Security Group
1998 seminars
8 December 16:15
Realising security policy within the healthcare environment / Steve Furnell, University of Plymouth
Room TP4, Computer Laboratory
Information systems security represents a significant issue within the modern healthcare environment. Information technology now pervades virtually all aspects of operation and care provision, with a consequent need arising to preserve the confidentiality, integrity and availability of systems and data. The security policy is an essential element in ensuring that a consistent approach can be enforced and maintained across the establishment. I will discuss the areas that should be encompassed by any policy, as well as the typical constraints of the healthcare environment that may limit the practical approach. A further important consideration is how to ensure that all staff will know and observe the policy. I will address this through a discussion of security training and awareness initiatives.
The presentation will make significant reference to work that has been conducted at the European level, in particular the ISHTAR (Implementing Secure Healthcare Telematics Applications in Europe) project in which I have been involved under the EU `Telematics Applications for Health' programme.
1 December 16:15
Secure sessions from weak secrets / Bruce Christianson, University of Hertfordshire
Room TP4, Computer Laboratory
Sometimes two parties who share a weak secret k such as a password wish to share a strong secret s such as a session key without revealing information about k to an active attacker. This talk describes some recent work in this direction, carried out jointly with Michael Roe and David Wheeler. We present some new protocols for secure strong secret sharing, including one based on RSA rather than Diffie-Hellman. As well as being simpler and quicker than their predecessors, our protocols also have slightly stronger security properties. In particular, they make no cryptographic use of s and so impose no subtle restrictions upon the use which is made of s by other protocols, and they do not rely upon the existence of hash functions with mystical properties. After rounding up the usual suspects, the talk will also consider some new attacks and how to frustrate them.
24 November 16:15
Observations on the advanced encryption standard candidates / Mike Roe, Centre for Communications Systems Research
Room TP4, Computer Laboratory
The US government is running a competition to find a replacement for the data encryption standard. There are fifteen candidate algorithms now available for public analysis and comment. I have implemented a number of them from the published definitions, and in this talk I will discuss the lessons I learned in the process.
17 November 16:15
CRYP, CIP and COTS: trusting cryptography in commercial-off-the-shelf systems / Bill Caelli, Queensland University of Technology
Room TP4, Computer Laboratory
Cryptographic (CRYP) sub-systems now play a vital role in the protection of "mission-critical" information systems and data networks, particularly those now being deployed for electronic commerce activities nationally and internationally. Such mission-critical information systems, and associated data networks, are, in turn, being used to control and monitor critical infrastructures in modern society; infrastructures that need a high degree of protection (CIP). These include overall structures for water reticulation, electricity, finance, government, energy, transport and so on. However, under cost pressures those in charge of such infrastructures are moving to adoption of commercial-off-the-shelf (COTS) systems for the control and monitoring of such infrastructures, rather than "bespoke" solutions to information systems needs. With cryptography forming the main protection and trust mechanism to safeguard these controlling information systems, the trustworthy integration of cryptographic sub-systems into COTS becomes of paramount importance. This has a number of technical, business and political implications that need to be explored. This paper examines all three of these aspects of the cryptography integration problem.
16 November 16:15
A hacker looks at cryptography / Bruce Schneier, Counterpane Systems
Room TP4, Computer Laboratory
Building a secure product is a lot more than reading a copy of Applied Cryptography, and then stringing a series of secure algorithms and protocols together. Many "buzzword compatible" products are insecure not because of faulty mathematics, but faulty implementation. Engineers misuse secure primitives, introduce security flaws elsewhere in the process, build bad user interfaces, don't allow for errors or failures, and generally fail to leverage the security of their cryptography. This talk is about what commonly goes wrong in cryptographic products.
10 November 16:15
Copyright control for digital image libraries / Glenn Hall, Hewlett-Packard Laboratories
Room TP4, Computer Laboratory
We will talk about copyright control for digital image libraries using high quality imaging systems, over the web. We have built a system, using on-the-fly watermarking, for a commercial image supplier, now on trial. This raises a number of interesting technical and business questions, such as watermark distribution, and cascading permissions through business processes.
3 November 16:15
Alpha pulse technology - a new concept for generating true randomness / Mark Shilton, Amersham Pharmacia Biotech
Room TP4, Computer Laboratory
The Alpha Pulse random generator is a miniature hardware device for triggering random events with a predetermined event probability. The device uses a miniature silicon photo diode detector incorporating a harmless quantity of a radioactive alpha emitting material. The device produces random voltage pulses when alpha particles are emitted within the photo diode. The device has been used to generate pure, unbiased, non-deterministic random numbers and also to trigger random win events with long odds for applications such as gaming. The event probabilities produced by the device agree very closely with the predictions of Poisson theory.
