Security Highlights

Highlights of the 8th USENIX Security Symposium
Greg Rose
QUALCOMM Australia
ggr@qualcomm.com
1-Jul-16
Copyright © QUALCOMM Inc, 1998
Introduction
• Held at the JW Marriott Hotel, Washington DC
• Two days of tutorials
• Two days of symposium
• Invited talks and Works in Progress
• Program Chair: Win Treese (Open Market Inc)
• Invited Talks: Avi Rubin (AT&T Labs)
Keynote: Experience is the Best Teacher
• Peter Neumann, SRI International
• Examined the design of “secure systems”
• By anecdote, showed that many problems recur even though they have supposedly been “fixed”
• Recommends:
– better specification of requirements
– strong and robust protocols
– good cryptographic infrastructure
The Design and Analysis of Graphical Passwords
• Ian Jermyn (NYU), Alain Mayer, Fabian
Monrose, Mike Reiter (Bell Labs) and Avi
Rubin (AT&T Labs)
• Both “Best Paper” and “Best Student Paper”
• Presented a couple of schemes for entering passwords graphically, e.g. by drawing on the screen of a PDA
• Research shows that people remember such drawings better than text passwords
• There’s no “dictionary” of likely drawings for an attacker to search
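The slide's two points (a drawing is remembered, and there is no dictionary to search) both come from how a drawing is reduced to a secret. The following is an added example in the spirit of the talk's draw-on-a-grid scheme; it is not the paper's code, and the grid size, canvas size, hashing parameters and the adjacency model used to count the password space are assumptions made for this illustration.

```python
"""Grid-based graphical password ("draw a secret" style).

Added illustration of the draw-on-a-grid idea from the talk; it is not
the paper's code, and the grid size, canvas size and adjacency model
are assumptions made for this example.

A drawing is a list of strokes; a stroke is a list of (x, y) pen
positions on the canvas.  The secret is the sequence of grid cells the
pen passes through, with a pen-up marker between strokes.  Any two
drawings that visit the same cells in the same order are the same
password, which is what lets a sloppy redraw on a PDA still verify.
"""
import hashlib
import hmac
import os
from functools import lru_cache

GRID = 5               # assumption: 5x5 grid of cells
CANVAS = 250           # assumption: 250x250 pixel canvas, 50 px per cell
PEN_UP = (GRID, GRID)  # marker that no real pen position can map to
ITERATIONS = 100_000   # PBKDF2 work factor (assumption)


def cell(x, y):
    """Map a pen position to its grid cell, clamping to the canvas."""
    size = CANVAS // GRID
    cx = min(max(x, 0), CANVAS - 1) // size
    cy = min(max(y, 0), CANVAS - 1) // size
    return (cx, cy)


def encode(strokes):
    """Reduce a drawing to its cell sequence (repeated cells collapsed).

    Caveat: pen positions are assumed to be sampled densely enough that
    consecutive samples land in the same or an adjacent cell; a real
    input layer would interpolate between samples.
    """
    seq = []
    for stroke in strokes:
        last = None
        for x, y in stroke:
            c = cell(x, y)
            if c != last:
                seq.append(c)
                last = c
        seq.append(PEN_UP)
    return tuple(seq)


def serialize(seq):
    """Fixed, unambiguous byte encoding of a cell sequence for hashing."""
    return b"".join(bytes((cx, cy)) for cx, cy in seq)


def enroll(strokes, salt=None):
    """Store a salted, stretched hash of the cell sequence, never the drawing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", serialize(encode(strokes)), salt, ITERATIONS)
    return salt, digest


def verify(strokes, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", serialize(encode(strokes)), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def neighbours(c, grid=GRID):
    x, y = c
    return [(x + dx, y + dy) for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1))
            if 0 <= x + dx < grid and 0 <= y + dy < grid]


def password_space(length, grid=GRID):
    """Count distinct secrets of exactly `length` cell visits.

    Model (an assumption for this example): within a stroke the pen moves
    to a 4-adjacent cell; after a pen-up the next stroke may start in any
    cell.  Even for short drawings the count dwarfs the word lists that a
    dictionary attack on text passwords relies on.
    """
    cells = [(x, y) for x in range(grid) for y in range(grid)]

    @lru_cache(maxsize=None)
    def ways(remaining, c):
        if remaining == 0:
            return 1
        continue_stroke = sum(ways(remaining - 1, a) for a in neighbours(c, grid))
        lift_pen = sum(ways(remaining - 1, d) for d in cells)
        return continue_stroke + lift_pen

    return sum(ways(length - 1, c) for c in cells)


if __name__ == "__main__":
    # Constructed sample: an "L" stroke then a dot, redrawn slightly differently.
    enrolled = [[(10, 10), (60, 10), (60, 60)], [(200, 200)]]
    redrawn = [[(5, 5), (70, 20), (55, 90)], [(210, 240)]]
    salt, digest = enroll(enrolled)
    print("redraw accepted:", verify(redrawn, salt, digest))
    print("distinct 8-cell secrets:", password_space(8))
```

The hash is computed over the cell sequence, not the raw pen coordinates, so the tolerance to imprecise redrawing is a property of `encode`, and the only thing an attacker can enumerate is cell sequences, of which `password_space` gives a count for the assumed model.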
Why Johnny Can’t Encrypt
• Alma Whitten (Carnegie Mellon), Doug Tygar
(UC Berkeley)
• Showed that a selection of people had difficulty using PGP to send encrypted email
• Analysed what kinds of problems tripped up even experienced users:
– security as a secondary goal
– the “barn door problem”
– software only as strong as the weakest link
– lack of feedback
The Design of a Cryptographic Security Architecture
• Peter Gutmann (Uni. Auckland)
• Design a security architecture first, then wrap an API around it
• It’s possible to offload the sensitive work, say to a cryptographic co-processor
• The longest half hour talk ever given…
• http://www.cs.auckland.ac.nz/pgut001/cryptlib.html
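What "architecture first, API second" buys you is that the policy lives in one place and the API cannot bypass it. The example below is added here to make that concrete; it is not cryptlib code, and its handle, attribute and usage model is an assumption loosely modelled on the object-based design the talk described, reduced to HMAC keys so that it runs on the Python standard library alone.

```python
"""Key material behind opaque handles, policy enforced in one place.

Added illustration of the talk's "architecture first, API second"
principle; not cryptlib code.  The handle/attribute model is an
assumption for this example.

Every key lives inside Kernel and is only ever named by an integer
handle.  Every operation passes through _check(), which enforces the
attributes the object was created with (permitted usage, export
policy, destroyed-or-not).  Callers exchange handles, data and tags
with the kernel, never keys, so the whole Kernel could equally sit in
another process or on a cryptographic co-processor.
"""
import hashlib
import hmac
import secrets


class PolicyError(Exception):
    """An operation the object's attributes do not permit."""


class Kernel:
    def __init__(self):
        self._objects = {}  # handle -> {"key", "usage", "exportable"}
        self._next = 1

    def _new(self, key, usage, exportable):
        handle = self._next
        self._next += 1
        self._objects[handle] = {
            "key": bytearray(key),  # bytearray so destroy() can zero it
            "usage": frozenset(usage),
            "exportable": bool(exportable),
        }
        return handle

    def _check(self, handle, needed):
        obj = self._objects.get(handle)
        if obj is None:
            raise PolicyError("handle %d is unknown or destroyed" % handle)
        if needed not in obj["usage"]:
            raise PolicyError("handle %d may not be used to %s" % (handle, needed))
        return obj

    def create_mac_key(self, usage=("sign", "verify"), exportable=False):
        """Generate a key inside the kernel; the caller only gets a handle."""
        return self._new(secrets.token_bytes(32), usage, exportable)

    def derive_verify_only(self, handle):
        """Second handle to a copy of the key with 'sign' removed, for a
        component that should check tags but never be able to mint them."""
        obj = self._check(handle, "verify")
        return self._new(obj["key"], {"verify"}, exportable=False)

    def sign(self, handle, data):
        obj = self._check(handle, "sign")
        return hmac.new(obj["key"], data, hashlib.sha256).digest()

    def verify(self, handle, data, tag):
        obj = self._check(handle, "verify")
        expected = hmac.new(obj["key"], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def export_key(self, handle):
        """Only succeeds for objects created as exportable."""
        obj = self._objects.get(handle)
        if obj is None or not obj["exportable"]:
            raise PolicyError("key behind handle %d is not exportable" % handle)
        return bytes(obj["key"])

    def destroy(self, handle):
        """Zero the key material and forget the handle."""
        obj = self._objects.pop(handle, None)
        if obj is not None:
            obj["key"][:] = b"\0" * len(obj["key"])


def demo():
    """Exercise the policy checks; returns True per outcome that behaved."""
    k = Kernel()
    signer = k.create_mac_key()
    tag = k.sign(signer, b"balance=100")          # constructed sample message
    checker = k.derive_verify_only(signer)
    results = {
        "verify_with_derived": k.verify(checker, b"balance=100", tag),
        "tamper_detected": not k.verify(checker, b"balance=999", tag),
    }
    k.destroy(signer)
    for name, op in (
        ("sign_with_verify_only_blocked", lambda: k.sign(checker, b"x")),
        ("export_blocked", lambda: k.export_key(checker)),
        ("use_after_destroy_blocked", lambda: k.sign(signer, b"x")),
    ):
        try:
            op()
            results[name] = False
        except PolicyError:
            results[name] = True
    # the derived handle holds its own copy, so destroying the signer leaves it usable
    results["derived_survives"] = k.verify(checker, b"balance=100", tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-32s %s" % (name, "ok" if ok else "FAIL"))
```

Because nothing outside `Kernel` ever holds key bytes, moving the kernel onto a co-processor changes the transport of handles and data but not the API the application sees, which is the offloading point the talk made.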
Networks and Security and why the two don’t get along
• Steve Bellovin, AT&T Labs
• Filled in at last minute, still a great talk
• Problems:
– servers get bogged down
– everything has to be secure, e.g. routing, time, …
– trust management, lack of a PKI
– the difference between theory and practice, or between design and implementation
• Only 15% of 1998 CERT advisories could have been solved by encryption! Still too many buffer overruns.
ActiveX Insecurities
• Richard Smith (Phar Lap Software)
• Develops and collects examples of ActiveX
insecurities
• This was a very scary talk!
• Included one demonstration where merely reading mail handed over control of the machine
• Some controls marked “secure” are not
• Turning on “security” can sometimes lead to an endless series of dialog boxes
Works In Progress: Advanced Encryption Standard selection
• Elaine Barker, NIST
• 15 block cipher algorithms submitted in 1998
• Two conferences held to discuss them
• 5 “finalists” chosen in August:
– Serpent (Anderson, Biham and Knudsen)
– Twofish (Counterpane)
– Rijndael (Joan Daemen and Vincent Rijmen)
– MARS (IBM)
– RC6 (RSA)
• Next conference in April 2000; final selection late 2000
Internet Mapping
• Bill Cheswick (Bell Labs)
• Very interesting talk, built around a huge map of the Internet
• The same mapping technique is useful for finding holes in the walls of intranets
GSM A5/2 algorithm revealed
• Nikita Borisov (UC Berkeley) reported on work
done by Lucky Green, Ian Goldberg, and
David Wagner
• Reverse engineered the algorithms used for GSM cellphone encryption
• Released printed source code for both (A5/1 and A5/2)
– stampede
• Announced a break of A5/2 (the weaker of the two)
– 2 hours to find the attack
– less than a second to run it
Next Symposium
• Denver, Colorado, August 14-17, 2000
• Chaired by Steve Bellovin and Greg Rose
• Invited talks: Win Treese
• Keynote: Dr. Blaine Burnham, Georgia Tech Information Security Center (formerly of the NSA)
• Focus on “holistic security”