Highlights of the 8th USENIX Security Symposium
Greg Rose, QUALCOMM Australia, ggr@qualcomm.com
1-Jul-16 Copyright © QUALCOMM Inc, 1998

Introduction
• Held at the JW Marriott Hotel, Washington DC
• Two days of tutorials
• Two days of symposium
• Invited talks and Works in Progress
• Program Chair: Win Treese (Open Market Inc)
• Invited Talks: Avi Rubin (AT&T Labs)

Keynote: Experience is the Best Teacher
• Peter Neumann, SRI International
• Examined the design of “secure systems”
• By anecdote, showed that many problems recur even though they have been “fixed”
• Recommends:
  – better specification of requirements
  – strong and robust protocols
  – good cryptographic infrastructure

The Design and Analysis of Graphical Passwords
• Ian Jermyn (NYU), Alain Mayer, Fabian Monrose, Mike Reiter (Bell Labs) and Avi Rubin (AT&T Labs)
• Won both “Best Paper” and “Best Student Paper”
• Presented a couple of schemes for entering passwords graphically, on say a PDA
• Research shows that people can remember such things better
• There’s no “dictionary” to search

Why Johnny Can’t Encrypt
• Alma Whitten (Carnegie Mellon), Doug Tygar (UC Berkeley)
• Showed that a selection of people had difficulty using PGP to send encrypted email
• Analysed what kinds of problems tripped even experienced users:
  – security as a secondary goal
  – the “barn door problem”
  – software only as strong as the weakest link
  – lack of feedback

The Design of a Cryptographic Security Architecture
• Peter Gutmann (Uni. Auckland)
• Design a security architecture first, then wrap an API around it
• It’s possible to offload the sensitive work, say to a cryptographic co-processor
• The longest half hour talk ever given…
• http://www.cs.auckland.ac.nz/pgut001/cryptlib.html

Networks and Security and why the two don’t get along
• Steve Bellovin, AT&T Labs
• Filled in at the last minute, still a great talk
• Problems:
  – servers get bogged down
  – everything has to be secure, e.g. routing, time …
  – trust management, lack of a PKI
  – the difference between theory and practice, or between design and implementation
• Only 15% of 1998 CERT advisories could be solved by encryption! Still too many buffer overruns.

ActiveX Insecurities
• Richard Smith (Phar Lap Software)
• Develops and collects examples of ActiveX insecurities
• This was a very scary talk!
• Included one demonstration where reading mail gave over control of the machine
• Some controls marked “secure” are not
• Turning on “security” can sometimes lead to an infinite number of dialog boxes

Works In Progress: Advanced Encryption Standard selection
• Elaine Barker, NIST
• 15 block cipher algorithms submitted in 1998
• Two conferences to discuss them
• 5 “finalists” chosen in August:
  – Serpent (Anderson, Biham and Knudsen)
  – Twofish (Counterpane)
  – Rijndael (Joan Daemen and Vincent Rijmen)
  – MARS (IBM)
  – RC6 (RSA)
• Conference next April, final selection late 2000

Internet Mapping
• Bill Cheswick (Bell Labs)
• Very interesting talk because it had a huge map of the Internet
• Useful to find holes in the wall of intranets

GSM A5/2 algorithm revealed
• Nikita Borisov (UC Berkeley) reported on work done by Lucky Green, Ian Goldberg, and David Wagner
• Reverse engineered the algorithms for GSM cellphone encryption
• Released printed source code for both – stampede
• Announced a break of A5/2 (the weaker one):
  – 2 hours to find it
  – less than a second to run it

Next one
• Denver, Colorado, August 14-17
• Chaired by Steve Bellovin and Greg Rose
• Invited talks: Win Treese
• Keynote: Dr. Blaine Burnham, Georgia Tech Information Security Centre (ex NSA)
• Focus on “holistic security”