The Alpha Pulse random generator is robust, durable, highly tamper resistant; it is unaffected by external influences and potentially can be made very small. Its operating principles, design, performance and applications will be reviewed.
27 October 16:15
On the security of digital tachographs / Ross Anderson, University of Cambridge
Room TP4, Computer Laboratory
Tachographs are used in most heavy vehicles in Europe to control drivers' hours, and for secondary purposes ranging from investigating accidents and toxic waste dumping to the detection of fuel fraud. Their effectiveness is under threat from increasing levels of sophisticated fraud and manipulation. I will discuss this in the context of recent EU proposals to move to smartcard-based tachograph systems, which are aimed at cutting fraud and improving the level of enforcement generally. I will argue that the proposed new regime will be extremely vulnerable to the wholesale forgery of smartcards and to system-level manipulation; it has the potential to lead to a large-scale breakdown in control. I will then sketch some potential solutions.
20 October 16:15
Secure implementation of channel abstractions / Cedric Fournet, Microsoft Research
Room TP4, Computer Laboratory
Communication in distributed systems often relies on useful abstractions such as channels, remote procedure calls, and remote method invocations. The implementations of these abstractions sometimes provide security properties, in particular through encryption. We study those security properties, focusing on channel abstractions. We introduce a simple high-level language that includes constructs for creating and using secure channels. The language is a variant of the join-calculus and belongs to the same family as the pi-calculus. We show how to translate the high-level language into a lower-level language that includes cryptographic primitives. In this translation, we map communication on secure channels to encrypted communication on public channels. We obtain a correctness theorem for our translation; this theorem implies that one can reason about programs in the high-level language without mentioning the subtle cryptographic protocols used in their lower-level implementation.
This is joint work with Martin Abadi (Compaq/SRC) and Georges Gonthier (INRIA Rocquencourt).
16 June 16:15
Medical privacy protection - the Xtrend project / Vaclav Matyas, University of Cambridge
Room TP4, Computer Laboratory
The Xtrend project involves collecting drug prescription (and collection) data from pharmacies and creating a database that supports evaluation of general practitioners' (GPs') prescription trends by district. The data is collected without patient identity information, but GPs' identity has to be protected carefully by subsequent processing - only some GPs have consented to their identity being known to data users (usually drug wholesalers or manufacturers) and the identity of the others has to be concealed.
The talk will analyse the problems in protecting the identity of the non-consenting GPs. The solution involves measures like setting a minimal number of participating GPs, practices and pharmacies in a district, and concealing the telltale signs of GPs moving between practices or going on holiday. Another interesting issue concerns the fact that the system is currently being built and this provides a certain level of `noise' against malicious data analysis. However, the situation once the system stabilises will almost certainly be different.
9 June 16:15
The art of uncovering those well-hidden bits / Nick Howgrave-Graham, University of Bath
Room TP4, Computer Laboratory
The talk will be based loosely around the use of partial knowledge in solving bivariate Diophantine equations. Many interesting problems fall into this category, including factoring and solving univariate modular equations, both of which have major implications in cryptography.
The methods are based on work by Coppersmith, and employ lattice basis reduction by the LLL algorithm. An interesting theoretical result concerning dual lattices and the LLL algorithm is shown along the way.
Finally, a novel approach to finding solutions to x^2+y^2=N is demonstrated, and applied (using the technique of Pinch and McKee) to breaking a recently proposed elliptic curve cryptosystem.
2 June 16:15
A denotational definition of system integrity / Simon Foley, University College, Cork
Room TP4, Computer Laboratory
Conventional integrity models limit themselves to the boundary of the computer system and tend to define integrity in an operational or implementation oriented sense. For example, the Clark-Wilson model recommends that well-formed transactions, segregation of duties and auditing be used to ensure integrity. However, the model does not attempt to address what is meant by integrity - evaluating a system gives a confidence to the extent that good design principles have been applied. For instance, when we define a complex segregation of duty policy, we cannot use the model to guarantee that a user of the system cannot somehow bypass the intent of the segregation via some unexpected circuitous route.
Clark and Wilson informally identified segregation of duty as a mechanism that is used to control external consistency, which is described as the correct correspondence between the data object and the real world object that it represents. In this talk I will explore a formal definition for external consistency and illustrate how it is implemented in terms of segregation of duties. This denotational, rather than operational, definition is useful because it allows us to determine whether a particular segregation of duties configuration actually works, that is, whether it ensures that the system is externally consistent.
