - German Savings Banks IT Center
Seminar Room 3 (FW26), William Gates Building
Digital signatures are a basic technology for secure e-business, but only if the following issues are addressed, so that relying parties can trust in digitally signed statements.
One problem area is the validation of digital signatures. It cannot be guaranteed that the result is independent of the time of checking. Similarly, it is not clear whether the validity of digital signatures can be checked at any future time. Moreover, the delivery risks of digitally signed messages are not distributed according to the responsibilities of sender and recipient.
For these reasons, alternative and more comprehensive solutions are necessary. One area is to support that declarations of intent become binding at a point in time that is fair towards both the signer and the verifier.
This talk is based on problems and experiences with digital signatures analysed in the context of the German Digital Signature Act and Ordinance. It should be interesting to discuss some of these proposals in a European context.
2001
13 November 15:00Unlimited information -- opportunity or threat? / Paul Whitehouse, Chief Constable of Sussex 1993-2001
Seminar Room 3 (FW26), William Gates Building
As ever more people are connected to the Web so they have access to unlimited information. Is this a safeguard against the emergence of tyrants? Or a means by which democracies can be destroyed? How is the accuracy of information to be verified? How can the undoubted benefits of such widespread availability of information be prevented from serving as an equally effective platform for the criminally minded? Should we be overly concerned about this? How do we ensure that the information that is required gets to the right people at the right time, and is not buried in a mass of junk mail? The continually accelerating pace of change makes it imperative to set out the right principles on which to make decisions on these important questions as soon as possible.
30 October 16:15Advanced techniques for rapid localization of IC defects / Daniel L. Barton, Sandia National Labs
Seminar Room 3 (FW26), William Gates Building
In this talk we will describe the evolution of a suite of advanced failure analysis techniques used for rapid fault localization on integrated circuits. These techniques have evolved from the basic electron-beam induced current method from electron microscopy. Clever beam energy control led to the development of the resistive contrast imaging (RCI) technique. RCI proved very useful for evaluating the continuity of metal and poly interconnect layers. RCI was limited in that it provided information about all conductors, both good and bad. The need for rapid fault localization methods that return information from defective areas only led to further technique development. Modifications to the bias and amplification setup used for RCI led to the charge induced voltage alteration (CIVA) and the low beam energy, LECIVA, techniques. Like RCI, CIVA and LECIVA rely on an electron beam to stimulate the sample. Unlike RCI, they produce images by monitoring voltage changes across a constant current supply. This modification allows these techniques to produce images with content from the defective regions on integrated circuits only.
From these electron beam-based techniques, the optical beam equivalent, LIVA or light induced voltage alteration technique, was developed for scanning laser microscope use. LIVA differed from its electron beam counterparts only in the stimulus, i.e. the use of a scanned laser beam. LIVA relies on the generation of electron-hole pairs and requires the use of wavelengths less than 1100 nm. LIVA produces images similar to CIVA and LECIVA except that the conductor fan-out network is not visible; only diffusions connected to open conductors appear in the images. The thermally induced voltage alteration (TIVA) and Seebeck effect imaging (SEI) techniques solve this problem by using longer wavelength lasers where electron-hole pairs are not generated. TIVA and SEI use a thermal stimulus with the same basic bias method used in the original CIVA technique.
TIVA, LIVA, and SEI have the ability to be used from the front or backside of the die. We will describe the physics behind each technique and demonstrate their applications through examples.
23 October 16:15 Verification of SET: the purchase phase / Larry Paulson, Computer Laboratory
Seminar Room 3 (FW26), William Gates Building
Past work on protocol verification has largely focused on simple protocols from the academic world. SET is a huge protocol devised by Visa and Mastercard for Internet shopping. It aims to protect both cardholders and merchants from fraud. Protocol participants must first register with their bank, which (after making suitable checks) will provide them with electronic credentials. Customers don't give their credit card numbers directly, but instead give these credentials to the merchant to prove their honesty. The merchant presents similar credentials to the customer. For payment, the customer's account details are passed to the merchant's bank, but not to the merchant himself.
The initial registration phase could in principle be simple. Unfortunately, complex mechanisms (e.g. digital envelopes) and unnecessary encryption complicate the proofs. The talk gives a very high-level overview of the SET protocol and then shows a few details of the proofs of its registration and payment phases.
9 October 16:15 Electronic commerce -- some security aspects / Peter Landrock, Aarhus University and Cryptomathic
Seminar Room 2 (FW09), William Gates Building
Electronic Commerce is about Commerce. "Electronic" is only to speed up matters and thus increase the profit. But to some (in fact, most) security experts, the focus is on "Electronic" rather than "Commerce", which is only an excuse to build "very secure" systems. As a result, most systems available today are too cumbersome (e.g. SET), and if we are not careful, we may never find an appropriate route forward. In the talk, we will exhibit a number of bad designs, including PGP, and explain how we think EC should be implemented.
Michaelmas Term 2001: starting October 2001, the security seminar series takes place in the new Computer Laboratory building in West Cambridge.
12 June 16:15 Information security and economics / Ross Anderson, University of Cambridge
Room TP4, Computer Laboratory
Buggy software, buggy networks and buggy people make even the most carefully designed systems and processes vulnerable. Yet many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons. Information security is about power: at the technical level it is about controlling who may use which resource and how, while at the level of business strategy it is increasingly about raising barriers to trade, segmenting markets and differentiating products. Often insecurity is welcome; for example, it may foster economic growth by making monopolies harder to defend.
5 June 16:15 A low-cost hardware birthday attack on DES / Mike Bond, Richard Clayton, University of Cambridge
Room TP4, Computer Laboratory
A brute force attack on DES has been proven to be within reach of corporations and organised crime since the EFF created the DES Cracker machine in 1998. In this talk we aim to show just how high up the brute force ladder a single individual, of modest means, can climb.
29 May 16:15 Malice within communications technology / Richard Lines, Stork Ltd
Room TP4, Computer Laboratory
Technology deployed in the mobile telecoms industry in recent years has been designed to protect networks and customers from fraud risk. The truth is that fraud has not been defeated by technology, quite the reverse. Those measures specifically designed to thwart criminals have often been used to perpetrate fraud. The reason for this is a lack of understanding of the nature of fraud and those who commit it. Internal fraud is the greatest risk that any commercial enterprise faces and those based upon technology are the most vulnerable of all. This talk will examine some of the types of internal fraud which are commonly experienced and attempt to explain them using some brief examples from the speaker's own experience as well as suggesting ways in which some of the wrongs may be righted.
22 May 16:15 Security for the mobile internet / Michael Roe, Microsoft Research
Room TP4, Computer Laboratory
In version 4 of the Internet protocol, an IP "address" was used to identify both a computer and the point at which that computer was connected to the network. This is acceptable when the computer's point of connection never changes, but might become a problem when computers are mobile. The IETF is proposing a change to the Internet Protocol which allows a host's address to change over time. The last draft of the proposal was rejected as unacceptable because it introduced too many security problems. We present a cryptographic protocol which is intended to reduce these security problems to a manageable level.
16 May 16:15 Unconditional security in cryptography: was Shannon too pessimistic? / Ivan Damgaard, University of Aarhus
Babbage Lecture Theatre, Computer Laboratory
Unconditionally secure communication means that even an infinitely powerful adversary cannot break the confidentiality nor the authenticity of the system. Classical results by Shannon dating back some 50 years seem to imply that unconditionally secure solutions are doomed to being impractical, if not impossible. However, in recent years, new research has shown that these results were based on rather pessimistic assumptions on the amount of information available to an adversary. It turns out that in many practical scenarios, these assumptions are not satisfied, e.g., when communication is noisy, in large networks where not all nodes can be hacked into, or when quantum communication is used. In all these settings, unconditional particular emphasis on quantum communication.
1 May 16:15 Sequential tracing and its applications / Reihaneh Safavi-Naini, University of Wollongong
Room TP4, Computer Laboratory
In a pay-TV broadcast, an authorised user may decrypt the content and re-broadcast it. In Crypto 99, Fiat and Tassa proposed dynamic tracing schemes that can trace a group of colluders who attempt to re-broadcast the content. We show an attack on their scheme and propose a new tracing scheme, called sequential tracing scheme, that can capture all colluders and minimises real-time computation. We show application of this scheme to fingerprinting digital content.
11 April 16:15 Information system security, casino style / Jim Litchko, Litchko and Associates
Room TP4, Computer Laboratory
How much difference is there between gaming cheats and hackers? Not much, so why should the methods of protection and detection differ? This presentation provides a practitioner's review of how cheating in casinos and attacking information systems are similar. Using past posting, cool decks, chip cups, palming, card counting and mini-cam techniques, the presenter will illustrate how hackers attack systems using Back Orifice, Trojan horses, shoulder surfing, social engineering, and lead referral methods. Finally, the presenter will explain how time-proven casino protection and detection techniques reduce the risk in casinos, and how similar techniques can be used in providing effective information systems security. Additionally, he will talk about how new knowledge-base and device agent technologies are being used to improve the central management of enterprise security devices.
6 March 16:15 Embedding attacks on clock-controlled sequence generators / Bill Chambers, Kings College London
Room TP4, Computer Laboratory
I shall describe a number of attacks proposed recently on simple binary clock-controlled sequence generators, where one linear-feedback shift register determines the clocking of another shift register which produces the output. (The connection polynomials are assumed known.) In particular I shall consider the step[1..D] generator, the shrinking generator, and the closely related alternating-step generator. The basic idea is to find out where and with what frequency or probability the output binary sequence can be embedded in the sequence produced by the clock-controlled shift register. After describing methods for finding the most likely places for the embedding, I then examine ways of finding 'a posteriori' probabilities for the bits in the clocking sequence, and hence making possible fast correlation attacks on the control shift register.
27 February 16:15 Cryptographic protocol analysis via strand spaces / Joshua Guttman, The MITRE Corporation
Room TP4, Computer Laboratory
Strand spaces are a Dolev-Yao style model of cryptographic protocol execution. They are intended to retain the minimal information compatible with the goal of providing reliable proofs of authentication and secrecy properties where they hold, and counterexamples where they do not. Strand spaces have been used as the basis for numerous results, by our group and others.
20 February 16:15 Ponder: a language for specifying security and management policies for distributed systems / Morris Sloman and Emil Lupu, Imperial College, London
Room TP4, Computer Laboratory
This seminar describes Ponder - a new declarative, object-oriented language for specifying policies for security and management of distributed systems. The language includes constructs for authorisation policies defining permitted actions; event triggered obligation policies specifying actions to be performed by manager agents; refrain policies specifying actions that subjects must refrain from performing; delegation policies defining what authorisations can be delegated and to whom. Filtered actions extend authorisations to define transformation of input or output parameters. Constraints specify limitations on the applicability of policies based on time or object state. Roles group the policies relating to a position in an organisation. A management structure defines a configuration of role instances as well as the relationship between roles. These concepts can be used to model roles, rights and duties relating to organisational patterns which occur in many large enterprises.
13 February 16:15 Attacks on cryptoprocessor transaction sets / Mike Bond, University of Cambridge
Room TP4, Computer Laboratory
Attacks are presented on the IBM 4758 CCA (the first ever security module to have achieved all-round FIPS 140-1 Level 4 certification) and the Visa Security Module. Two new attack principles are demonstrated. Related key attacks use known or chosen differences between two cryptographic keys. Data protected with one key can then be abused by manipulation using the other key. Meet in the middle attacks work by generating a large number of unknown keys of the same type, thus reducing the key space that must be searched to discover the value of one of the keys in the type. Design heuristics are presented to avoid these attacks and other common errors.
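The meet-in-the-middle principle described above, and the "how far up the brute force ladder" question in the 5 June entry on DES, both rest on one counting argument: an attacker who holds test vectors for n keys of the same type expects to hit one of them after about 2^k/n trial encryptions instead of the 2^(k-1) needed for a single target. The following is an added example, not code from either talk, that runs that argument on a constructed 20-bit key space with a hash-based stand-in for the cipher. The test pattern, the key size, the seed and all function names are assumptions of this example.

```python
import hashlib
import random

KEY_BITS = 20                          # toy key space (DES has 56 bits; same argument)
BLOCK_BYTES = 8
TEST_PATTERN = b"\x00" * BLOCK_BYTES   # known plaintext the HSM encrypts under every key


def toy_encrypt(key, block):
    """Keyed one-way function standing in for a block cipher (constructed for
    the example; the counting argument does not depend on the cipher)."""
    return hashlib.sha256(key.to_bytes(4, "big") + block).digest()[:BLOCK_BYTES]


def generate_targets(n_keys, seed=7):
    """Victim side: n distinct random keys of one type, each exposed only as
    the encryption of the test pattern. Returns test_vector -> key; the
    attacker is handed only the test vectors (the dict's keys)."""
    rng = random.Random(seed)
    keys = rng.sample(range(1 << KEY_BITS), n_keys)
    return {toy_encrypt(k, TEST_PATTERN): k for k in keys}


def brute_force_any(test_vectors):
    """Attacker side: enumerate candidate keys in order and stop at the first
    one whose test vector matches ANY of the n targets. Returns (key, trials)."""
    trials = 0
    for cand in range(1 << KEY_BITS):
        trials += 1
        if toy_encrypt(cand, TEST_PATTERN) in test_vectors:
            return cand, trials
    return None, trials


def attack_summary(n_keys, seed=7):
    """Run one attack and report the work done next to the expected values."""
    targets = generate_targets(n_keys, seed)
    key, trials = brute_force_any(set(targets))
    assert targets[toy_encrypt(key, TEST_PATTERN)] == key   # a genuine key was recovered
    return {
        "recovered_key": key,
        "trials": trials,
        "expected_trials": (1 << KEY_BITS) // n_keys,       # about 2^k / n
        "single_key_expected": 1 << (KEY_BITS - 1),         # about 2^(k-1) for one target
    }


if __name__ == "__main__":
    for n in (1, 64, 1024):
        print(n, attack_summary(n))
```

The work falls linearly with the number of keys the attacker can cause to exist, which is why a transaction set that lets a caller mint many keys of a type, and encrypt a known value under each, hands out most of the brute-force effort for free.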
6 February 16:15 Low temperature data remanence in static RAM / Sergei Skorobogatov, University of Cambridge
Room TP4, Computer Laboratory
Security processors typically store secret key material in static RAM, from which power is removed if the device is tampered with. It is commonly believed that, at temperatures below -20°C, the contents of SRAM can be `frozen'; therefore, many devices treat temperatures below this threshold as tampering events. We have done some experiments to establish the temperature dependency of data retention time in modern SRAM devices. Our experiments show that the conventional wisdom no longer holds.
30 January 16:15 Membership management for ad-hoc groups / Tuomas Aura, Microsoft Research
Room TP4, Computer Laboratory
We present an architecture for creating groups, managing their membership and proving membership in ad-hoc networks. Ad-hoc networks are formed on demand without support from pre-existing infrastructure such as central servers, security associations or PKI. The networks must continue functioning - as securely as possible - even when communication between the network nodes is only occasional and nodes unexpectedly fail or leave the network. Our architecture is based on key-oriented public-key certificates. (This is based on joint work with Silja Maki and Maarit Hietalahti, and it was funded by the Finnish defense forces.)
23 January 16:15 On message integrity in symmetric encryption / Virgil Gligor, University of Maryland
Room TP4, Computer Laboratory
TBA
18 January 11:00 Architectural support for copy and tamper resistant software (at 11:00am) / Chandramohan Thekkath, Compaq SRC / Stanford
Room TP4, Computer Laboratory
Implementing copy protection on software is a difficult problem that has resisted a satisfactory solution for many years. This paper proposes a set of features that allows a machine to execute XOM code: code where neither the instructions nor the data are visible to entities outside the running process. To support XOM code we use a machine that supports internal compartments, where a process in one compartment cannot read data from another compartment. All data that leaves the machine is encrypted, since we assume secure compartments cannot be guaranteed by anything outside the machine. The design of this machine poses some interesting trade-offs between security, efficiency and flexibility. We explore some of the potential security issues as one pushes the machine to become more efficient and flexible. Our analysis indicates that, while not cheap, it is possible to create a normal multi-tasking machine where nearly all applications can be run in XOM mode.
2000
29 November 16:15 Model checking security properties of cryptographic protocols / Marcelo Fiore, University of Cambridge
Babbage Lecture Theatre
I will consider the problem of automatically verifying cryptographic protocols. In particular, I will present an algorithm that, given a finite process describing a protocol in a hostile environment, computes a model in which security and authentication properties can be checked. This algorithm, I hope, will serve as the basis for a verification tool.
21 November 16:15 A nested mutual authentication protocol / Dave Otway, Citrix Research
Room TP4, Computer Laboratory
This authentication protocol is a generalisation of the Otway-Rees protocol in which the common challenge is replaced by component nesting so that it can be applied to object-based, client-server chains involving any number of objects and principals. Each object in a chain, whether acting in a client or server role, handles authentication with its neighbours, without any need to be aware of the resultant global behaviour. Session keys are returned by an authentication server which services a client-server chain as a whole: nested requests are built along the forward chain; the final server presents the whole package to the authentication server; and nested responses containing session keys are delivered back down the chain.
15 November 16:15 Locality, independence and linearity / Glynn Winskel, Cambridge University
Babbage Lecture Theatre, New Museums Site
Starting with a process language for cryptographic protocols and a semantics designed to support reasoning about secrecy and authentication, I'll illustrate the roles of locality, independence and linearity in understanding and reasoning about distributed processes. This will lead on to a sketch of the broader research interests of myself and students.
14 November 16:15 Living with RIP / Charles Lindsay, University of Manchester
Room TP4, Computer Laboratory
The passage of the Regulation of Investigatory Powers Act through parliament was the occasion of much controversy, especially as regards its provisions relating to cryptography. It appeared that it breached the European Convention on Human Rights at many points, and that the possibility of having their private keys seized would drive many E-commerce businesses overseas. In the event, the Act was amended to mitigate the worst excesses, with the simultaneous introduction of much window dressing. Nevertheless, many lesser problems remain, which may or may not be addressed in the Code of Practice. Since the implementation of that part of the Act has now been postponed for a year, we may have to wait some considerable time before the full picture becomes clear.
7 November 16:15 Security attributes in CORBA / Ulrich Lang, University of Cambridge
Room TP4, Computer Laboratory
This talk discusses the difficulties of describing an appropriate notion of the security attributes 'caller' and 'target' in object-oriented middleware systems such as CORBA.
31 October 16:15 Practical traceability 101 / Richard Clayton, University of Cambridge
Room TP4, Computer Laboratory
The Internet and its protocols provide methods by which it is possible to locate the person or machine responsible for a particular action. In many ways, "traceability" should be seen as the opposite of "anonymity".
24 October 16:15 Auctions over anonymous networks / George Danezis, University of Cambridge
Room TP4, Computer Laboratory
The most popular way to attack protocols that provide anonymity to the participants is to use the provided anonymity to cheat. It is then very difficult to trace the cheaters and special mechanisms must be present in the protocols to help with that task. We will discuss the example of anonymous auctions and the various ways participants can cheat. We will refine the proposed protocols to support "identity escrow", so that the identity of the cheaters can be revealed, by a third party, if the protocol has not been followed.
17 October 16:15 Two new signature schemes / Ron Rivest, MIT
Room TP4, Computer Laboratory
We describe two new signature schemes with interesting algebraic properties.
10 October 16:15 Do we have enough accidents? / John Adams, University College London
Room TP4, Computer Laboratory
Risk management is often done badly. Directly perceptible risks are dealt with instinctively and intuitively, but when the science is inconclusive people are liberated to argue from pre-established beliefs, convictions and prejudices. When unconfirmed hypotheses - `virtual risks' - get mistaken for risks about which science has clear and useful advice to offer, much confusion results.
3 October 16:15 The XenoService - a distributed defeat for distributed denial of service / Jianxin Yan, Stephen Early, University of Cambridge
Room TP4, Computer Laboratory
Distributed Denial of Service attacks have become a serious problem since the second half of 1999. They are a manifestation of what economists call the `tragedy of the commons': while everyone may have an interest in protecting a shared resource (Internet security), individuals have a stronger motive to cheat (connecting insecure computers). So we doubt that some of the proposed technical countermeasures will work, as they take insufficient account of economic forces. In this talk, we discuss the XenoService, a possible remedy.
27 June 16:15 Telecomms fraud - no 'them' and 'us' any more / Richard Cox, Mandarin Technology
Room TP4, Computer Laboratory
Once upon a time there was the GPO, who were required by law to run all the Nation's communications - be they written, telegraph or voice. Fraud was easy to perpetrate in those days because of the somewhat crude methods used to control the switched network. Nowadays BT, who inherited the role the GPO held as the provider of Universal Service for telephony and telex, are but one of over 200 licensed network operators: and all of these are to some extent at risk of becoming victims of fraud.
23 June 13:00 Information warfare in the 21st century / Whitfield Diffie
Room TP4, Computer Laboratory
The early years of the 21st century will be dominated by explosive expansion of communications. The bandwidth, flexibility (particularly mobility), and range of services available will support an electronic commerce to which the current hype cannot do justice. Society's resulting dependence on this resource will make it the target of first resort in future conflicts, continuing the 20th century trend toward involvement of civilian populations.
20 June 16:15 Revisiting protocol modelling / Susan Pancho, Computer Laboratory
Room TP4, Computer Laboratory
Most of the existing work on security protocol analysis concentrates on finding guarantees of correctness. In some cases, analysis using one tool may find a "new" flaw that was not detected by another tool. Such results are sometimes attributed to the use of more rigorous tools.
13 June 16:15 Mimesis - operating system support for confined execution environments / Stephen Early, Computer Laboratory
Room TP4, Computer Laboratory
Any program can create an environment in which to run another program, controlling every aspect of its operation. Trivially, but inefficiently, this can be done by binary emulation. More usefully, most current processors provide sufficient support for confined programs to be executed natively.
6 June 16:15 Electronic commerce: who carries the risk of fraud? / Ian Brown, University College, London
Room TP4, Computer Laboratory
`Non-repudiation' is a favourite buzzword in e-commerce discussions, and a major part of much new digital signature legislation. But its use outside its original security context is riven with problems. This talk looks at the technical, usability, and legal difficulties associated with non-repudiation in the real world, and their effect on the allocation of risk in e-commerce. Banks have successfully moved the risk of online credit card transactions to merchants. Can they shift banking risk to consumers so easily?
2 June 16:00 Security in an international electronic payment system (4pm) / Marijke De Soete, Europay International
Room TP4, Computer Laboratory
Europay is an international payment scheme with over 220 million cards licensing the brands Maestro, Cirrus, Eurocard and Eurocheque. It is currently migrating its magstripe-card based system to chipcard technology. The talk will highlight the security architecture of the new debit-credit system which is based on the so-called EMV (Europay-Mastercard-Visa) specifications. Furthermore the PKI will be presented which supports the offline chipcard authentication method.
30 May 16:15 How the credit card system *really* works / Alan Solomon
Room TP4, Computer Laboratory
Credit cards are the currency of the internet. But they aren't greasing the axles of commerce, because they weren't designed for customer-not-present.
9 May 16:15 Hardware security modules in electronic commerce / Nicko van Someren, nCipher
Room TP4, Computer Laboratory
In this talk we will look at the cryptographic requirements for electronic commerce and how hardware security modules (HSMs) can help address these needs. We will examine the threat models and security policies commonplace in e-commerce and we will look at how various types of HSMs can help. We will then look at how existing HSMs could be improved to provide more secure solutions in the future.
14 March The clash between users' and security departments' perceptions / Anne Adams, Middlesex University
7 March 17:00 Codebreaking in the cold war / Christopher Andrew, University of Cambridge
Hopkinson Lecture Theatre, Computer Laboratory
No history of the Second World War nowadays fails to mention the important role of signals intelligence (SIGINT). By contrast, SIGINT is entirely absent from most studies of the Cold War. Newly declassified material in the West, as well as highly classified material exfiltrated from KGB archives by Vasili Mitrokhin, shows, however, that SIGINT continued to play a major role. The KGB supplied the Soviet leadership throughout the Cold War with far more high-grade diplomatic SIGINT (including decrypts from major NATO governments) than they could possibly read. In many cases agent penetration was able to resolve the problems caused by the increasing complexity of cipher systems. Among the revelations in recently declassified Western SIGINT is the identification of a Cambridge scientist as the youngest major spy of the twentieth century.
29 February 16:15 SENSS Bruce - developing a tool for secure bulk systems integrity-checking / Alec Muffett, Sun Professional Services
Room TP4, Computer Laboratory
`SENSS Bruce' is a new security tool, being made available for free by Sun Microsystems, under the terms of the Sun Community Source License. Bruce provides a high-integrity, highly-trustworthy, hierarchical and scalable framework for pro-active security/integrity checking on a network-wide basis. This presentation will describe Bruce's design, functionality, and cover the benefits and weaknesses of Java, which was used as the platform for implementing Bruce.
15 February 16:15 Distributed authorisation for enterprises / Vijay Varadharajan, Microsoft Research
Room TP4, Computer Laboratory
As organisations migrate to a distributed computing environment, the administration of security policies, in particular authorisation policies, becomes increasingly important. In this talk, we will consider some issues involved in the design of an authorisation system for distributed systems. We will discuss some of the architectural principles involved and consider an authorisation policy language and give some examples of policy specifications. We will conclude the talk by looking at some further work in this area.
8 February 16:15 The shadow of your soul / Alastair Kelman, LSE
Room TP4, Computer Laboratory
The term `data shadow' covers the concept that combining different types of records (toll records, credit records, bank records, health records etc) can elicit additional information, a data shadow, which can track the life of an individual. Now in 2030 our society is managed in every aspect by shadow watching - said to be `the most significant tool for the maintenance of law and order by the European army and for the selling of Government services' (Prime Minister Sir Chris Evans Guildhall speech - January 2029 ).
8 February 14:00 Secure and selective dissemination of XML documents / Elisa Bertino, Università degli Studi di Milano
Microsoft Research, Cambridge
XML (eXtensible Markup Language) has emerged as a relevant standard for document representation and exchange on the Web. It is often the case that XML documents contain information of different sensitivity degrees, which must be selectively shared by (possibly large) user communities. There is thus the need for models and mechanisms enabling the specification and enforcement of access control policies for XML documents. Mechanisms are also required enabling a secure and selective dissemination of documents to users, according to the authorizations that these users have. In this talk, we first define a model of access control policies for XML documents. Policies that can be defined in our model take into account both user profiles, and document contents and structures. We also describe an approach, which essentially allows one to send the same document to all users, and yet to enforce the stated access control policies. Our approach consists of encrypting different portions of the same document according to different encryption keys, and selectively distributing these keys to the various users according to the access control policies. We show that the number of encryption keys that have to be generated under our approach is minimal.
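The mechanism the abstract describes, one document for everyone with each sensitive portion encrypted under a key that only the authorised readers receive, and no more keys than there are distinct reader sets, is small enough to show end to end. What follows is an added example, not the speaker's system: the sample document, the element-level policy, the user names and the key-id attribute are constructed here, and the cipher is a hash-keystream-plus-HMAC stand-in for a real authenticated cipher so that it runs with the standard library only.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed sample document and policy: which users may read which element.
# Elements not named in the policy are sent in clear.
SAMPLE_XML = """<record id="42">
  <public>Quarterly press release</public>
  <finance>Revenue 12.3M, margin 18%</finance>
  <legal>Pending litigation: case 17</legal>
  <hr>Salary band: 7</hr>
</record>"""

POLICY = {
    "public":  {"alice", "bob", "carol"},
    "finance": {"alice", "bob"},
    "legal":   {"alice", "bob"},
    "hr":      {"alice"},
}


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption (stand-in for AES-GCM): keystream XOR,
    then an HMAC tag over nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None                       # wrong key or tampered portion
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def access_classes(policy):
    """Group elements by their authorised user set: one key per class suffices,
    and no smaller number of keys can separate the classes."""
    classes = {}
    for elem, users in policy.items():
        classes.setdefault(frozenset(users), []).append(elem)
    return classes


def publish(xml_text, policy):
    """Encrypt each policed element once under its class key. Returns the single
    document to broadcast plus a per-user key ring (key id -> key) that covers
    exactly the classes the user belongs to."""
    root = ET.fromstring(xml_text)
    keyrings = {}
    for kid, (users, elems) in enumerate(access_classes(policy).items()):
        key = os.urandom(32)
        for user in users:
            keyrings.setdefault(user, {})[str(kid)] = key
        for name in elems:
            elem = root.find(name)
            elem.text = base64.b64encode(seal(key, elem.text.encode())).decode()
            elem.set("keyid", str(kid))
    return ET.tostring(root, encoding="unicode"), keyrings


def view(xml_text, keyring):
    """What one recipient recovers from the common document: plaintext for the
    portions whose key they hold, None for the rest."""
    root = ET.fromstring(xml_text)
    result = {}
    for elem in root:
        kid = elem.get("keyid")
        if kid is None:
            result[elem.tag] = elem.text
            continue
        key = keyring.get(kid)
        pt = open_sealed(key, base64.b64decode(elem.text)) if key else None
        result[elem.tag] = pt.decode() if pt is not None else None
    return result
```

With this policy the four elements fall into three access classes ({alice, bob, carol}, {alice, bob}, {alice}), so three keys are generated rather than four; bob receives two of them and can read finance and legal but not hr, carol receives one and sees only the public element.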
1 February 16:15 The interaction between fault tolerance and security / Geraint Price, CCSR University of Cambridge
Room TP4, Computer Laboratory
Most existing work which merges Fault Tolerance into Security concentrates on using fault tolerance as a means of bolstering a server's resilience to external attack. The most notable of this work is carried out by Reiter on Rampart.
1999
7 December 16:15 Authentication primitives and their compilation / Cedric Fournet, Microsoft Research
Room TP4, Computer Laboratory
Adopting a programming-language perspective, we study the problem of implementing authentication in a distributed system. We define a process calculus with constructs for authentication and show how this calculus can be translated to a lower-level language using marshalling, multiplexing, and cryptographic protocols. Authentication serves for identity-based security in the source language and enables simplifications in the translation. We reason about correctness relying on the concepts of observational equivalence. (This is joint work with Martin Abadi and Georges Gonthier)
30 November What are principals? / Dieter Gollmann, Microsoft Research
23 November 16:15 Secure reachability management in mobile communications / Kai Rannenberg, Microsoft Research
Room TP4, Computer Laboratory
The increased technical availability provided by mobile communication necessitates support for users so that they can control their personal reachability (personal reachability management). This talk reports on a PDA and mobile phone based prototype functioning primarily as a reachability manager to avoid annoying calls and overcome the CallerID problem. Its core functionality is to enable parties to negotiate, e.g. the urgency of a telephone call, and by that maintain security that respects the interests of all involved parties (multilateral security).
2 November 16:15 The factorisation of RSA-155 / Paul Leyland, Microsoft Research
Room TP4, Computer Laboratory
The RSA cryptosystem is very widely used. A particularly visible application is to protect and authenticate e-commerce transactions and it has been estimated that about 95% of all web-based e-commerce uses 512-bit RSA keys. As the security of RSA is no better than the difficulty of factoring a key's public modulus, progress in integer factorisation directly measures the security of RSA keys of any particular size.
19 October 16:15 Verifying security protocols based on smart cards / Giampaolo Bella, Cambridge University
Room TP4, Computer Laboratory
Smart cards can be formalised realistically within Paulson's inductive approach for security protocols. The cards can be stolen and/or cracked by an eavesdropper. The kernel of their built-in algorithm works correctly, so they can't be used as oracles, but their I/O interface doesn't, so they send correct outputs unreliably.
12 October 15:00 Elliptic curves in cryptography / Nigel Smart, Hewlett-Packard Laboratories
Microsoft Research Ltd, St George House, 1 Guildhall Street, Cambridge.
Doors will be open between 2.45pm and 3.15pm
In the past few years elliptic curve cryptography has moved from a fringe activity to a major challenger to the dominant RSA/DSA systems. Elliptic curves offer major advances on older systems such as increased speed, less memory and smaller key sizes. As digital signatures become more and more important in the commercial world the use of elliptic curve-based signatures will become all pervasive.
20 July 16:15 Model checking to verify computer security policies / Robert Watson, TIS/Carnegie Mellon University
Room TP4, Computer Laboratory
Model checking is a method of formally verifying properties of finite state machines. By describing operating system structure and system authorization policies using finite state machines, model checking may be used to verify useful properties of policies, improving the chances of developing a secure system. The technique is demonstrated on authorization systems from an Active Network, and from a simplified UNIX-like environment.
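An added illustration of the approach, not the speaker's model: a toy authorisation policy for a simplified UNIX-like system, encoded as a finite state machine and searched exhaustively for any reachable state in which the unprivileged user can write the password file. The file names, the three operations (chmod, chown, exec) and the two policy knobs, a give-away chown and whether chown strips the setuid bit as Unix kernels do, are constructed for this example. The search is plain breadth-first reachability, which on a state space this small is the whole of model checking a safety property.

```python
from collections import deque

USERS = ("alice", "root")
FLAG_SETS = (frozenset(), frozenset("x"), frozenset("s"), frozenset("xs"))  # x: exec, s: setuid


def initial_state():
    """(effective uid of the attacker, files as (name, owner, flags))."""
    files = (("/etc/passwd", "root", frozenset()),
             ("/home/alice/tool", "alice", frozenset()))
    return ("alice", files)


def _set_file(files, name, owner, flags):
    return tuple((n, owner, flags) if n == name else (n, o, f) for n, o, f in files)


def successors(state, policy):
    """Every operation the attacker (alice) may attempt, as permitted by the policy."""
    euid, files = state
    for name, owner, flags in files:
        if euid == "root" or euid == owner:                      # owner may chmod
            for new_flags in FLAG_SETS:
                yield (("chmod", name, "".join(sorted(new_flags))),
                       (euid, _set_file(files, name, owner, new_flags)))
        for new_owner in USERS:                                  # chown
            allowed = euid == "root" or (policy["giveaway_chown"] and euid == owner)
            if allowed and new_owner != owner:
                kept = flags - {"s"} if policy["chown_clears_setuid"] else flags
                yield (("chown", name, new_owner),
                       (euid, _set_file(files, name, new_owner, kept)))
        if "x" in flags:                                         # exec: setuid switches euid
            new_euid = owner if "s" in flags else euid
            yield (("exec", name), (new_euid, files))


def violates(state):
    """Safety property: alice must never be able to write /etc/passwd."""
    euid, files = state
    return any(n == "/etc/passwd" and (euid == "root" or euid == o) for n, o, _ in files)


def check(policy):
    """Breadth-first reachability; returns the shortest violating trace or None."""
    start = initial_state()
    seen = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if violates(s):
            trace = []
            while seen[s] is not None:
                op, s = seen[s]
                trace.append(op)
            return list(reversed(trace))
        for op, t in successors(s, policy):
            if t not in seen:
                seen[t] = (op, s)
                queue.append(t)
    return None


if __name__ == "__main__":
    print(check({"giveaway_chown": True, "chown_clears_setuid": False}))
    print(check({"giveaway_chown": True, "chown_clears_setuid": True}))
```

With give-away chown and a chown that keeps the setuid bit, the checker returns the three-step trace chmod(tool, sx), chown(tool, root), exec(tool): alice marks her own program setuid, hands it to root, and runs it. Either stripping the bit on chown or restricting chown to root makes the violating state unreachable and the checker returns None.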
15 June 16:15 Using NT to handle classified information / Simon Wiseman, DERA, Malvern
Room TP4, Computer Laboratory
Modern interconnected computer systems handling classified information can be built using Windows NT. The architecture provides each user with a private desktop in which to work, along with services for sharing data. Within a desktop, the user is helped to attach security labels to their data. When data is shared, labelling prevents accidental compromise, but other measures defend against other forms of compromise.
8 June 16:15 Algebraic properties of encryption and the verification of authentication protocols / Katherine Easthaughffe, University of Cambridge
Room TP4, Computer Laboratory
Most approaches to formal verification of authentication protocols assume encryption to have the property that parts of a message cannot be extracted without knowledge of the encrypting key. In practice, implementations are not perfect in this sense and the correctness of a protocol may depend on the algebraic properties of encryption.
25 May 16:15 The cocaine auction protocol / Francesco Stajano, University of Cambridge
Room TP4, Computer Laboratory
Traditionally, cryptographic protocols are described in terms of a sequence of steps, each of which sees one principal sending a message to another principal. It is implicitly assumed that the fundamental communication primitive is necessarily one-to-one and protocols addressing anonymity tend to resort to a highly redundant composition of multiple elementary transmissions in order to frustrate traffic analysis. This talk, building on the case study of an anonymous auction between mistrustful principals with no trusted arbitrator, presents "anonymous broadcast" as a new protocol building block. This lower-level primitive is, in its class of cases, a more accurate model of what actually happens in local area networking and, with certain restrictions, can be used as a particularly efficient implementation technique for many anonymity-related protocols.
18 May 16:15 On integrity-aware symmetric encryption schemes / Virgil Gligor, University of Maryland
Room TP4, Computer Laboratory
A large variety of encryption schemes, or modes, have been proposed to date, and some of these are known to be secure against adaptive, chosen-plaintext attacks. In this presentation, I define a joint condition on any such secure scheme and any high-performance Manipulation Detection Code (hpMDC) function, such as XOR, CRC-32, modular addition, or simply a constant, to counter adaptive chosen-message attacks, namely both adaptive chosen-plaintext and chosen-ciphertext attacks, that lead to message forgeries. I also illustrate two applications of the joint condition in practice, namely (1) the design of fast encryption-with-integrity schemes and (2) the optimal selection of a hpMDC function for a given encryption scheme.
11 May 16:15 Multi-grade cryptography for integer factorisation based cryptosystems / Wenbo Mao, Hewlett-Packard Laboratories
Room TP4, Computer Laboratory
Rivest suggested the idea of multi-grade cryptography, which lets a cryptosystem present multiple levels of security under different circumstances. For instance, to an external law enforcement agent, the cryptosystems of the users in an organisation might show a high level of security (e.g., equivalent to a 64-bit key-search). Once this high-level security "shell" is broken with a non-trivial effort, each user's key becomes an easier computational problem (e.g., 40-bit key-search). To any other parties who cannot afford to break the shell, user security is an intractable problem. An important point in multi-grade cryptography is that the external law enforcement agent should only need to break an organisation's shell once.
5 May On the security analysis of symmetric encryption schemes / Virgil Gligor, University of Maryland
4 May Penetration analysis methods and tools / Virgil Gligor, University of Maryland
23 February 16:15 Delegation of responsibility / Bruno Crispo, University of Cambridge
Room TP4, Computer Laboratory
Let us consider the case of the company president who delegates the power to sign certain documents to her secretary. If the president never cheats, then many existing mechanisms are sufficient to implement this. But what if the president suddenly announces that her secretary has been sacked because of a mistake in a very important document? It may well be that the secretary did not make a mistake: but with almost all the existing mechanisms, she has no way of demonstrating that it was the president, and not she, who created or authorised the disputed document.
22 February 11:30 The IBM 4758 secure cryptographic coprocessor hardware architecture and physical security / Steve Weingart, IBM
Room TP4, Computer Laboratory
IBM has been working in the field of Secure Cryptographic Coprocessors since the early 1980's. This talk will briefly discuss the history of IBM's efforts, then go on to discuss the hardware architecture and the physical security design.
The hardware architecture will be shown from a performance standpoint, discussing the ideas that worked and the ones that didn't.
The physical security design was the first ever to be validated at FIPS 140-1 level 4. The principles of the design will be described and the manufacturing implications will be discussed.
22 February 10:00 Computer subsystems: a survey of attacks and defenses / Steve Weingart, IBM
Room TP4, Computer Laboratory
As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely. This technology requires constant review and improvement, just as other competitive technologies need review to stay at the leading edge.
This talk describes known physical attacks ranging from simple attacks which require little skill or resource, to complex attacks which require trained, technical people and considerable resources. Physical security methods to deter or prevent these attacks are presented. The intent is to match protection methods with the attack methods in terms of complexity and cost. In this way cost effective protection can be produced across a wide range of systems and needs.
Specific technical mechanisms now in use will be discussed, as well as mechanisms proposed for future use. Common design problems and solutions are discussed with consideration for manufacturing.
16 February 16:15 Access control in an open distributed environment / Richard Hayton, Citrix
Room TP4, Computer Laboratory
This talk is an overview of the Oasis access control architecture. This provides both a means for specifying complex authorisation information in an open distributed environment, and an efficient implementation.
9 February 16:15 Matching digital watermarking methods to real data / David Hilton, Signum Technology
Room TP4, Computer Laboratory
Recent years have seen a great proliferation of papers on watermarking of digital data. These have usually started from a very generalised view of the nature of the data and concentrated on the quality of the security algorithm.
3 February 16:15 The power of quantum computing / Professor Richard Jozsa, University of Plymouth, School of Mathematics and Statistics
Babbage Lecture Theatre
The recent synthesis of quantum physics with computer science has led to a new paradigm for computation which is in principle physically realisable, yet not fully encompassed by the standard (e.g. Turing) notion of computability. A quantum computer cannot compute any non-Turing-computable function but it appears to be able to perform some computations exponentially faster than any classical device. The pre-eminent example is the existence of a polynomial-time quantum algorithm for integer factorisation - a problem for which there is no known classical (even randomised) efficient algorithm. In recent developments, quantum physics also gives rise to new modes of communication and an associated quantum information theory.
In this talk I will introduce the essential principles of quantum computation and outline the structure of some fundamental quantum algorithms. I will discuss the relation of quantum computation to various classical complexity classes and finally consider some recent issues of current interest.
This talk will be held in the Babbage Lecture Theatre. Maps and travelling directions are at http://www.cl.cam.ac.uk/site-maps/site-maps.html.
2 February 16:15 Authentication - again! / Dieter Gollmann, Microsoft Research
Room TP4, Computer Laboratory
It is a popular conjecture that the design of authentication is an error prone and hence difficult task. Once again, I will try to explain how this situation may have come about.
As a general observation, one may note that in many areas of science progress in the understanding of fundamental concepts has gone hand in hand with the development of a language for discussing these concepts. The difficulty of giving good definitions for authentication bears witness to this problem. In a specific observation on authentication, I will illustrate that the term authentication is used in a number of different security paradigms, a fact that can only add further confusion.
Not surprisingly, I will argue that more precision in the discourse about authentication is required. In this respect, designers and attackers have been equally culpable so far.
26 January 16:15 Experience in AES algorithm implementation / Brian Gladman (formerly MoD and NATO)
Room TP4, Computer Laboratory
In its Advanced Encryption Standard (AES) programme the US National Institute of Standards and Technology has selected 15 algorithms for consideration as candidates to replace the now obsolescent DES standard.
This talk will look at some of the issues that the author has faced in implementing all 15 candidates from scratch. The coverage will focus on implementation and performance rather than on security or cryptanalysis. In particular the issues involved in using algorithm specifications as a basis for implementation in C will be discussed, as will some of the surprises involved in running such code on modern pipelined/semi-parallel architectures such as the Pentium II. The talk will also cover an interesting aspect of performance optimisation for Serpent.
12 January 16:15 US crypto policy: explaining the inexplicable / Susan Landau, Sun Microsystems Inc.
Room TP4, Computer Laboratory
The richest, strongest, most electronically-vulnerable nation on earth persists in a policy that effectively restricts the use of encryption technology domestically as well as abroad. Even while the security of transactions over telephone and computer networks has become a source of wide public concern, the US government continues to work against the proliferation of unbreakable cryptography (and thus perfectly concealable communications).
In this talk we present a brief history of wiretap law and privacy rulings in the United States, and we put current crypto policy in the context of decisions made over the last twenty years.
1998
8 December 16:15 Realising security policy within the healthcare environment / Steve Furnell, University of Plymouth
Room TP4, Computer Laboratory
Information systems security represents a significant issue within the modern healthcare environment. Information technology now pervades virtually all aspects of operation and care provision, with a consequent need arising to preserve the confidentiality, integrity and availability of systems and data. The security policy is an essential element in ensuring that a consistent approach can be enforced and maintained across the establishment. I will discuss the areas that should be encompassed by any policy, as well as the typical constraints of the healthcare environment that may limit the practical approach. A further important consideration is how to ensure that all staff will know and observe the policy. I will address this through a discussion of security training and awareness initiatives.
The presentation will make significant reference to work that has been conducted at the European level, in particular the ISHTAR (Implementing Secure Healthcare Telematics Applications in Europe) project in which I have been involved under the EU 'Telematics Applications for Health' programme.
1 December 16:15 Secure sessions from weak secrets / Bruce Christianson, University of Hertfordshire
Room TP4, Computer Laboratory
Sometimes two parties who share a weak secret k such as a password wish to share a strong secret s such as a session key without revealing information about k to an active attacker. This talk describes some recent work in this direction, carried out jointly with Michael Roe and David Wheeler. We present some new protocols for secure strong secret sharing, including one based on RSA rather than Diffie-Hellman. As well as being simpler and quicker than their predecessors, our protocols also have slightly stronger security properties. In particular, they make no cryptographic use of s and so impose no subtle restrictions upon the use which is made of s by other protocols, and they do not rely upon the existence of hash functions with mystical properties. After rounding up the usual suspects, the talk will also consider some new attacks and how to frustrate them.
24 November 16:15 Observations on the advanced encryption standard candidates / Mike Roe, Centre for Communications Systems Research
Room TP4, Computer Laboratory
The US government is running a competition to find a replacement for the data encryption standard. There are fifteen candidate algorithms now available for public analysis and comment. I have implemented a number of them from the published definitions, and in this talk I will discuss the lessons I learned in the process.
17 November 16:15 CRYP, CIP and COTS: trusting cryptography in commercial-off-the-shelf systems / Bill Caelli, Queensland University of Technology
Room TP4, Computer Laboratory
Cryptographic (CRYP) sub-systems now play a vital role in the protection of "mission-critical" information systems and data networks, particularly those now being deployed for electronic commerce activities nationally and internationally. Such mission-critical information systems, and associated data networks, are, in turn, being used to control and monitor critical infrastructures in modern society; infrastructures that need a high degree of protection (CIP). These include overall structures for water reticulation, electricity, finance, government, energy, transport and so on. However, under cost pressures those in charge of such infrastructures are moving to adoption of commercial-off-the-shelf (COTS) systems for the control and monitoring of such infrastructures, rather than "bespoke" solutions to information systems needs. With cryptography forming the main protection and trust mechanism to safeguard these controlling information systems, the trustworthy integration of cryptographic sub-systems into COTS becomes of paramount importance. This has a number of technical, business and political implications that need to be explored. This paper examines all three of these aspects of the cryptography integration problem.
16 November 16:15 A hacker looks at cryptography / Bruce Schneier, Counterpane Systems
Room TP4, Computer Laboratory
Building a secure product is a lot more than reading a copy of Applied Cryptography, and then stringing a series of secure algorithms and protocols together. Many "buzzword compatible" products are insecure not because of faulty mathematics, but faulty implementation. Engineers misuse secure primitives, introduce security flaws elsewhere in the process, build bad user interfaces, don't allow for errors or failures, and generally fail to leverage the security of their cryptography. This talk is about what commonly goes wrong in cryptographic products.
10 November 16:15 Copyright control for digital image libraries / Glenn Hall, Hewlett-Packard Laboratories
Room TP4, Computer Laboratory
We will talk about copyright control for digital image libraries using high quality imaging systems, over the web. We have built a system, using on-the-fly watermarking, for a commercial image supplier, now on trial. This raises a number of interesting technical and business questions, such as watermark distribution, and cascading permissions through business processes.
3 November 16:15 Alpha pulse technology - a new concept for generating true randomness / Mark Shilton, Amersham Pharmacia Biotech
Room TP4, Computer Laboratory
The Alpha Pulse random generator is a miniature hardware device for triggering random events with a predetermined event probability. The device uses a miniature silicon photo diode detector incorporating a harmless quantity of a radioactive alpha emitting material. The device produces random voltage pulses when alpha particles are emitted within the photo diode. The device has been used to generate pure, unbiased, non-deterministic random numbers and also to trigger random win events with long odds for applications such as gaming. The event probabilities produced by the device agree very closely with the predictions of Poisson theory.
The Alpha Pulse random generator is robust, durable, highly tamper resistant; it is unaffected by external influences and potentially can be made very small. Its operating principles, design, performance and applications will be reviewed.
27 October 16:15 On the security of digital tachographs / Ross Anderson, University of Cambridge
Room TP4, Computer Laboratory
Tachographs are used in most heavy vehicles in Europe to control drivers' hours, and for secondary purposes ranging from investigating accidents and toxic waste dumping to the detection of fuel fraud. Their effectiveness is under threat from increasing levels of sophisticated fraud and manipulation. I will discuss this in the context of recent EU proposals to move to smartcard-based tachograph systems, which are aimed at cutting fraud and improving the level of enforcement generally. I will argue that the proposed new regime will be extremely vulnerable to the wholesale forgery of smartcards and to system-level manipulation; it has the potential to lead to a large-scale breakdown in control. I will then sketch some potential solutions.
20 October 16:15 Secure implementation of channel abstractions / Cedric Fournet, Microsoft Research
Room TP4, Computer Laboratory
Communication in distributed systems often relies on useful abstractions such as channels, remote procedure calls, and remote method invocations. The implementations of these abstractions sometimes provide security properties, in particular through encryption. We study those security properties, focusing on channel abstractions. We introduce a simple high-level language that includes constructs for creating and using secure channels. The language is a variant of the join-calculus and belongs to the same family as the pi-calculus. We show how to translate the high-level language into a lower-level language that includes cryptographic primitives. In this translation, we map communication on secure channels to encrypted communication on public channels. We obtain a correctness theorem for our translation; this theorem implies that one can reason about programs in the high-level language without mentioning the subtle cryptographic protocols used in their lower-level implementation.
This is joint work with Martin Abadi (Compaq/SRC) and Georges Gonthier (INRIA Rocquencourt).
16 June 16:15 Medical privacy protection - the Xtrend project / Vaclav Matyas, University of Cambridge
Room TP4, Computer Laboratory
The Xtrend project involves collecting drug prescription (and collection) data from pharmacies and creating a database that supports evaluation of general practitioners' (GPs') prescription trends by district. The data is collected without patient identity information, but GPs' identity has to be protected carefully by subsequent processing - only some GPs have consented to their identity being known to data users (usually drug wholesalers or manufacturers) and the identity of the others has to be concealed.
The talk will analyse the problems in protecting the identity of the non-consenting GPs. The solution involves measures like setting a minimal number of participating GPs, practices and pharmacies in a district, and concealing the telltale signs of GPs moving between practices or going on holiday. Another interesting issue concerns the fact that the system is currently being built and this provides a certain level of 'noise' against malicious data analysis. However, the situation once the system stabilises will almost certainly be different.
9 June 16:15 The art of uncovering those well-hidden bits / Nick Howgrave-Graham, University of Bath
Room TP4, Computer Laboratory
The talk will be based loosely around the use of partial knowledge in solving bivariate Diophantine equations. Many interesting problems fall into this category including factoring, and solving univariate modular equations, both of which have major implications in cryptography.
The methods are based on work by Coppersmith, and employ lattice basis reduction by the LLL algorithm. An interesting theoretical result concerning dual lattices and the LLL algorithm is shown along the way.
Finally a novel approach to finding solutions to x^2+y^2=N is demonstrated, and applied (using the technique of Pinch and McKee) to breaking a recently proposed elliptic curve cryptosystem.
2 June 16:15 A denotational definition of system integrity / Simon Foley, University College, Cork
Room TP4, Computer Laboratory
Conventional integrity models limit themselves to the boundary of the computer system and tend to define integrity in an operational or implementation oriented sense. For example, the Clark-Wilson model recommends that well-formed transactions, segregation of duties and auditing be used to ensure integrity. However, the model does not attempt to address what is meant by integrity - evaluating a system gives a confidence to the extent that good design principles have been applied. For instance, when we define a complex segregation of duty policy, we cannot use the model to guarantee that a user of the system cannot somehow bypass the intent of the segregation via some unexpected circuitous route.
Clark and Wilson informally identified segregation of duty as a mechanism that is used to control external consistency, which is described as the correct correspondence between the data object and the real world object that it represents. In this talk I will explore a formal definition for external consistency and illustrate how it is implemented in terms of segregation of duties. This denotational, rather than operational, definition is useful because it allows us to determine whether a particular segregation of duties configuration actually works, that is, whether it ensures that the system is externally consistent.
27 May 16:15 Attacks on copyright marking systems / Fabien Petitcolas, University of Cambridge
Room TP4, Computer Laboratory
In the last few years, a large number of schemes have been proposed for hiding copyright marks and other information in digital pictures, video, audio and other multimedia objects. I will describe some contenders that have appeared in the research literature and in the field; I will then present a number of attacks that enable the information hidden by them to be removed or otherwise rendered unusable.
26 May 16:15 Differential-linear weak key classes of IDEA / Philip Michael Hawkes, University of Queensland
Room TP4, Computer Laboratory
The International Data Encryption Algorithm (IDEA) is a well known block cipher which is used, for example, in the Pretty Good Privacy (PGP) package. In this talk, the largest known weak key classes of IDEA and reduced-round IDEA are constructed. For some of these classes, membership is determined by a differential-linear test while encrypting with a single key. In particular, $8.5$-round IDEA has a weak key class of $2^{63}$ keys (one in every $2^{65}$ keys) for which membership is determined in such a manner. A related-key differential-linear attack on 4-round IDEA is presented which is successful for all keys. Large weak key classes are found for 4.5- to 6.5-round and 8-round IDEA for which membership of these classes is determined by similar related-key differential-linear tests.
19 May 16:15 Confessions of a red box builder / David Biggins, Rhea International Ltd
Room TP4, Computer Laboratory
In the world of commercial product development, even in a hi-tech environment, there are many conflicting factors that go to make up the success or otherwise of a product - technical, commercial, political, and just plain luck (good or bad).
Balancing these factors requires the patience of Job, the discretion of Caesar's wife, the judgement of Solomon (not Alan), the technical knowledge of Turing (Alan), the deviousness of the Borgias, the ruthlessness of Genghis Khan, the showmanship of PT Barnum, and the financial acumen of J Paul Getty - none of which I have...
So how DO you take a security product to market these days?
This talk aims to cover many of the factors, technical and otherwise, encountered so far in the development of the Latches for Windows product, and the ways we have managed to hang on to the tiger's tail...
12 May Cryptology, technology and policy / Susan Landau, University of Massachusetts
5 May 16:15 The CORBA security service specification and CORBA security in practice / Ulrich Lang, University of Cambridge
Room TP4, Computer Laboratory
This seminar will first give a brief introduction to CORBA, and then focus on the CORBA Security Service Specification. The security functionality provided by the Security Service and its relevance to distributed systems security in general will be described on an abstract level. The seminar will also try to compare the Security Service Specification to CORBA security in the real world; issues like trust boundaries, Java security, business requirements etc. will be briefly put into context.
29 April 17:30 PGP and resistance to key escrow / Phil Zimmermann, Network Associates Inc.
Hopkinson Lecture Theatre, New Museums Site
This week's political developments highlight the trap of buying into a top-down key management infrastructure. I will talk about the new features of PGP's evolving architecture which we have specifically designed in order to make it resistant to key escrow while enhancing its scalability in large organisations.
NOTE: this week's seminar has been arranged at short notice in response to the government's U-turn on crypto policy. It is thus at a non-standard time and a non-standard venue. Maps and travelling directions can be found here.
Other relevant seminars this term include a talk on the 12th May by Susan Landau of the University of Massachusetts on 'Cryptology, Technology and Policy' (Susan is one of the authors of 'Privacy on the Line' which documents the crypto policy struggle in the USA) and another on the 19th by David Biggins of Rhea International Ltd entitled 'Confessions of a Red Box Builder' (Rhea designed the new electronic red boxes used by some ministers). Both these talks are at the usual 4.15PM in room TP4.
10 March 16:15 Priority driven protocol design / Bruce Christianson, University of Hertfordshire
Room TP4, Computer Laboratory
Priority Driven Communication Protocol Design was a methodology for designing communications protocols which was introduced about fifteen years ago. In this seminar I shall attempt to rehabilitate PDCPD in the context of security protocols, arguing that treating PDCPD as a conceptual framework for reasoning about the design and optimization of protocols (rather than as a design methodology per se) can provide insight into managing the effects of laying off tasks to only partially trusted third parties in order to improve performance: the analogous design problem in 'conventional' communications protocol design is de-layering.
3 March 16:15 VideoCrypt - past, present, and future / Yossi Tsuria, News Datacom, Israel
Room TP4, Computer Laboratory
VideoCrypt, with 9 million subscribers on 4 continents, is without doubt one of the most successful conditional access systems in the world. It also enjoys numerous attacks by the pirate community.
The presentation will describe the origins of the system and its key technology elements, and will discuss past and present security issues. It will also tackle future plans and challenges in the fields of interactive TV, copy protection and data broadcasting.
24 February 16:15 Supporting dynamic security labels in multilevel secure object stores / Simon Foley, University College, Cork
Room TP4, Computer Laboratory
Mandatory label-based policies may be used to support a wide-range of application security requirements. Examples of these policies include Chinese Walls and Dynamic Segregation of Duties (see the seminar I gave on the 28th October 1997). Labels encode the security state of system entities and the application security policy specifies how these labels may change.
I will describe a framework, based on the Jajodia-Kogan message-filter model, that can support these policies in a multilevel secure OODBMS. This framework can support any (dynamic) label-based policy so long as the effect of a high-level request to relabel a low-level label cannot be detected at the low level. A sample policy will be described whereby high-level users can mark low-level objects, indicating that the object should be migrated to the high-level when deleted (at low).
The framework provides what is essentially an interpreter of multilevel programs: programs that manipulate multilevel data-structures that define the security labels of objects. This enables application functionality and security concerns to be developed (and verified) separately, bringing with it the advantages of a separation of concerns paradigm.
17 February 16:15 Tamper resistant structured magnetics / Ed White, Thorn Secure Science International
Room TP4, Computer Laboratory
Security, and particularly 'Smart Card' security, has become a very hot topic in the 1990's. We have been constantly 'educated' that Smart Cards are secure, and this series of seminars has spent much time examining the various claims and potential flaws in those claims. This talk will take a step back from the detail of smart card security, encryption algorithms etc. and examine the basic elements of security. It will briefly examine the various strengths and vulnerabilities of different approaches and present some ideas on how combining technologies can offer great benefits in reducing threats of security breaches.
10 February 16:15 What are the wild waves saying? / Owen Lewis and Keith Penny, TEL
Room TP4, Computer Laboratory
So often overlooked by those who would maintain the confidentiality of their dealings, is that much of the most sensitive and most valuable information first occurs as the act of speech, a personal dialogue. If uninhibited speech can be eavesdropped as it is created, then there is no panoply of technical security that can subsequently make good that breach of security. Even in this computer age, the eavesdropping of speech in sensitive areas remains important in intelligence gathering, commercial as much as state.
This presentation outlines the main varieties of the electronic eavesdropping threat to confidential discussions and looks at advanced countermeasures to bugging where RF transmission is used to extract sensitive conversation from secured premises.
Until starting a technical surveillance countermeasures business in 1991, Owen Lewis was a signals officer in the British Army for 22 years. For some years, he was a visiting lecturer to the NATO Joint Services Advanced Electronic Warfare courses. Keith Penny is an engineer with 20 years of experience of the design, manufacture and systems deployment of a range of electronic surveillance and countersurveillance equipment. They have developed the SysRx system for RF spectrum monitoring, which is to be launched at the Police Scientific Development Branch closed exhibition in March 1998 and is first presented at this seminar.
4 February 16:15 Hardware security: smartcards and other tamper resistant modules / Markus Kuhn, University of Cambridge
Babbage Lecture Theatre
Many computer security applications depend on the secure storage of secret key material. The processors storing these keys cannot be protected by walls and guards in applications such as digital purses or pay-TV encryption systems; often the key memory has to be given into the hands of the attacker. Smartcards and other tamper-resistant processors are frequently quoted as a solution for this problem, but there is little published material about how difficult it is for attackers to circumvent the physical protection of these low-cost devices. The talk will discuss various techniques that have been applied to break the security processors used in pay-TV encryption systems and digital purses with much less effort than the manufacturers had hoped.
28 January 16:15Security protocols and their correctness / Larry Paulson, University of Cambridge
Babbage Lecture Theatre
Security protocols are used in the Internet, mobile phones, digital payment systems, etc. Their goals may be to keep data secret, to preserve it from tampering, or to prevent intruders from assuming somebody else's name. A faulty protocol can be attacked by simple means, such as replaying parts of old sessions, without brute-force codebreaking.
Researchers have developed tools to search for such attacks. However, failure to find attacks does not mean that a protocol is correct. Protocols and their goals are seldom specified formally, which makes it hard to say whether they are correct, even when possible attacks are pointed out.
The speaker will outline recent approaches to showing correctness, taking as an example a simple public-key protocol.
1997
9 December 16:15Attacks on pay-tv access control systems / Markus Kuhn, University of Cambridge
Room TP4, Computer Laboratory
Subscription financed pay-TV channels such as BSkyB scramble their broadcast signal and provide their subscribers with special decoders to prevent unauthorized free access. Modern smartcard-based pay-TV access control systems like VideoCrypt are the first large scale consumer application of both cryptography and tamper resistant processors. Their security aspects have been scrutinized in the past five years by both professional pirate decoder manufacturers and amateur hackers. Professional pirates have developed reverse engineering skills previously only assumed to be available to major governments or corporations, while undergraduate students have found surprisingly simple and cheap ways to evade cryptographic protection schemes. There are valuable lessons to be learned for the design of future large-scale cryptographic applications.
2 December 16:15Fair and blind certification of knowledge / Wenbo Mao, Hewlett-Packard Laboratories
Room TP4, Computer Laboratory
We propose a new notion of fair and blind certification of knowledge. Blindly certified knowledge has a verifiable structure which can only be constructed by its exclusive owner with the help of a certification authority (CA). Verification of knowledge possession will include a simple check on the structure to convince a verifier of proper certification of the knowledge in addition to its exclusive belonging to the owner (prover). Unlike a blind signature, in blind knowledge certification no visible signature of the CA is available to the verifier and thus different sessions in which the same knowledge is used can easily be made unlinkable. As a result, a single blindly certified knowledge can be re-used polynomially many times without linking to the anonymous user. To prevent anonymity misuse with impunity, we also add fairness to the unlinkable anonymity by escrowing the knowledge to an off-line third party.
25 November 16:15A secure inter-hospital image reporting tool / Ed Somer, United Medical and Dental Schools
Room TP4, Computer Laboratory
A system has been developed that allows the rapid, secure and private transmission of Nuclear Medicine and Positron Emission Tomography (PET) image data with associated patient files between a number of hospital sites facilitating clinical collaboration and accelerated education of Nuclear Medicine physicians.
Participating departments maintain an mSQL database populated with DICOM objects generated from Interfile or proprietary data. The database contains patient and study information and references to image data which may, or may not, be in DICOM format. An internet navigator is used to query the database and Multipurpose Internet Mail Extensions (MIME) typing enables the navigator to download a specific image, and launch a viewer appropriate to the data format and viewing platform. The clinicians can then report the images and submit a text report via either fax or over the internet. The protocols are independent of the network infrastructure linking the hospital sites and data transfer has been secured through the Secure Sockets Layer (SSL). ATM networking has made the establishment of a dial-up telemedicine virtual LAN practical offering enhanced security.
Nuclear Medicine and PET departments on three hospital sites are currently involved in this project and the scaleable nature of this solution makes further expansion practical.
18 November 16:15The discrete logarithm problem on elliptic curves / Nigel Smart, Hewlett-Packard Laboratories
Room TP4, Computer Laboratory
In recent years the use of elliptic curves in cryptography has become something of a "hot topic". This is because the discrete logarithm problem on elliptic curves is in general harder than the associated problem in the more traditional finite fields. In this talk I shall outline how one should choose one's elliptic curve by showing how certain attacks work. In particular I shall concentrate on the recent attack on "trace one curves".
28 October 16:15Dynamic separation of duties in the clark-wilson model: shifting trust in the application back into the tcb / Simon Foley, University College, Cork
Room TP4, Computer Laboratory
The Clark-Wilson security model may be used for systems where security is enforced across both the operating system and the application systems. Under this model, a secure system may be viewed as a certified application running on top of a trusted computing base (TCB). Certifying an application corresponds to arguing (to a degree) its correctness; the TCB is expected to have undergone some sort of security evaluation. A variety of existing implementation models, for example multilevel security, have been shown capable of upholding the Clark-Wilson TCB requirements.
We argue that, given an evaluated TCB, an application designer should try to minimize the amount of security critical code that is contained within the application and rely on the TCB to enforce security wherever possible. Under the Clark-Wilson model, the TCB is expected to support (enforce) static segregation of duties. However it appears that dynamic segregation of duty must be implemented within the application itself.
In this talk I will describe a framework in which dynamic Clark-Wilson style segregation of duty policies can be expressed and supported by the TCB. I will also describe how these policies can be enforced under Unix and Multilevel TCBs.
21 October 16:15Inductive analysis of the internet protocol tls / Larry Paulson, University of Cambridge
Room TP4, Computer Laboratory
Internet browsers use security protocols to protect confidential messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higher-order logic and make no assumptions concerning beliefs or finiteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys have been compromised. The analysis suggests modest changes to simplify the protocol.
TLS, even at an abstract level, is much more complicated than most protocols that researchers have verified. Session keys are negotiated rather than distributed, some messages are optional, and others may be sent at various times. The resources needed to verify TLS are modest: the inductive approach scales up.
14 October 16:15Edifact security and the public key infrastructure / Peter Landrock, Cryptomathic and Aarhus University
Room TP4, Computer Laboratory
The purpose of EDI is to process business data in an automated way. This used to be handled on a bilateral basis between contracting parties using leased lines etc., but when parties without an initial contract do business over the Internet and/or X.400, it is absolutely vital to secure the interchanges by what we call security services: non-repudiation of origin/receipt and confidentiality are the obvious choices.
Back in the early 90's, the UN Security Joint Working Group came up with a number of proposals for the integration of these services at the EDIFACT syntax level, thus making them independent of the transport mechanism in use. This implied that the EDI translators would handle security, and in an automated fashion. The next step was to bring the supporting public key infrastructure with communicating CAs, LRAs and Directories into play, and a new EDIFACT message, KEYMAN, was designed to handle this.
The EDIFACT certificate thus derived was far more business minded than the original X.509 certificate in its design. The PKI and the underlying business model will be described, and we will explain how to avoid blacklists. We believe this model is the right one to take forward in electronic commerce, and this is exactly what we are doing in large pilots such as SEMPER, BOLERO, DYP, and ELSME.
3 October 10:00Pachyderm: keeping your email on the web / Michael Schroeder, Digital Systems Research Center
Room TP4, Computer Laboratory
Pachyderm is an experimental email system exhibiting the following properties:
The Platform is the Web: all interaction with Pachyderm is through a web browser; you can create, read and browse your email from any web-connected computer.
Location Independence: there is no state locked in particular client computers; you can move among client computers at will, and your email state will still be available to you.
Bandwidth Tolerance: Pachyderm is designed to tolerate a wide range of connectivity bandwidths, from high-speed local area networks to dial-up modems.
Easy Data Retrieval: all access to your email is based on queries on a full-text index; you can find the right message from among tens of thousands without any need for manual classification schemes such as folders.
The talk will outline the rationale for Pachyderm and describe the structure of the system.
NOTE: the time is nonstandard for a security seminar.
29 September 11:15Composable and emergent security properties / Heather Hinton, Ryerson Polytechnic University
Room TP4, Computer Laboratory
Emergent behaviours are those that result from interaction between the behaviour of the components of a composite system. We show that they play a role in the composite system's security properties: they may give rise to vulnerabilities directly, or result in the non-composability of security properties.
Using an emergent properties analysis, we can identify which aspects of component behaviour lead to undesirable emergent behaviour. This may enable us to strengthen individual systems so that desired properties compose. We can also use this approach to identify, a priori, when non-composable properties will be violated within a composite system.
We have shown how to apply this approach to several toy examples and are currently using it to analyse a Network Reference Monitor.
NOTE: the time is nonstandard for a security seminar.
25 September 9:30Security analysis of rsa-type cryptosystems / Marc Joye, Katholieke Universiteit Leuven
Discussion Room, Computer Laboratory
In 1978, Rivest, Shamir and Adleman introduced the public-key cryptosystem RSA. Thereafter, it was extended to Lucas sequences and elliptic curves. In this talk, we will analyse the security of these cryptosystems in given contexts. In particular, some major known attacks against RSA-type systems will be reviewed. We will also see how these attacks can be avoided.
NOTE: the time and the place are nonstandard for a security seminar.
29 August 16:00Visual cryptography with polarisation / Eli Biham, Technion, Haifa, Israel.
Room TP4, Computer Laboratory
Visual cryptography was introduced by Naor and Shamir as a way to allow fast visual decryption of graphic objects. No decryption device is required; instead decryption is done by fitting slides together. Several schemes were suggested which allow users to share secret pictures (and text) in an information theoretically secure way, so that deciphering is easy if all the shares are given, but it is impossible if one of them is missing. The drawbacks of all the existing methods are the exponentially small contrast of the deciphered picture as the number of shares increases, and the reduction in quality due to pixels' being represented by many smaller (black and white) pixels.
In this talk we suggest new visual cryptographic schemes based on light polarization which are better than the optimal existing schemes. Then we present an ultimate scheme which does not subdivide pixels, and in which the contrast is independent of the number of shares.
Joint work with Ayal Itzkovitz
NOTE: the time is nonstandard for a security seminar.
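The abstract above refers to the original Naor-Shamir construction, in which each secret pixel is subdivided into several black-and-white subpixels and decryption is done by stacking the shares. The following is an added illustration, not code from the speakers or from the page: a 2-out-of-2 scheme with a pixel expansion of two, written to show both drawbacks the abstract mentions (the doubled width, and the halved contrast of a reconstructed white pixel). The 5x5 sample image and the subpixel patterns are constructed for the example; in a real transparency the columns of subpixels would be printed side by side.

```python
import secrets

# Constructed sample secret: 1 = black, 0 = white (a 5x5 letter "X").
SECRET = [
    [1, 0, 0, 0, 1],
    [0, 1, 0, 1, 0],
    [0, 0, 1, 0, 0],
    [0, 1, 0, 1, 0],
    [1, 0, 0, 0, 1],
]

# Every secret pixel becomes two subpixels on each share; each cell
# always has exactly one black subpixel, so a single share carries no
# information about the secret.
PATTERNS = ((1, 0), (0, 1))


def share(secret, rng=secrets.randbelow):
    """Split a binary image into two shares (2-out-of-2, expansion 2).

    rng(2) must return 0 or 1; the default is a cryptographic source.
    """
    share1, share2 = [], []
    for row in secret:
        r1, r2 = [], []
        for pixel in row:
            k = rng(2)
            r1.extend(PATTERNS[k])
            # White pixel: both shares use the same cell, so stacking leaves
            # one subpixel white. Black pixel: complementary cells, so stacking
            # makes both subpixels black.
            r2.extend(PATTERNS[k if pixel == 0 else 1 - k])
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def overlay(share1, share2):
    """Stacking two transparencies: a subpixel is black if it is black on either."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def reconstruct(stacked):
    """Read the stacked image by eye: a fully black cell is a black pixel,
    a half-black cell (the 50% grey that limits contrast) is a white pixel."""
    out = []
    for row in stacked:
        out.append([1 if row[i] + row[i + 1] == 2 else 0
                    for i in range(0, len(row), 2)])
    return out


def cell_is_half_black(share_image):
    """True when every cell of a share has exactly one black subpixel,
    i.e. the share alone looks like uniform noise whatever the secret was."""
    return all(row[i] + row[i + 1] == 1
               for row in share_image
               for i in range(0, len(row), 2))


def render(image):
    """Text rendering of a binary image, black as '#', white as '.'."""
    return "\n".join("".join("#" if b else "." for b in row) for row in image)


if __name__ == "__main__":
    s1, s2 = share(SECRET)
    print("share 1\n" + render(s1))
    print("stacked\n" + render(overlay(s1, s2)))
```

Width doubles on every share and on the stacked result, and a white region of the secret is reconstructed as 50% black; with more shares or a (k, n) threshold scheme the expansion grows and the contrast shrinks further, which is the problem the polarisation-based schemes in the talk set out to remove.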
7 August State reachability techniques in the formal verification of cryptographic protocols: state of the art and open issues / Catherine A. Meadows, Naval Research Laboratory
Room TP4, Computer Laboratory
NOTE: the time is nonstandard for a security seminar.
10 July 15:00Security and types in the java virtual machine / Martín Abadi, DEC Systems Research Center
Room TP4, Computer Laboratory
Java is typically compiled into an intermediate language, which we call JVML. The Java Virtual Machine interprets JVML code. Because mobile JVML code is not always trusted, a bytecode verifier enforces static constraints that prevent various dynamic errors. Given the importance of the bytecode verifier to security, its current descriptions are inadequate. We consider the use of typing rules to describe the bytecode verifier because they are more precise than prose, clearer than code, and easier to reason about than either. We explore the viability of this approach by developing a sound type system for a subset of JVML. This subset, despite its small size, is interesting because it includes JVML subroutines, a source of substantial difficulty for the bytecode verifier. (Joint work with Raymie Stata.)
NOTE: the time is nonstandard for a security seminar.
8 July 16:15A new paradigm for massively parallel random search / Adi Shamir, Weizmann Institute of Science, Israel
Room TP4, Computer Laboratory
The problem of optimizing combinatorial problems or breaking cryptographic codes led to several novel paradigms for carrying out such a massively parallel random search, including quantum and DNA computers. In this talk, the speaker will propose a new paradigm, which is based on a simple and easy to implement idea.
The speaker will use some props to demonstrate the new paradigm in real time. It's accessible to everyone, even though some familiarity with the structure of DES like schemes helps to motivate the research.
18 June 16:15Abstractions for mobile computation / Luca Cardelli, DEC Systems Research Center
Hopkinson lecture theatre, Computer Laboratory
There are two distinct areas of work in mobility: "mobile computing", concerning computation that is carried out in mobile devices, and "mobile computation", concerning mobile code that moves between devices. These distinctions are destined to vanish. We aim to describe all aspects of mobility within a single framework that encompasses mobile agents, the ambients where agents interact and the mobility of the ambients themselves.
The main difficulty with mobile computation is not in mobility per se, but in the crossing of administrative domains. Mobile programs must be equipped to navigate a hierarchy of domains, at every step obtaining authorization to move further. Therefore, at the most fundamental level we need to capture notions of locations, of mobility and of authorization to move.
We identify "mobile ambients" as a fundamental abstraction that generalizes both dynamic agents and the static domains they must cross. From a formal point of view we develop a simple but computationally powerful calculus that directly embodies domains and mobility (and little else). The calculus forms the basis of a small-language/ Java-library. We demonstrate the expressiveness of the approach by a series of examples, including showing how a notion
20 May 16:15Secure transfer of trust / Carl Ellison, CyberCash Inc.
Room TP4, Computer Laboratory
For a decade, people have viewed the binding of names to keys as the only problem. I will argue that names are almost meaningless in the context of the global Internet, and that we need rather to transfer authorisation securely from one entity to another. I will discuss two new attempts to do this, namely SDSI and SPKI.
24 March 14:15Steganography and copyright marking / Ross Anderson, University of Cambridge
Hopkinson lecture theatre, Computer Laboratory
One of the fastest growing areas of security research is steganography - hiding information in other information. One example is hiding encrypted copyright marks in digital images; the same ideas can be applied to other problems such as annotation and indexing, and to other kinds of object such as digital audio.
Research in this subject is highly interdisciplinary, and a number of people with backgrounds in graphics, signals processing and statistics have expressed interest in getting involved. I will therefore be giving a brief tutorial on the subject and outlining where the interesting areas of research appear to be.
NOTE: the time and location are nonstandard for a security seminar.
18 March The impact of dynamic linking on java security / Drew Dean, Princeton University
Room TP4, Computer Laboratory
We survey some of the major security flaws found in Java-enabled web browsers from Sun, Netscape, and Microsoft over the last 15 months. While numerous issues have been found throughout the system, the worst problems come from type safety failures in the implementations that allow an attacker to run arbitrary machine code. Several of the type safety failures can be traced to dynamic linking. We examine a formal model of dynamic linking, and find some necessary conditions for safety.
11 March Programming goofs that will hose your system security / Alec Muffett, Sun Microsystems
Room TP4, Computer Laboratory
This seminar is an illustrated and light-hearted introduction to vectors of insecurity within modern computer systems, focussing especially on Unix-like operating systems (i.e. don't expect the speaker to bang on about viruses for very long) and how it seems that the same problems come up time and again in new guises.
The presentation should be suitable for programmers, C/S students, and systems administrators of all grades, especially those with a programming bent, and will try to educate the audience away from some of the more grotesque mistakes of systems programming.
4 March Non-repudiation / Mike Roe, University of Cambridge
Room TP4, Computer Laboratory
The invention of public-key cryptography led to the idea of non-repudiation protocols, which are intended to enable the resolution of disputes about previous protocol exchanges. Later work on non-repudiation has shown that the means by which cryptographic keys are managed is just as important as the cryptographic algorithm, and public-key cryptography is neither necessary nor sufficient.
25 February The composition of security properties / Aris Zakinthinos, University of Cambridge
Room TP4, Computer Laboratory
The ability to design and construct complex systems that enforce a security property presupposes an understanding of security properties themselves, as well as the security properties of a system that is composed from secure components. This talk will present a general theory of possibilistic security properties and of system composition for such properties.
It has been demonstrated that security properties do not fit into the safety/liveness framework defined by Alpern and Schneider. That is, a security property can not be expressed as a property of a trace. (A trace is an ordered stream of events that can occur at the inputs and outputs of a component.) However, we demonstrate that security properties can be expressed as a predicate over the set of all traces of a component that are consistent with a given low-level view of a trace.
The issue of composition with feedback has been the focus of much research; we demonstrate that the problem with feedback composition is related to the synchronization of the communications events between the various components. This allows us to provide necessary and sufficient conditions for determining when feedback composition will fail for Generalized Noninterference and for all properties stronger than Generalized Noninterference.
An understanding of what is a security property allows us to provide a method of constructing a system that satisfies a desired security property. This analysis yields a condition that can be used to determine how a property may emerge under composition.
21 February 16:00The sdsi public-key infrastructure / Butler Lampson, Microsoft Corporation
Room TP4, Computer Laboratory
SDSI is a new distributed security infrastructure, joint work by Butler Lampson and Ron Rivest. It has a simple public-key infrastructure that emphasizes linked local name spaces rather than a hierarchical global name space. SDSI makes it easy to define groups and issue group-membership certificates. Groups provide simple, clear terminology for defining access control lists and security policies.
18 February Trust / Perri 6, Demos
Room TP4, Computer Laboratory
Unless, as citizens and consumers, we believe that we can trust the government and business organisations that keep personal information about us, to treat that information confidentially and to use it only in ways that we consider to be in our interest, the ``information society'' will be a conflict-ridden, expensive and litigious affair.
In this presentation, I want to explore how we can understand better what determines trust in general. I then go on to look more specifically at trust in connection with privacy, and I will conclude by setting out some strategies for policy in the fields of data protection, trusted third parties and independence of subject access to buttress trust and trustworthiness in the digital age.
11 February Electronic copyright management - the way ahead / Alastair Kelman, Barrister
7 February The breaking of the german lorenz world war 2 cypher: max newman's contribution and colossus. / Tony Sale, President, The Bletchley Park Trust
The Palmerston Room, St. John's College, Cambridge
To mark the centenary of the birth of M.H.A. Newman (1897-1984), St John's College are hosting a talk by Tony Sale, President of the Bletchley Park Trust.
Tony Sale is widely known for his achievement in constructing a working replica of the wartime Colossus computer.
The centenary will also be marked by an exhibition about Max Newman's life and work, to be held in the College Library from February 7th until Easter.
4 February Security based on error correcting codes and its application to pay-tv / Jean-Bernard Fischer, Thomson Consumer Electronics, France
Room TP4, Computer Laboratory
We build an original cryptographic toolbox based on error-correcting codes. Having studied the difficulty of the syndrome decoding problem, we define a one-way function and a general setting for its use. Our results allow us to prove the security of Stern's authentication protocol SD; we also construct a provably secure pseudo-random generator and a very efficient and versatile keyed one-way function. These algorithms are used to provide end-to-end security for an analog pay-tv system using smart cards, similar to VideoCrypt.
28 January Mechanised proofs for a recursive authentication protocol / Larry Paulson, University of Cambridge
Room TP4, Computer Laboratory
A novel protocol has been formally analyzed using the prover Isabelle/HOL, following the inductive approach described in the speaker's earlier work. A single run of the protocol delivers session keys to any number of agents, allowing neighbours to perform mutual authentication. The basic security theorem states that session keys are correctly delivered to adjacent pairs of honest agents, even if other agents in the chain are compromised. The complexity of the protocol caused modest difficulties in the specification and proofs, but symmetries in the protocol reduced the number of separate theorems to prove.
1996
5 December Cryptographic algorithm engineering / Josef Pieprzyk, University of Wollongong, Australia
3 December Factoring and smart cards / Richard Pinch, DPMMS, University of Cambridge
Seminar Room 1, DPMMS
Dr Pinch will be talking specifically about an attack on a proposal for server-aided RSA computation using some factoring methods which go back to Lehmer.
Please note that this seminar is held at the DPMMS and not in The Computer Laboratory. Tea will be available in the DPMMS Common Room from 15:45.
26 November Information warfare and infosec - future challenges / David Ferbrache, Defence Research Agency, Malvern
19 November The gabidulin cryptosystem / Keith Gibson, Birkbeck College, London
Room TP4, Computer Laboratory
The Gabidulin Cryptosystem is a Public Key Cryptosystem (PKC) based on error correcting codes. Two versions of it have been published. After I showed how to break medium sized instances of the first version, Prof. Gabidulin agreed that his choice of system parameters was unfortunate, and produced a second set of parameters which he claimed were the most secure set possible. They turn out to be the least secure set possible, and this talk will show how to break even large instances of the second version in a matter of seconds, while at the same time showing how to choose the parameters so as to defeat my methods. Finding a secret key of an instance of the PKC can be reduced to solving an instance of an intriguing search problem of linear algebra, and it would be of great interest to know whether this problem is NP-complete, since there is no known PKC for which finding secret keys is NP-complete. One can make an intractability assumption that members of a certain family of instances of the search problem are almost always hard, and on this assumption the Gabidulin PKC is provably secure.
12 November Formal analysis of protocols using induction / Larry Paulson, Cambridge University
Room TP4, Computer Laboratory
Security protocols can be formally specified in terms of traces, which may involve many interleaved runs. Traces are defined inductively. Protocol descriptions model accidental key losses as well as attacks. The model spy can send spoof messages made up of components decrypted from previous traffic.
The approach has been implemented using the proof assistant Isabelle/HOL. Several symmetric-key protocols have been analysed, including Needham-Schroeder, Yahalom and Otway-Rees. A new attack has been discovered in a variant of Otway-Rees (already broken by Mao and Boyd). Assertions concerning secrecy and authenticity can be proved.
The approach rests on a common theory of messages, with three operators. The operator "parts" denotes the components of a set of messages. The operator "analz" denotes those parts that can be decrypted with known keys. The operator "synth" denotes those messages that can be expressed in terms of given components. The three operators enjoy many algebraic laws that are invaluable in proofs.
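The three operators described above can be made concrete on a small message algebra. What follows is an added example, not Isabelle code and not part of the speaker's work: messages are Python tuples, keys are symmetric (so, as in the symmetric-key protocols named in the abstract, a key is its own inverse), `parts` and `analz` are computed as closures over a set of observed traffic, and `in_synth` decides whether the spy can forge a given message from what `analz` yields. The traffic below is constructed for the example and is only shaped like a server-to-B message of a Needham-Schroeder style exchange; the key names and nonce names are placeholders.

```python
# Message constructors. Agent names are public; nonces and keys are not guessable.
def Agent(a):    return ("Agent", a)
def Nonce(n):    return ("Nonce", n)
def Key(k):      return ("Key", k)
def MPair(x, y): return ("MPair", x, y)
def Crypt(k, x): return ("Crypt", k, x)   # encryption of x under key name k


def inv_key(k):
    """Inverse of a key. Symmetric keys are self-inverse (assumed here)."""
    return k


def parts(H):
    """Every sub-message of H, regardless of which keys are held.
    Used in proofs to bound what could ever be learned from the traffic."""
    out = set()
    todo = list(H)
    while todo:
        m = todo.pop()
        if m in out:
            continue
        out.add(m)
        if m[0] == "MPair":
            todo.extend(m[1:])
        elif m[0] == "Crypt":
            todo.append(m[2])
    return frozenset(out)


def analz(H):
    """Sub-messages the spy can actually obtain: split pairs freely, open a
    ciphertext only when the inverse key is already in the set.  Computed as
    a least fixed point, so a key recovered late still unlocks earlier traffic."""
    out = set(H)
    changed = True
    while changed:
        changed = False
        for m in list(out):
            new = ()
            if m[0] == "MPair":
                new = m[1:]
            elif m[0] == "Crypt" and Key(inv_key(m[1])) in out:
                new = (m[2],)
            for n in new:
                if n not in out:
                    out.add(n)
                    changed = True
    return frozenset(out)


def in_synth(m, H):
    """Membership test for synth H: can m be built from H by pairing and by
    encrypting under keys that are themselves in H?  Agent names are free."""
    if m in H or m[0] == "Agent":
        return True
    if m[0] == "MPair":
        return in_synth(m[1], H) and in_synth(m[2], H)
    if m[0] == "Crypt":
        return Key(m[1]) in H and in_synth(m[2], H)
    return False   # a fresh nonce or key cannot be synthesised


# Constructed traffic: a ticket for B carrying session key Kab, and a
# message under Kab quoting B's nonce.
TRAFFIC = frozenset({
    Crypt("Kb", MPair(Key("Kab"), Agent("A"))),
    Crypt("Kab", Nonce("NB")),
})
# Accidental loss of B's long-term key, which the inductive model also allows.
LEAKED = TRAFFIC | {Key("Kb")}

# A spoof the spy would like to send: B's nonce, encrypted under the session key.
SPOOF = Crypt("Kab", MPair(Nonce("NB"), Agent("A")))


def spy_can_forge(observed):
    """True if SPOOF is in synth (analz observed)."""
    return in_synth(SPOOF, analz(observed))
```

`parts(TRAFFIC)` contains `Key("Kab")` while `analz(TRAFFIC)` does not, which is exactly the distinction the proofs rely on: a secret may appear inside the traffic and still be unobtainable. Once `Key("Kb")` is added, `analz` opens the ticket, obtains `Kab`, and then opens the second message too, and the spoof becomes synthesisable.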
5 November Linking trust with network reliability - the byzantine generals strike back / Mike Burmester, Royal Holloway, London
Room TP4, Computer Laboratory
Reliability against failures from faulty links in an open network is usually assured by employing a network which has an appropriate topology. Security is assured by authenticating (and/or encrypting) the exchanged messages. For this, however, a certain degree of trust among the participating entities is needed. `Trusted paths' can be regarded as edges of a graph which we call the security graph. Usually it is assumed that this graph is almost complete, and that the entities are aware of its topology. In our scenario this is not the case.
We link trust with reliability, by analyzing the security graph. There are two models, a deterministic one in which the relative trust in a path is a Boolean expression, and a probabilistic one in which the vertices are assigned probabilities, and the trust in a path is a probability associated with the Boolean expression. We then discuss the `consensus problem' in the new scenario.
The talk is based on recent work with Yvo Desmedt. It is related to earlier work by Beth-Borcherding-Klein, Maurer and Reiter-Stubblebine, but differs in some important respects.
29 October New technologies and better privacy / Francis Aldhouse, Office of the Data Protection Registrar
Room TP4, Computer Laboratory
The Information Society will soon be upon us. Government and the private sector are looking to the new information technologies as a means of delivering goods and services more efficiently, more profitably and less expensively. Smart Cards and Active Badges to personalise network systems, Multimedia Work Space systems, e-mail communication can all be a benefit to the individual. At the same time these systems have the capability of increasingly tracking and recording our activities. They create a surveillance society by accident.
This need not be so. Technologies can be implemented to enhance and not invade personal privacy. Privacy enhancing technology should be the approach of the ethical engineer.
22 October Clock controlled sequence generators and their cryptanalysis / Bill Chambers, King's College, London
Room TP4, Computer Laboratory
There have been a number of recent developments in the design of clock-controlled shift registers, where feedback shift registers are stepped irregularly in an attempt to break up their linearity while maintaining good statistical properties. Among recent developments are the shrinking generator, and the "alleged A5" cipher. At the same time there have been a number of cryptanalytic attacks by Menicocci, by Zivkovic and by Golic, amongst others. I shall talk about basic generators such as the step-1/2 and shrinking generators and the attacks proposed by Zivkovic ("embedding") and Golic ("linearisation"). Then I shall consider the stop-go Gollmann cascades and the attacks proposed by Menicocci and by Park et al. (Here the clocking sequences are XOR'd with the outputs from the clocked registers.) The attacks proposed by Zivkovic have been extended to step-1/2 Gollmann cascades, and have been found equivalent to the "lock-in" attacks discovered earlier.
One of my big points is that most of these attacks are easily parried.
If time permits I shall mention some systems which have not yet been seriously attacked, in the hope of encouraging someone to have a go. Among these are systems with mutual clock-control, for which no very rigorous theory is known.
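Two of the basic generators named in the abstract are simple enough to write down. The block below is an added example, not the speaker's code: a small Fibonacci LFSR class, a shrinking generator (the selection register S decides which output bits of A are kept) and a step-1/2 generator (the control register decides whether the data register is stepped once or twice before each output bit). The feedback polynomials x^4+x+1 and x^5+x^2+1 and the initial states are toy values chosen so that the sequences can be checked by hand; a real keystream generator uses far longer registers, and the particular tap and output conventions here are assumptions of the example, not a description of any deployed cipher.

```python
class LFSR:
    """Fibonacci LFSR over GF(2).

    state[0] is the bit shifted out on each clock; the new bit entering at
    the far end is the XOR of state[t] for t in taps, so taps=[0, 1] with a
    4-bit state implements s[i+4] = s[i] ^ s[i+1], i.e. x^4 + x + 1.
    """

    def __init__(self, taps, state):
        if not any(state):
            raise ValueError("all-zero state never leaves zero")
        self.taps = list(taps)
        self.state = list(state)

    def clock(self):
        out = self.state[0]
        new = 0
        for t in self.taps:
            new ^= self.state[t]
        self.state = self.state[1:] + [new]
        return out

    def bits(self, n):
        return [self.clock() for _ in range(n)]


def shrinking_generator(a, s, nbits):
    """Clock A and S together; emit A's bit only when S's bit is 1.
    Output rate is irregular (about half of A's bits survive on average)."""
    out = []
    while len(out) < nbits:
        a_bit, s_bit = a.clock(), s.clock()
        if s_bit:
            out.append(a_bit)
    return out


def step_half_generator(control, data, nbits):
    """Step-1/2 generator: for each output, step the data register once,
    and a second time when the control bit is 1; emit the last bit shifted out."""
    out = []
    for _ in range(nbits):
        c = control.clock()
        d = data.clock()
        if c:
            d = data.clock()
        out.append(d)
    return out


def make_a():
    return LFSR(taps=[0, 1], state=[1, 0, 0, 0])       # x^4 + x + 1, period 15


def make_s():
    return LFSR(taps=[0, 2], state=[1, 0, 0, 0, 0])    # x^5 + x^2 + 1, period 31


if __name__ == "__main__":
    print("A         :", make_a().bits(15))
    print("S         :", make_s().bits(15))
    print("shrinking :", shrinking_generator(make_a(), make_s(), 6))
    print("step-1/2  :", step_half_generator(make_s(), make_a(), 8))
```

The irregular clocking is what the embedding and linearisation attacks in the talk exploit: the output of the shrinking generator is a subsequence of A's (linear) sequence, and the attacker's task is to find which positions were dropped, or to write the decimation as linear equations in the unknown initial states.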
15 October On the elgamal family signatures and electronic cash / Wenbo Mao, Hewlett Packard Laboratories, Bristol
8 October A calculus for cryptographic protocols: the spi calculus / Andy Gordon, University of Cambridge
Room TP4, Computer Laboratory
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.
This is joint work with Martin Abadi.
23 September Symmetric-key ciphers based on hard problems / Matt Blaze, AT&T Research
Room TP4, Computer Laboratory
A useful principle in cipher design is to reduce or at least relate closely the cryptanalysis of the cipher to some long-studied problem that is believed to be difficult. Most public-key ciphers follow this principle fairly closely (e.g., RSA is at least similar to factoring). Modern symmetric-key ciphers, on the other hand, can rarely be reduced in this way and so are frequently designed specifically to resist the various known cryptanalytic attacks. In this informal talk, we examine a simple cipher primitive, based on Feistel networks, for which recovery of its internal state given its inputs and outputs is NP-complete. We outline simple and efficient block- and stream- cipher constructions based on this primitive.
1995
28 November Quantum computation: theory and experiments / Artur Ekert, Oxford University
Room TP4, Computer Laboratory
As computers become faster they must become smaller because of the finiteness of the speed of light. The history of computer technology has involved a sequence of changes from one type of physical realisation to another - from gears to relays to valves to transistors to integrated circuits and so on. Quantum mechanics is already important in the design of microelectronic components. Soon it will be necessary to harness quantum mechanics rather than simply take it into account, and at that point it will be possible to give data processing devices new functionality. Quantum entanglement and quantum interference will make quantum computation so powerful that many problems, which are believed to be intractable on any classical computer, will become efficiently solvable. In order to illustrate the power of quantum data processing a brief discussion of Shor's quantum factoring algorithm will be provided and possibilities of its practical implementation will be discussed.
Oxford Quantum Computation pages
21 November Firewalls as a network security tool (past, present and future) / Alec Muffett, Sun Microsystems
Room TP4, Computer Laboratory
The "Firewall" - taking the (quite broad) definition of a firewall's being any device designed (in some manner) to restrict "soft" access to a network - has migrated from being a tool of the paranoid systems administrator, into being a standard part of modern network infrastructures.
This seminar will review why this situation has come about, what modern firewall architectures (both basic and advanced) look like, examine what they can/cannot accomplish, and will speculate upon the future potential of firewalls as access-security devices.
14 November Computer based fingerprint recognition / Mike Lynch, Cambridge Neurosciences Ltd
Room TP4, Computer Laboratory
Fingerprints are the most specific known characteristics of people and are able to identify them uniquely over very large databases. However the low quality of fingerprint data found for example at the scene of a crime can challenge the ability of computer based methods to exploit all the inherent information. Recent advances in pattern recognition methods such as neural networks have led to highly accurate automated systems which have found applications in police, national registration, welfare and immigration systems. The new technologies have also been applied to biometric identification problems, producing new, very low cost, accurate readers for computer and physical access control.
7 November Paranoia and location / Ian Jackson, Cambridge University
Room TP4, Computer Laboratory
Increasingly widespread use is being made of technologies which allow individuals to be located and tracked. Many users express significant privacy concerns. Also, when systems such as these are used to make access control decisions such as unlocking doors and teleporting computer login sessions, a higher degree of security is demanded than was often initially planned.
In this talk I will show how technology similar to the Cypherpunk remailers, but on a smaller scale, can be used to give the user complete control over the information about their location, but still let them prove where they are to parts of the infrastructure when they need to.
PostScript version of slides
31 October Engineering aspects of fast network payments / Chris Sutherland and Harry Manifavas, Cambridge University
Room TP4, Computer Laboratory
There is considerable interest at present in protocols for `electronic commerce', which is usually taken to mean paying for video on demand, worldwide web pages and access to libraries and software. It is often supposed that this is a new field, but network payment mechanisms have been around for years. We describe their history and the lessons which should be learned. We then describe a number of recent proposals, and present a digital cash proposal of our own.
24 October Using process algebra to break security protocols / Gavin Lowe, Oxford University
Room TP4, Computer Laboratory
In this talk I will describe how we may analyze security protocols using CSP and its refinement checker FDR. Briefly, we encode the protocol in CSP, produce a CSP model of the most general attacker who can interact with the protocol, and use FDR to test whether the resulting system is secure. I will show how to apply this method to the well known Needham-Schroeder Public-Key Protocol. FDR discovers an attack upon the protocol, which allows an intruder to impersonate another agent. I will then show how to adapt the protocol to prevent this attack, and briefly indicate how we may use FDR to prove that the resulting protocol is secure.
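The attack the abstract refers to is Lowe's man-in-the-middle on the Needham-Schroeder public-key protocol, and the adaptation is the one now known as Needham-Schroeder-Lowe (the responder adds its own name to the second message). The following is an added example, not the CSP/FDR model from the talk: a symbolic Python model in which encryption is a tagged tuple that only the named principal can open, and the intruder runs both the original and the fixed protocol. Principal names, nonce labels and the helper names are arbitrary.

```python
"""Symbolic Needham-Schroeder public-key protocol, Lowe's attack, Lowe's fix.
Added example; encryption is modelled symbolically, not computed."""


def enc(to, *payload):
    """{payload}_{K_to}: only principal `to` can open it."""
    return ("enc", to, payload)


def dec(me, msg):
    tag, to, payload = msg
    if tag != "enc" or to != me:
        raise ValueError(f"{me} cannot decrypt a message addressed to {to}")
    return payload


class Initiator:
    def __init__(self, name, peer, nonce, fixed):
        self.name, self.peer, self.nonce, self.fixed = name, peer, nonce, fixed
        self.peer_nonce = None

    def msg1(self):
        return enc(self.peer, self.nonce, self.name)          # {Na, A}_Kpeer

    def msg3(self, m2):
        payload = dec(self.name, m2)
        if self.fixed:
            na, nb, who = payload
            # Lowe's fix: the responder names itself, and it must be the
            # principal this initiator believes it is talking to.
            if who != self.peer:
                raise ValueError(f"{self.name}: reply names {who}, expected {self.peer}")
        else:
            na, nb = payload
        if na != self.nonce:
            raise ValueError("nonce mismatch")
        self.peer_nonce = nb
        return enc(self.peer, nb)                              # {Nb}_Kpeer


class Responder:
    def __init__(self, name, nonce, fixed):
        self.name, self.nonce, self.fixed = name, nonce, fixed
        self.peer = self.peer_nonce = None
        self.accepted = False

    def msg2(self, m1):
        na, who = dec(self.name, m1)
        self.peer, self.peer_nonce = who, na
        if self.fixed:
            return enc(who, na, self.nonce, self.name)         # {Na, Nb, B}_KA
        return enc(who, na, self.nonce)                        # {Na, Nb}_KA

    def finish(self, m3):
        (nb,) = dec(self.name, m3)
        if nb != self.nonce:
            raise ValueError("nonce mismatch")
        self.accepted = True                                   # believes peer is A


def honest_run(fixed):
    """A talks to B with no intruder: both variants complete."""
    a = Initiator("A", peer="B", nonce="Na", fixed=fixed)
    b = Responder("B", nonce="Nb", fixed=fixed)
    b.finish(a.msg3(b.msg2(a.msg1())))
    return b.accepted and a.peer_nonce == b.nonce and b.peer == "A"


def lowe_attack(fixed):
    """A opens a legitimate session with the intruder I; I re-uses A's messages
    to impersonate A to B. Returns (B accepted 'A', I learned B's nonce)."""
    a = Initiator("A", peer="I", nonce="Na", fixed=fixed)
    b = Responder("B", nonce="Nb", fixed=fixed)
    intruder_knows = set()
    try:
        m1 = a.msg1()                       # A -> I    : {Na, A}_KI
        na, _ = dec("I", m1)                # I opens it, learns Na
        intruder_knows.add(na)
        m2 = b.msg2(enc("B", na, "A"))      # I(A) -> B : {Na, A}_KB ; B -> I(A): {Na, Nb}_KA
        m3 = a.msg3(m2)                     # I -> A    : forwards B's reply unchanged
        (nb,) = dec("I", m3)                # A -> I    : {Nb}_KI  -> I learns Nb
        intruder_knows.add(nb)
        b.finish(enc("B", nb))              # I(A) -> B : {Nb}_KB
    except ValueError:
        pass
    return b.accepted, b.nonce in intruder_knows


if __name__ == "__main__":
    print("original protocol, attack (B accepts A?, I knows Nb?):", lowe_attack(False))
    print("Lowe's fix, attack:", lowe_attack(True))
```

In the original protocol B finishes believing it shares Nb with A while the intruder holds Nb; with the fix A rejects the forwarded message because it names B rather than the peer A chose, and the attack fails at step 3 of the exchange.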
17 October A CSP approach to verifying crypto protocols / Peter Ryan, Defence Research Agency, Malvern
Room TP4, Computer Laboratory
We give an overview of a research project aimed at applying formal methods to the analysis and design of cryptographic protocols, and present some results on the specification using CSP of their security properties, including authentication, key exchange/distribution, robustness, non-repudiation, integrity, confidentiality and anonymity.
We can also model communications systems, and hostile agents, in CSP, and so we can analyse whether the security properties are upheld. We describe how the CSP model-checker FDR can be used to assist, and illustrate this with examples of how our techniques found flaws in published protocols, and how they can assist in the design of new or improved protocols.
10 October Problems of stream cipher generators with mutual clock control / Bill Chambers, King's College, London
Room TP4, Computer Laboratory
The speaker has been looking at the cycle structure of an algorithm posted just over a year ago on the Internet and alleged to be the secret A5 algorithm used for confidentiality in the GSM mobile telephone system. This algorithm employs three mutually clock-controlled shift registers, and can fairly quickly enter a loop with what is essentially the shortest possible period, a number very small compared with the total number of states, or even its square root. Moreover this behaviour is robust, not being influenced by factors such as choice of primitive feedback polynomial or even clocking logic (with a proviso to be discussed). A fairly straightforward explanation for this behaviour has been found. Some ways of getting around the problem of excessively short periods are considered, as well as the behaviour of systems with different numbers of mutually clocked registers. In particular a mention is made of the wartime T52e cipher, perhaps the inspiration for "alleged A5".
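The two abstracts by this speaker (the one above on the alleged A5 generator, and the later one that covers the step-1/2 and shrinking generators and mutual clock control) describe constructions that are easy to see in code. The following is an added example, not the speaker's code and not the posted "alleged A5" algorithm: small Fibonacci LFSRs with arbitrary primitive feedback polynomials (x^3+x+1, x^4+x+1, x^5+x^2+1), a shrinking generator, a step-1/2 generator, and a three-register majority-rule mutual clock control whose joint state walk is traced until it repeats, so the tail and cycle length can be compared with the 7*15*31 joint states three independently stepped registers would visit. Register sizes, taps and clock-tap positions are toy choices.

```python
class LFSR:
    """Fibonacci LFSR over GF(2). The n-bit state holds s[i..i+n-1] with bit 0
    the oldest bit (the output); each step computes s[i+n] as the XOR of the
    state bits listed in `taps`. n=3, taps=(0, 1) is s[i+3] = s[i+1] ^ s[i],
    i.e. the primitive polynomial x^3 + x + 1, period 7."""

    def __init__(self, n, taps, state):
        if not 0 < state < (1 << n):
            raise ValueError("state must be non-zero and fit in n bits")
        self.n, self.taps, self.state = n, tuple(taps), state

    def step(self):
        new = 0
        for t in self.taps:
            new ^= (self.state >> t) & 1
        out = self.state & 1
        self.state = (self.state >> 1) | (new << (self.n - 1))
        return out

    def period(self):
        """Steps until the state first returns to its starting value."""
        start, count = self.state, 0
        while True:
            self.step()
            count += 1
            if self.state == start:
                return count


def shrinking(selector, source, steps):
    """Shrinking generator: both registers are clocked together and a source
    bit is kept only when the selector bit is 1."""
    out = []
    for _ in range(steps):
        a, s = selector.step(), source.step()
        if a:
            out.append(s)
    return out


def step_1_2(control, data, steps):
    """Step-1/2 generator: the control bit decides whether the data register
    is clocked once (0) or twice (1); the data register's last output is emitted."""
    out = []
    for _ in range(steps):
        c = control.step()
        bit = data.step()
        if c:
            bit = data.step()
        out.append(bit)
    return out


class MajorityClocked:
    """Three mutually clock-controlled registers under a majority rule: each
    register exposes one clocking tap, and only the registers whose tap agrees
    with the majority of the three are stepped. Output is the XOR of the
    registers' low bits after stepping. Toy sizes, not the posted algorithm."""

    def __init__(self, regs, clock_taps):
        self.regs, self.clock_taps = regs, clock_taps

    def state(self):
        return tuple(r.state for r in self.regs)

    def step(self):
        taps = [(r.state >> t) & 1 for r, t in zip(self.regs, self.clock_taps)]
        majority = 1 if sum(taps) >= 2 else 0
        for r, t in zip(self.regs, taps):
            if t == majority:
                r.step()
        out = 0
        for r in self.regs:
            out ^= r.state & 1
        return out


def find_cycle(gen):
    """Iterate until the joint state repeats. Majority clocking is not injective,
    so the walk is a tail followed by a cycle; returns (tail_length, cycle_length)."""
    seen, steps = {gen.state(): 0}, 0
    while True:
        gen.step()
        steps += 1
        s = gen.state()
        if s in seen:
            return seen[s], steps - seen[s]
        seen[s] = steps


def three_register_demo():
    regs = [LFSR(3, (0, 1), 1), LFSR(4, (0, 1), 1), LFSR(5, (0, 2), 1)]
    return find_cycle(MajorityClocked(regs, (1, 2, 2)))


if __name__ == "__main__":
    print("LFSR periods:", [LFSR(3, (0, 1), 1).period(), LFSR(4, (0, 1), 1).period(),
                            LFSR(5, (0, 2), 1).period()])
    print("shrinking:", shrinking(LFSR(3, (0, 1), 1), LFSR(3, (0, 1), 3), 7))
    print("step-1/2:", step_1_2(LFSR(3, (0, 1), 1), LFSR(3, (0, 1), 1), 7))
    print("majority-clocked (tail, cycle):", three_register_demo(), "of at most", 7 * 15 * 31)
```

The `find_cycle` walk is the experiment the abstract describes in miniature: run the joint state machine from a chosen start and see how long the cycle it falls into is; the three registers on their own would only return to the start after 3255 steps.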
22 August Extra seminar: Authentication in distributed systems - principles and pitfalls / Martin Abadi, DEC Systems Research Center
Old Discussion Room, Computer Laboratory
Authentication is one of the bases of security in distributed systems, yet authentication protocols often contain serious flaws. We discuss some principles for the design of authentication protocols. The principles are neither necessary nor sufficient for correctness. They are however helpful, in that adherence to them would have avoided a considerable number of published errors. We also discuss logics designed for the analysis of authentication protocols, and their relation to the informal principles.
23 June Extra seminar: Securing traceability of ciphertexts - towards a software key escrow system / Yvo Desmedt, University of Wisconsin
Phoenix Seminar Room (Room PO3), Computer Laboratory
The Law Enforcement Agency Field (LEAF), which is sent with the ciphertext in the Clipper system, allows the FBI (police) to trace the sender and receiver of a call. However, the design requires tamperproof hardware. We propose an alternative approach, which is based on the computational complexity of some well known problems in number theory. Its applications extend beyond key escrow.
16 June Extra seminar: The Rampart toolkit for building high-integrity services / Mike Reiter, Bell Labs
Room TP4, Computer Laboratory
Rampart is a toolkit of protocols to facilitate the development of "high-integrity" services, i.e., distributed services that retain their availability and correctness despite the malicious penetration of some component servers by an attacker. At the core of Rampart are new protocols that solve several basic problems in distributed computing, including asynchronous group membership, reliable multicast (Byzantine agreement), and atomic multicast. Using these protocols, Rampart supports the development of high-integrity services via the technique of "state machine replication", and also extends this technique with a new approach to server output voting. In this talk we give an overview of Rampart, focusing primarily on its protocol architecture. We also discuss its performance in our prototype implementation, application services that we are developing, and other ongoing work.
13 June Securing asynchronous transfer mode / Shaw Chuang, University of Cambridge
Room TP4, Computer Laboratory
Asynchronous transfer mode (ATM) is often described as the technology that will allow total flexibility and efficiency to be achieved in tomorrow's high speed, multi-service, multimedia networks. There has been an enormous amount of research activity in this area. However security issues for the ATM networks were much ignored in the past.
ATM networks introduce unique security concerns that must be addressed to ensure confidentiality and integrity of data. This talk will give an outline of the issues in securing the ATM networks and report on the on-going research effort in the area.
PostScript version of slides
30 May Nonrepudiation protocols / Dieter Gollmann, University of London
Room TP4, Computer Laboratory
For electronic business to mature, electronic transactions have to be made binding for sender and receiver. Digital signatures meet the original goals of non-repudiation quite adequately, but often further requirements are added, which demand the involvement of some trusted third party.
This talk will give an outline of current suggestions for non-repudiation protocols, discuss in more detail one particular protocol which tries to reduce the involvement of the trusted third party, and raise some points regarding the design and verification of such protocols.
23 May Factoring for computer scientists / Robert Morris, University of Cambridge and NSA
Room TP4, Computer Laboratory
Thesis I: During the past few decades, there has been an immense amount of research on the factorization of large integers. The size of the largest numbers that can be readily and rapidly factored into primes has increased from about twenty or thirty digits a few decades ago, to perhaps one hundred digits nowadays.
Thesis II: The amount of innovation in the theory and practice of factorization in the past century or so has been disappointingly small. The result is that a competent mathematician of the mid 19th century would perceive modern factorization methods as merely minor modifications to the methods known in his own day. Yet these "minor modifications" are themselves of considerable interest.
Modern research papers in this subject are remarkably difficult to read and understand. The amount of space and time spent on deriving detailed asymptotic estimates of space and running time interferes greatly with understanding the underlying methods.
I propose to discuss factorization methods, both old and new, and in a way that will be accessible to an audience that understands just a tiny amount of number theory.
PostScript version of slides
16 May Trusted third parties / Mark Lomas, University of Cambridge
Room TP4, Computer Laboratory
What is trust? When people use the term "Trusted Third Party" what exactly do they mean? Often they don't mean what they think they do.
My dictionary gives several definitions, including:
- a firm belief in the reliability or truth or strength etc. of a person or thing.
- the state of being relied upon.
- something that is capable of violating your security policy.
2 May Nested signatures / Bruce Christianson, University of Hertfordshire
Room TP4, Computer Laboratory
Public key cryptosystems allow in theory the development of theft-proof capabilities which can be held in user space, passed across untrusted networks, and used without on-line authentication of the presenter, but which cannot be stolen and used successfully by an imposter, even with the collusion of certification authorities.
However, achieving this efficiently makes it desirable to refer to electronic instruments by their signatures rather than including complete texts. We discuss some key-spoofing attacks on theft-proof capabilities constructed using RSA and possible countermeasures. We conclude that PKCs would be more useful if their signature depended strongly on the public key of the certification authority.
1994
9 December A markov approach to the design of product ciphers / Luke O'Connor, Queensland University of Technology
Room TP4, Computer Laboratory
Most modern symmetric key ciphers are instances of product ciphers, which were first suggested by Shannon soon after WWII. Such ciphers, which include DES, FEAL, LOKI and IDEA, iterate a fixed round function F to produce the encryption function. This iterative structure suggests that they can be modelled as a Markov chain, whose powers correspond in some manner to the iteration of F.
In this talk we will show that two highly acclaimed attacks, differential and linear cryptanalysis, can be modelled as Markov chains and that most product ciphers will be resistant to these attacks given a sufficient number of rounds.
5 December Extra seminar: Security in cyberspace: an emerging challenge for society / Richard O. Hundley and Robert H. Anderson, RAND Corporation
Room TP4, Computer Laboratory
- Note: usual room contrary to previous announcement
As more and more human activities move into cyberspace, they become exposed to a new set of vulnerabilities, that can be exploited by a wide spectrum of "bad actors" for a variety of motives. This seminar discusses questions such as: (1) How serious are the likely threats to different segments of society, both today and in the future, from cyberspace-based attacks? (2) What are the best strategies for achieving security in cyberspace? (3) What roles and missions should various national entities be assigned? (4) Are there specific services and institutions that play such vital roles in society that their protection from cyberspace-based attacks should be of national concern? This presentation does not answer all these questions, but at least attempts to structure the discussion so that meaningful answers can be obtained.
(Please note that this seminar is not being held in the normal venue. The Phoenix seminar room is room PO3 at the west of the New Museums Site.)
29 November Computer generated evidence / Mark Lomas, Cambridge University
Room TP4, Computer Laboratory
Recent activity in the security community has concentrated on computer networks and new services they may provide. This work tends to overlook the more mundane services that we take for granted.
Computer technology has reduced the entry cost for forgers, or it may be said to reduce the skill necessary to produce convincing forgeries. To combat this I suggest that paper documents such as banknotes and cheques will need to incorporate machine-readable security information, and many documents used as evidence in courts may have to change drastically in the next few years.
15 November X/Open cryptographic service model / Piers McMahon, ICL
Room TP4, Computer Laboratory
With increased requirements for cryptographic security, there is a growing number of products on the market which provide such services as encryption, digital signature, and key exchange. While it is possible to write applications which use these products, there are no vendor-neutral standards, so any applications which use cryptographic services need to bind to proprietary APIs.
This talk will give an overview of the work of the X/Open Security Working Group in defining a generic cryptographic service API to meet the requirements for application interfaces to cryptographic and key management services. It will show how the X/Open work is building from existing key management models and from extensive implementation experience; and that the agreed service model will be comprehensive, practical, applicable to both software and hardware, algorithm independent, and take account of compliance with export control laws, and controls on cryptographic usage.
1 November Pretty good privacy / Phil Zimmermann
Hopkinson Lecture Theatre, New Museums Site
Modern technology has made it easier for governments to invade the privacy of their citizens and monitor political opposition groups. But cryptography has started to provide a means of reversing certain aspects of this erosion of privacy, thus affecting the power relationship between governments and citizens.
Philip Zimmermann is the creator of PGP (Pretty Good Privacy), the worldwide de facto standard for the encryption of email. It is published as free software, and has spread like dandelion seeds blowing in the wind, fanned by the firestorm of controversy at government efforts to suppress public access to strong cryptography. This has caused conflict with the US National Security Agency's desire to restrict the use of high-quality encryption, and he is being investigated for possible violation of export controls on munitions.
19 October Robust computer security (will be held in the Babbage Lecture Theatre) / Ross Anderson, Cambridge University
Babbage Lecture Theatre
The relationship between security and reliability is not straightforward. On the one hand, a secure system does at most X, while a reliable system does at least X; so the two concepts seem in tension. On the other hand, recent experience investigating the failure modes of automatic teller machines, satellite TV encoders, prepayment electricity meters and burglar alarms has shown that almost all real world security failures are in fact reliability failures - they result from blunders in implementation and management. After describing some of this experience, I will discuss a robustness principle which has been derived from it, and which has proved itself useful in guiding security research.
This seminar will be multicast (audio and video) on the mbone as part of our multimedia test programme. Further information is available at http://www.cl.cam.ac.uk/mbone/#cl.
18 October Implications of an analytical survey of information systems security design methods / Richard Baskerville, Binghamton University
Room TP4, Computer Laboratory
A recent survey of three generations of general information system design methods provides a framework for understanding current security design practice. The methods used may depend on checklists of controls, divide functional requirements into engineering partitions, or create abstract models of both the problem and the solution. An analysis of this survey reveals that security methods lag behind general systems development methods, and that many general methods fail to consider security specifications rigorously. These findings suggest that more general software engineering techniques cannot succeed without explicit security considerations.
8 June Factoring RSA-129 / Paul Leyland, University of Oxford
Hopkinson Lecture Theatre, New Museums Site, Pembroke Street, Cambridge
In August 1977, Scientific American published a description of the newly-invented RSA public key cryptosystem. The inventors, Rivest, Shamir and Adleman, offered a $100 prize to the first person or group to break an implementation by factoring a 129-digit integer.
In this talk, I will describe how RSA-129 was factored by a collaboration of hundreds of workers spread around the world. I will concentrate mostly on the resource-management and organizational problems (rather than the number theory) behind what is probably the largest single computation ever performed.
1 June Factoring RSA-129 (postponed until next week) / Paul Leyland, University of Oxford
Hopkinson Lecture Theatre, New Museums Site, Pembroke Street, Cambridge
24 May Integrating security in inter-domain routing protocols / John Crowcroft, University of London
Room TP4, Computer Laboratory (should also be multicast live over SuperJANET)
Network routing protocols work in a vulnerable environment. Unless protected by appropriate security measures, their operation can be easily subverted by intruders capable of modifying, deleting or adding false information in routing updates. This paper analyses threats to the secure operation of inter-domain routing protocols, and proposes various countermeasures to make these protocols secure against external threats.
17 May A test suite for random number generators / Jonathan Hart, University of Cambridge
Room TP4, Computer Laboratory
Many applications, such as key generation in cryptography, rely on sources of unpredictable behaviour, which typically take the form of a random or pseudorandom number generator. It is of importance to designers and users to be able to evaluate the effectiveness of these devices.
The talk will cover the evaluation techniques implemented by a software suite we have written. A variety of statistical tests will be discussed, together with more specific methods such as linear complexity and the spectral test. Other tests, including sequence complexity and the binary derivative, will be mentioned in connection with the commercially available Crypt-XS package.
Some theoretical background will also be covered, including Yao's theorem which provides justification for a statistical approach, and the work of various authors on linear complexity.
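Two of the tests the abstract names are short enough to show in full. The following is an added example, not the suite described in the talk: a frequency (monobit) test and the Berlekamp-Massey algorithm for linear complexity, run over a constructed input. The input is the period-7 output of the LFSR x^3 + x + 1 repeated nine times, chosen because it passes the frequency test yet has linear complexity 3, which is exactly the kind of failure a purely statistical battery misses. The 0.01 significance level is an assumption.

```python
import math
import random


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): the length of the shortest LFSR that
    generates `bits`. A truly random sequence of length n has complexity
    close to n/2; an LFSR output of any length has the register length."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1               # current complexity, index of last change
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                  # discrepancy: current LFSR fails at bit i
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def monobit_p_value(bits):
    """Frequency test: two-sided p-value that the balance of ones and zeros is
    consistent with a fair coin (normal approximation to the binomial)."""
    s = sum(2 * bit - 1 for bit in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))


def evaluate(bits, alpha=0.01):
    """Run both tests and report, per test, whether the sequence passes.
    The linear-complexity criterion (within n/4 of n/2) is an assumed rule of
    thumb, not a published threshold."""
    n = len(bits)
    p, lc = monobit_p_value(bits), linear_complexity(bits)
    return {
        "n": n,
        "monobit_p": p,
        "monobit_pass": p >= alpha,
        "linear_complexity": lc,
        "linear_complexity_pass": abs(lc - n / 2) <= n / 4,
    }


# Constructed inputs: the m-sequence of x^3 + x + 1, and seeded pseudo-random bits.
M_SEQUENCE = [1, 0, 0, 1, 0, 1, 1]


def random_bits(length, seed):
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(length)]


if __name__ == "__main__":
    print("LFSR output x9:", evaluate(M_SEQUENCE * 9))
    print("seeded random 256:", evaluate(random_bits(256, seed=7)))
```

On the repeated LFSR output the frequency test passes (36 ones against 27 zeros is unremarkable for 63 bits) while the linear complexity comes out at 3; on the 256 pseudo-random bits it sits near 128.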
10 May Wiretapping, forgery and plausible deniability / Mike Roe, University of Cambridge
Room TP4, Computer Laboratory
The purpose of any security service is either to ensure that an event happens or to prevent an event happening (liveness or safety). Software reliability is typically concerned with events that are universally agreed to be beneficial or harmful. On the other hand, computer security is typically concerned with events that are beneficial to some persons while harming others.
It follows that whether a computer security service is desirable or not depends upon who you are, and how you are affected by the events that it causes or prevents.
Traditionally, research interest has been focused on the services known as confidentiality, integrity and non-repudiation, and has neglected the converse services of wiretapping, forgery and plausible deniability.
Recent proposals for national cryptographic infrastructures are attempting to redress this historical imbalance. We will describe some possible protocols for achieving these new services, both with and without the use of trusted third parties.
3 May Key management / Fred Piper, University of London
Room TP4, Computer Laboratory
Key management is undoubtedly one of the most important aspects of any cryptographic system. The skill of the designers who produce algorithms to withstand sophisticated cryptanalytic attacks is completely wasted if keys can be obtained by much simpler means such as seeing them displayed on a screen.
In this seminar we will present a low-level discussion on some of the basic aspects of key management; generation, distribution, storage, change and destruction. The discussion will encompass both symmetric and asymmetric systems.
For a symmetric system all keys must be secret and the distribution of those keys, particularly during initialisation, is a major headache. The introduction of asymmetric systems removed the requirement that all keys must be secret and thus changed the nature of the key distribution problem. However, for asymmetric systems public keys must be authentic and must have other specific properties. These requirements create new problems.
Generic key hierarchical systems will be discussed and, possibly, some schemes designed to solve specific problems, e.g. the transaction key system for EFTPOS. The relevant standards will also be mentioned.
26 April Extending the BAN logic to secrecy / Ian Jackson, University of Cambridge
20 April A new technique for biometric recognition / John Daugman, University of Cambridge
Babbage Lecture Theatre, New Museums Site
Samples from stochastic signals with sufficient complexity need reveal only very little agreement in order to reject the hypothesis that they arise from independent sources. The failure of a statistical test of independence can thereby serve as a basis for recognising signal sources if they possess enough degrees of freedom. Combinatorial complexity of stochastic detail can lead to similarity metrics having binomial type distributions, and this allows decisions about the identity of signal sources to be made with astronomic confidence levels.
I will describe an application of these statistical pattern recognition principles in a system for biometric personal identification that analyses the random texture visible at some distance in the iris of a person's eye. There is little genetic penetrance in the phenotypic description of the iris, beyond colour, form and physiology. Since its detailed morphogenesis depends on the initial conditions in the embryonic mesoderm from which it develops, the iris texture itself is stochastic, if not chaotic. The recognition algorithm demodulates the iris texture with complex valued 2D Gabor wavelets, and coarsely quantises the resulting phasors to build a 256 byte `iris code' whose entropy is roughly 173 bits. Ergodicity and commensurability facilitate extremely rapid comparisons of entire iris codes using 32-bit XOR instructions. Recognition decisions are made by exhaustive database searches at the rate of about 10,000 persons per second.
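The statistical argument above (a similarity metric with a binomial distribution, decisions by a test of independence, comparison by XOR) can be reproduced on constructed data. The following is an added example, not the speaker's recognition system: 2048-bit codes are built from 173 independent bits so that they have the stated degrees of freedom, compared by XOR and popcount, and the degrees of freedom are recovered from the impostor distribution with the binomial fit N = p(1-p)/sigma^2. The 0.32 decision threshold, the 10% bit-flip rate for a re-sample of the same source, and the way the 173 underlying bits are expanded are all assumptions of the example.

```python
import random
from statistics import mean, pstdev

CODE_BITS = 2048        # 256-byte code, as in the abstract
DOF = 173               # degrees of freedom the abstract quotes
THRESHOLD = 0.32        # assumed decision threshold on normalised Hamming distance


def hamming_distance(code_a, code_b, bits=CODE_BITS):
    """Normalised Hamming distance between two codes held as ints:
    one XOR and a popcount, which is the whole comparison."""
    return bin(code_a ^ code_b).count("1") / bits


def expand(underlying, dof=DOF, bits=CODE_BITS):
    """Constructed stand-in for a code with `dof` degrees of freedom: position i
    of the code copies underlying bit i % dof, so the 2048-bit code carries
    only `dof` independent bits however many bits it contains."""
    code = 0
    for i in range(bits):
        if (underlying >> (i % dof)) & 1:
            code |= 1 << i
    return code


def random_code(rng, dof=DOF):
    """A code from a fresh, independent source."""
    return expand(rng.getrandbits(dof), dof)


def noisy_copy(code, rng, flip_fraction=0.10, bits=CODE_BITS):
    """The same source sampled again: a fixed fraction of positions flipped."""
    for i in rng.sample(range(bits), int(flip_fraction * bits)):
        code ^= 1 << i
    return code


def impostor_statistics(n_codes=200, seed=1):
    """Compare every pair of codes from independent sources. Returns the mean
    distance, the degrees of freedom estimated from the binomial fit
    p(1-p)/sigma^2, and the false-match rate at THRESHOLD."""
    rng = random.Random(seed)
    codes = [random_code(rng) for _ in range(n_codes)]
    dists = [hamming_distance(codes[i], codes[j])
             for i in range(n_codes) for j in range(i + 1, n_codes)]
    p, sigma = mean(dists), pstdev(dists)
    dof_estimate = p * (1 - p) / sigma ** 2
    fmr = sum(d <= THRESHOLD for d in dists) / len(dists)
    return p, dof_estimate, fmr


def genuine_distance(seed=1):
    """Distance between a code and a noisy re-sample of the same source."""
    rng = random.Random(seed)
    code = random_code(rng)
    return hamming_distance(code, noisy_copy(code, rng))


if __name__ == "__main__":
    p, dof, fmr = impostor_statistics()
    print(f"impostor mean {p:.3f}, estimated degrees of freedom {dof:.0f}, FMR {fmr:.2e}")
    print(f"genuine distance {genuine_distance():.3f} (threshold {THRESHOLD})")
```

Although every code is 2048 bits long, the spread of impostor distances is that of a 173-trial binomial, and the estimate recovers roughly that figure; this is why the number of independent bits, not the code length, sets the confidence of a rejection.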
1 March Clock controlled sequence generators / Bill Chambers, King's College, London
22 February Another attack on DES / Donald Davies
Room TP4, Computer Laboratory
The expansion permutation in DES duplicates two bits between each neighbouring pair of S-boxes. Before they enter the S-boxes, bits of key are added to them (mod 2 by bit). The difference between plain and cipher is a sum of 8 outputs of S-boxes and can reveal key information.
This attack can give 16 bits of key information but it takes a lot of samples for a reliable result. There could just possibly be applications where it mattered.
15 February Robustness in protocols and algorithms / Ross Anderson, University of Cambridge Computer Laboratory
Room TP4, Computer Laboratory
The ease with which design mistakes are made in computer security systems in general, and in cryptography in particular, lead us to ask whether it is possible to design systems whose security properties are robust, in the sense that they can cope with minor errors of design, implementation and operation.
However, when we look at other engineering disciplines, we see that the nature of robustness properties varies quite widely. Most civil engineering mistakes cause structures to be slightly weaker than planned, and so bridges are built to be several times stronger than they need to be; aircraft designers on the other hand duplicate critical components such as engines, instruments and pilots. We will argue that there is a comparable organising principle for computer and communications security systems.
8 February Database security / Simon Wiseman, Defence Research Agency, Malvern
1 February Detecting denial of service attacks / Roger Needham, University of Cambridge
Room TP4, Computer Laboratory
Denial of Service is a cinderella subject in security, since it is often supposed that there is not a lot that can usefully be said about it. There is very little literature in comparison with the huge amount published on confidentiality and authenticity. Some recent consulting work shows that there are things that can be said, and I shall present some of them using a suitably sanitised example.
18 January A new attack on algebraic coded cryptosystems / Keith Gibson, Birkbeck College, London
12 January How to steal a car / John Gordon, University of Hertfordshire and Concept Labs
Babbage Lecture Theatre, New Museums Site, Pembroke Street
Cars are stolen electronically. Widespread adoption of remote locking devices - electronic key fobs - has given rise to a new type of car theft. These devices send electronic signals which can be recorded and replayed using a so-called grabber, and this received considerable press attention following a recent court case. The seminar will describe the current state of affairs and how cryptographic techniques are leading to more theft-proof vehicles.
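The grabber attack and the cryptographic remedy the abstract points to can be modelled end to end. The following is an added example, not from the talk: a fixed-code fob whose single transmission a grabber records and replays, beside a challenge-response fob that answers a fresh random challenge from the car with an HMAC under a shared key, so that a recorded answer is worthless in a later session. The choice of HMAC-SHA256, the 16-byte challenge and the class names are assumptions; the abstract does not say which technique the vehicles use.

```python
import hashlib
import hmac
import os


class FixedCodeFob:
    """Early remote-locking fob: every press transmits the same code."""
    def __init__(self, code):
        self.code = code

    def press(self):
        return self.code


class FixedCodeCar:
    def __init__(self, code):
        self.code = code

    def unlock(self, transmission):
        return hmac.compare_digest(transmission, self.code)


class Grabber:
    """Records whatever goes over the air and replays the last capture."""
    def __init__(self):
        self.recorded = []

    def record(self, transmission):
        self.recorded.append(transmission)
        return transmission          # passes it on so the owner's press still works

    def replay(self):
        return self.recorded[-1]


class ChallengeResponseCar:
    """The car issues a fresh random challenge; the fob must answer with a MAC
    over that challenge under the shared key."""
    def __init__(self, key, random_bytes=os.urandom):
        self.key, self.random_bytes, self.pending = key, random_bytes, None

    def challenge(self):
        self.pending = self.random_bytes(16)
        return self.pending

    def unlock(self, response):
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None          # each challenge can be answered at most once
        return hmac.compare_digest(response, expected)


class ChallengeResponseFob:
    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def fixed_code_replay():
    """Owner unlocks once within range of a grabber; the thief replays later.
    Returns (owner unlocked, thief unlocked)."""
    code = os.urandom(4)
    fob, car, grabber = FixedCodeFob(code), FixedCodeCar(code), Grabber()
    owner_ok = car.unlock(grabber.record(fob.press()))
    thief_ok = car.unlock(grabber.replay())
    return owner_ok, thief_ok


def challenge_response_replay():
    """Same scenario against the challenge-response design."""
    key = os.urandom(16)
    fob, car, grabber = ChallengeResponseFob(key), ChallengeResponseCar(key), Grabber()
    owner_ok = car.unlock(grabber.record(fob.respond(car.challenge())))
    car.challenge()                  # a later session: the car picks a new challenge
    thief_ok = car.unlock(grabber.replay())
    return owner_ok, thief_ok


if __name__ == "__main__":
    print("fixed code  (owner, thief):", fixed_code_replay())
    print("challenge-response (owner, thief):", challenge_response_replay())
```

The recorded response only ever matches the challenge it was computed for; the thief would need the shared key, which never leaves the fob and the car.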
1993
25 February Computer security standards / Mike Roe, Computer Laboratory
18 February Open system security / John Bull, ANSA
Room TP4, Computer Laboratory
Distributed computer networks of unlimited extensibility and scale will evolve over the next decade. On behalf of their users, a huge variety of computers systems will offer, request and exchange services in an immense international open trading enterprise where there can be no central authority and no ubiquitous security infrastructure. This seminar will present a view that to meet the challenge we must take a radically different approach to computer security. It will argue for a change of emphasis, away from enforcement of administrator imposed security policies through an infrastructure, towards a regime of self-defence by individual service providers. It will discuss the policy nuances, required mechanisms and protocol design consequences that would follow from this change of direction.
11 February Combinatorial authentication / Ross Anderson, Computer Laboratory
Room TP4, Computer Laboratory
A number of digital signature schemes have been proposed (Fiat-Shamir, Micali-Shamir and Bos-Chaum) which work by using a hash function of the message to key a combinatorial subset product. We find that such schemes need to incorporate a certain amount of freshness if they are to be secure, and we explain and quantify this.
When we consider the properties that a hash function must possess in order to be useful in this kind of application, we find that, contrary to previous belief, collision freedom is not a sufficient condition for hash functions. In fact, given any collision free hash function, we construct a derived function which is also collision free but cryptographically useless. In the process, we settle an outstanding conjecture of Okamoto that correlation freedom is a strictly stronger property than collision freedom.
28 January Defining confidentiality by refinement / Jeremy Jacob, St Peter's College, Oxford
Room TP4, Computer Laboratory
The purpose of this talk is to give a formal definition of the term "Confidentiality Property". On the way, formal definitions will be given of related terms such as "Functionality property", "Cheapness property" and "Prestige property" (the last two being pedagogic toys).
The definitions of those terms is given in terms of a "refinement relation". Refinement relations are of interest as they capture the proof obligations for showing program correctness; and so our definitions are directly related to correctness concerns. The space of refinement relations is modelled as a set of pre-orders (quasi-orders).
21 January Complexity questions in cryptography / Dominic Welsh, Merton College, Oxford
Room TP4, Computer Laboratory
This talk will be a survey of some of the advances made recently on the frontier between complexity and cryptography. In particular, it will discuss the role of uniqueness and the importance of randomness in this area.
It will be self-contained and assume only a basic knowledge of complexity concepts, so should be accessible to nonspecialists as well as of interest to experts.
14 January Threshold cryptosystems / Yvo Desmedt, University of Wisconsin at Milwaukee
Room TP4, Computer Laboratory
Often the power to use a cryptosystem has to be shared. In threshold schemes, any k out of l shareholders have the power to generate a secret key (while fewer than k do not). However, threshold schemes cannot be used directly in many applications, such as threshold signatures, in which k out of l shareholders have to co-sign a message. A normal threshold scheme would require the shareholders to send their shares to a trusted person who would sign for them. But the use of such a trusted person violates the main point of threshold signatures!
The first concepts of threshold cryptography were independently introduced by Boyd, Croft-Harris and Desmedt; and schemes for threshold decryption, threshold authentication and threshold signature have been presented recently. At Crypto '92, Micali argued that the use of verifiable threshold schemes would facilitate the enforcement of court ordered wiretapping.
We first overview the research in the field and then present a threshold signature scheme which is as secure as RSA. This has the property that a court does not need to order the disclosure of a master key, but only the decryption of individual messages.
1992
3 December Polymorphic viruses and means to describe them / Dr Jan Hruska, Sophos Ltd.
Room TP4, Computer Laboratory
Recent developments in computer virus writing have caused a major rethink of the strategies used by anti-virus software to detect virus code. Apart from the constantly increasing requirement for storage of the information which describes each virus, the increasing number of polymorphic (encrypting, self-mutating) viruses has led to the development of algorithmic languages which describe virus code.
The lecture will include live demonstrations of computer viruses.
12 November Password security in distributed systems / Dr Mark Lomas, University of Cambridge Computer Laboratory
Room TP4, Computer Laboratory
The 'Internet Worm' exploited poorly chosen passwords to gain access to a very large number of computers; the UNIX password system is known to be weak against guessing attacks. It is less well known that many, if not most, authentication protocols are also subject to similar guessing attacks.
Several years ago a group of us (Li Gong, Jerry Saltzer, Roger Needham, and myself) proposed a technical solution to this problem. Our solution has been adopted by some, but not all, designers of cryptographic protocols.
I intend to demonstrate how one might break the schemes that did not adopt our suggestions. In particular I shall show how to break 'C2 secure' SunOS, NFS, and Kerberos. I'll also show how these schemes may be changed to protect against such attacks.
3 November Security of tcp/ip / Prof. James Davenport, University of Bath
Discussion Room, Computer Laboratory
The phrase "TCP/IP" is used to cover a multitude of independent protocols and mechanisms, some of which are Internet standards and others of which are vendor-specific or just "happen to be there", and which were generally designed with functionality taking priority over security. We will examine the various sub-families, their evolution and background assumptions, and hence deduce the security assumptions which implicitly underlie them, and the weaknesses from which they suffer.
The speaker has been a consultant on TCP/IP for the Janet system, and has found and blocked several loopholes in the TCP/IP suite.
27 October Authentication standards / Chris Mitchell
Discussion Room, Computer Laboratory
Authentication protocols have been the subject of academic interest for some 15 years, following the seminal paper of Needham and Schroeder. While such protocols have been widely discussed and implemented, and indeed international standards for these protocols have been, and are being, developed, the explicit objectives of an authentication protocol have rarely been subjected to critical examination. Even those formal logics devised to examine these protocols often partially dodge the issue of the objectives of an authentication protocol, except typically to deal with the establishment of shared secret keys.
In this seminar, the latest ISO draft standards covering authentication protocols are considered in the context of a discussion of the objectives of these protocols. This discussion provides useful insights into the applicability of protocols for particular applications.
22 October Proving the security of financial systems / Ross Anderson
14 October Computer crime / Alistair Kelman QC