27 May 16:15
Attacks on copyright marking systems / Fabien Petitcolas, University of Cambridge
Room TP4, Computer Laboratory
In the last few years, a large number of schemes have been proposed for hiding copyright marks and other information in digital pictures, video, audio and other multimedia objects. I will describe some contenders that have appeared in the research literature and in the field; I will then present a number of attacks that enable the information hidden by them to be removed or otherwise rendered unusable.
26 May 16:15
Differential-linear weak key classes of IDEA / Philip Michael Hawkes, University of Queensland
Room TP4, Computer Laboratory
The International Data Encryption Algorithm (IDEA) is a well known block cipher which is used, for example, in the Pretty Good Privacy (PGP) package. In this talk, the largest known weak key classes of IDEA and reduced-round IDEA are constructed. For some of these classes, membership is determined by a differential-linear test while encrypting with a single key. In particular, $8.5$-round IDEA has a weak key class of $2^{63}$ keys (one in every $2^{65}$ keys) for which membership is determined in such a manner. A related-key differential-linear attack on 4-round IDEA is presented which is successful for all keys. Large weak key classes are found for 4.5- to 6.5-round and 8-round IDEA for which membership of these classes is determined by similar related-key differential-linear tests.
19 May 16:15
Confessions of a red box builder / David Biggins, Rhea International Ltd
Room TP4, Computer Laboratory
In the world of commercial product development, even in a hi-tech environment, there are many conflicting factors that go to make up the success or otherwise of a product - technical, commercial, political, and just plain luck (good or bad).
Balancing these factors requires the patience of Job, the discretion of Caesar's wife, the judgement of Solomon (not Alan), the technical knowledge of Turing (Alan), the deviousness of the Borgias, the ruthlessness of Genghis Khan, the showmanship of PT Barnum, and the financial acumen of J Paul Getty - none of which I have...
So how DO you take a security product to market these days?
This talk aims to cover many of the factors, technical and otherwise, encountered so far in the development of the Latches for Windows product, and the ways we have managed to hang on to the tiger's tail...
12 May
Cryptology, technology and policy / Susan Landau, University of Massachusetts
5 May 16:15
The CORBA Security Service Specification and CORBA security in practice / Ulrich Lang, University of Cambridge
Room TP4, Computer Laboratory
This seminar will first give a brief introduction to CORBA, and then focus on the CORBA Security Service Specification. The security functionality provided by the Security Service and its relevance to distributed systems security in general will be described on an abstract level. The seminar will also try to compare the Security Service Specification to CORBA security in the real world; issues like trust boundaries, Java security, business requirements etc. will be briefly put into context.
29 April 17:30
PGP and resistance to key escrow / Phil Zimmermann, Network Associates Inc.
Hopkinson Lecture Theatre, New Museums Site
This week's political developments highlight the trap of buying into a top-down key management infrastructure. I will talk about the new features of PGP's evolving architecture which we have specifically designed in order to make it resistant to key escrow while enhancing its scalability in large organisations.
NOTE: this week's seminar has been arranged at short notice in response to the government's U-turn on crypto policy. It is thus at a non-standard time and a non-standard venue. Maps and travelling directions can be found here.
Other relevant seminars this term include a talk on the 12th May by Susan Landau of the University of Massachusetts on `Cryptology, Technology and Policy' (Susan is one of the authors of `Privacy on the Line', which documents the crypto policy struggle in the USA) and another on the 19th by David Biggins of Rhea International Ltd entitled `Confessions of a Red Box Builder' (Rhea designed the new electronic red boxes used by some ministers). Both these talks are at the usual 4.15PM in room TP4.
10 March 16:15
Priority driven protocol design / Bruce Christianson, University of Hertfordshire
Room TP4, Computer Laboratory
Priority Driven Communication Protocol Design (PDCPD) was a methodology for designing communications protocols which was introduced about fifteen years ago. In this seminar I shall attempt to rehabilitate PDCPD in the context of security protocols, arguing that treating PDCPD as a conceptual framework for reasoning about the design and optimization of protocols (rather than as a design methodology per se) can provide insight into managing the effects of laying off tasks to only partially trusted third parties in order to improve performance: the analogous design problem in 'conventional' communications protocol design is de-layering.
3 March 16:15
VideoCrypt - past, present, and future / Yossi Tsuria, News Datacom, Israel
Room TP4, Computer Laboratory
VideoCrypt, with 9 million subscribers on 4 continents, is without doubt one of the most successful conditional access systems in the world. It also enjoys numerous attacks by the pirate community.
The presentation will describe the origins of the system and its key technology elements, and will discuss past and present security issues. It will also tackle future plans and challenges in the fields of interactive TV, copy protection and data broadcasting.
24 February 16:15
Supporting dynamic security labels in multilevel secure object stores / Simon Foley, University College, Cork
Room TP4, Computer Laboratory
Mandatory label-based policies may be used to support a wide range of application security requirements. Examples of these policies include Chinese Walls and Dynamic Segregation of Duties (see the seminar I gave on the 28th October 1997). Labels encode the security state of system entities, and the application security policy specifies how these labels may change.
I will describe a framework, based on the Jajodia-Kogan message-filter model, that can support these policies in a multilevel secure OODBMS. This framework can support any (dynamic) label-based policy so long as the effect of a high-level request to relabel a low-level label cannot be detected at the low level. A sample policy will be described whereby high-level users can mark low-level objects, indicating that the object should be migrated to the high-level when deleted (at low).
The framework provides what is essentially an interpreter of multilevel programs: programs that manipulate multilevel data-structures that define the security labels of objects. This enables application functionality and security concerns to be developed (and verified) separately, bringing with it the advantages of a separation of concerns paradigm.
17 February 16:15
Tamper resistant structured magnetics / Ed White, Thorn Secure Science International
Room TP4, Computer Laboratory
Security, and particularly 'Smart Card' security, has become a very hot topic in the 1990s. We have been constantly 'educated' that Smart Cards are secure, and this series of seminars has spent much time examining the various claims and potential flaws in those claims. This talk will take a step back from the detail of smart card security, encryption algorithms etc. and examine the basic elements of security. It will briefly examine the various strengths and vulnerabilities of different approaches and present some ideas on how combining technologies can offer great benefits in reducing threats of security breaches.
10 February 16:15
What are the wild waves saying? / Owen Lewis and Keith Penny, TEL
Room TP4, Computer Laboratory
So often overlooked by those who would maintain the confidentiality of their dealings is the fact that much of the most sensitive and most valuable information first occurs as the act of speech, a personal dialogue. If uninhibited speech can be eavesdropped as it is created, then there is no panoply of technical security that can subsequently make good that breach of security. Even in this computer age, the eavesdropping of speech in sensitive areas remains important in intelligence gathering, commercial as much as state.
This presentation outlines the main varieties of the electronic eavesdropping threat to confidential discussions and looks at advanced countermeasures to bugging where RF transmission is used to extract sensitive conversation from secured premises.
Until starting a technical surveillance countermeasures business in 1991, Owen Lewis was a signals officer in the British Army for 22 years. For some years, he was a visiting lecturer to the NATO Joint Services Advanced Electronic Warfare courses. Keith Penny is an engineer with 20 years of experience of the design, manufacture and systems deployment of a range of electronic surveillance and countersurveillance equipment. They have developed the SysRx system for RF spectrum monitoring, which is to be launched at the Police Scientific Development Branch closed exhibition in March 1998 and is first presented at this seminar.
4 February 16:15
Hardware security: smartcards and other tamper resistant modules / Markus Kuhn, University of Cambridge
Babbage Lecture Theatre
Many computer security applications depend on the secure storage of secret key material. The processors storing these keys cannot be protected by walls and guards in applications such as digital purses or pay-TV encryption systems; often the key memory has to be given into the hands of the attacker. Smartcards and other tamper-resistant processors are frequently quoted as a solution for this problem, but there is little published material about how difficult it is for attackers to circumvent the physical protection of these low-cost devices. The talk will discuss various techniques that have been applied to break the security processors used in pay-TV encryption systems and digital purses with much less effort than the manufacturers had hoped.
28 January 16:15
Security protocols and their correctness / Larry Paulson, University of Cambridge
Babbage Lecture Theatre
Security protocols are used in the Internet, mobile phones, digital payment systems, etc. Their goals may be to keep data secret, to preserve it from tampering, or to prevent intruders from assuming somebody else's name. A faulty protocol can be attacked by simple means, such as replaying parts of old sessions, without brute-force codebreaking.
Researchers have developed tools to search for such attacks. However, failure to find attacks does not mean that a protocol is correct. Protocols and their goals are seldom specified formally, which makes it hard to say whether they are correct, even when possible attacks are pointed out.
The speaker will outline recent approaches to showing correctness, taking as an example a simple public-key protocol.