Report on the Internet Society Symposium on Network and Distributed System Security by Christoph L. Schuba (schuba@cs.purdue.edu) The third ISOC symposium on network and distributed system security was held at the Catamaran Hotel in San Diego, CA on February 16-17, 1995. This one-track symposium was sponsored by the Internet Society (ISOC). The symposium was well attended, with 300 people preregistered, and about 50 late registrations and walk-ins. Thursday consisted of four sessions, two of which were panels. The sessions covered diverse approaches to security at the network layer, off-line object distribution security, and Internet payments. The panels discussed security architecture for the Internet infrastructure, and Internet payment mechanisms. At the dinner banquet Robert E. Kahn (Corporation for National Research Initiatives) talked about Intellectual Property in the Network Environment. Friday consisted again of four sessions, with the last one being a panel discussion on security issues for mosaic and the world wide web. The other sessions covered practice and experience with security monitoring tools, authentication and authorization, and mechanisms of identity, the certificate infrastructure. Thursday, February 16 James Ellis (general chair, CERT) and David Balenson (program co-chair, TIS) opened the symposium and stated its purpose: to bring together people who are building software and/or hardware to provide network and distributed system security (ndss) services. The symposium targets at researchers, implementors, and users of ndss facilities. The first session about "diverse approaches to security at the network layer" was chaired by Stephen T. Kent (BBN) and featured three talks. The first talk was given by Tony Ballardie (University College London) about "multicast-specific security threats and counter-measures". Tony stated that there is a lack of effective group access control and that multicast traffic is potentially more susceptible to link-attack than unicast communication, because traffic traverses more links. He concluded that multicast is at a higher risk compared to unicast. In his talk he discussed the threats of eavesdropping and denial of service. Currently "attacks" are not malicious but mainly accidental. This may change in the future. Proposed solutions were a new version of the IGMP protocol that enforces group access control. The following talk was given by Daniel Stevenson (MCNC) who described the "design of a key agile cryptographic system for OC-12c rate ATM". Daniel described a transparent approach to add communication privacy and authenticated call setup on the network layer. A cryptographic unit placed between the potentially "evil" public WAN and endstation equipment and secure private LANs supports the additional security services at the ATM layer. It provides privacy via fast encryption/decryption of the ATM payload. Authenticated call setup is achieved through additional signaling messages between the cryptographic units at call setup time. The system operates full duplex at the OC-12c rate (622 Mbps). The key agile system can handle up to 65534 active secure connections. The crypto unit can be connected as a security gateway as a 'bump-in-the-fiber', as a S-bus interface or as a HIPPI interface. Hardware and software detail designs of the system have been completed. In the last talk in this session Steffen Stempel (EISS, University of Karlsruhe) talked about "IpAccess - An Internet service access system for firewall installations". IpAccess allows users in the internal LAN to access services in the Internet without exposing the internal LAN to the untrusted Internet. That is achieved via "TCP forwarding", a technique that redirects TCP connections over the firewall server into the Internet and via "application forwarding", a technique where network programs run on the firewall server providing additional authorization checks. The second session in the morning was on the security architecture for the Internet infrastructure. Robert Shirey (Mitre) chaired this session. The first presentation was given by Paul Lambert (Motorola). He talked about the security services that are provided by the IP Security protocols (IPSP) and that will be included into IPv6. He stressed the need for key management and a cohesive naming structure for hosts, networks, processes, users, ... basically any entity participating in distributed computing. He made the point that one security protocol is not enough. Different protocol layers, services, and applications have to replicate security services such as integrity, confidentiality, and availability to make the whole system secure. James Galvin (TIS) continued with an explicit example of an important service in the Internet, the Domain Name System (DNS). For a deployment of a security extension it is important to maintain interoperability. Observed incidents regarding the weaknesses of the DNS are currently mainly accidental. The service can be secured by providing an add-on authentication of bindings. Protecting DNS data from disclosure is an explicit non-goal. This has the benefit that the solution will not be subject to current US export control laws. Additionally an extension for the DNS providing key management functions was included into the current standards work based on the Eastlake/Kaufman proposal. Both Gary Malkin (Xylogics) and Sandra Murphy (TIS), presented current work on securing the routing infrastructure. They made a distinction based on inter- or intra-domain routing, as well as the type of algorithm used (vector distance or link state algorithm). The hard case is securing inter domain routing that uses distance vector algorithms - unfortunately the case that has to be solved. Sandra listed a few concrete threats, mainly denial of service attacks. She discussed a number of issues that reappeared throughout the conference and are probably part of almost any talk on computer security: computational efficiency, resource efficiency (bandwidth), export control rules, patent problems. She also said that efficiency is a much larger issue in routing than on name resolution. A question to the whole panel asked if general hardware support is in sight for authentication requirements that are part of all the mentioned infrastructure problems. No efforts seem to go into that direction currently. However the IETF attempts to develop security mechanisms that can be used synergistically by different working groups. The first session after lunch was chaired by Jeffrey Schiller (MIT). It contained 2 presentations on "off-line object distribution security". Avi Rubin (Bellcore) talked about "trusted distribution of software over the Internet". His prototype system "Betsi" addresses aspects of the problem that malicious software can be posted to the public with no accountability. He proposes the solution that a trusted third party signs a certificate to identify the author of a program and to secure its integrity. The signature provides no guarantee other than that the software is from a certain author. The trust requirement is therefore shifted away from the distribution site to the author. The main question asked after the talk was concerned with the necessity of Betsi. Avi answered that Betsi provides official timestamps and only one well known public key is necessary. The question why the user should trust the Betsi maintainers was answered with a winning smile. Following Avi John Lowry (BBN) spoke about "location-independent information object security". Users that are mobile and use multiple platforms with differing applications over time have no security service applications which are independent of location or computing environment. The IOS project has developed tools that provide these services to documents. One main example is the 'electronic signature timestamp server' (ETSS) which provides the services of document registration (timestamping), validation, and non-repudiation. The last session of the day on Internet payments was chaired by Ravi Ganesan (Bell Atlantic). The session was divided into a one talk subsession and a panel on Internet payment mechanisms, requirements and architecture. Stefan Brands (Centrum voor Wiskunde en Informatica) gave his talk on "electronic cash on the Internet". He described a system where the customer carries a tamper-resistant device such as a PCMCIA card precharged with a certain amount of currency. The customer can then spend this money with service providers off line. The payments are untraceable and unlinkable. Multiparty security is guaranteed without parties having to trust other parties. The restraint on double-spending, the possibility of currency conversion, low transmission costs, and low on line computational costs are further attractive features of Stefan's approach. The panel consisted mainly of presentations. There was not much time for questions. Elmar Stefferud (First Virtual Holding) started with a presentation on his company's "approach to Internet information commerce". After stating First Virtual's goals he talked about an interesting paradigm shift concerning information commerce: Buyers cannot evaluate information without obtaining it and sellers don't need returned goods. Compared to traditional commerce sellers have nearly zero cost for inventory and distribution. Clifford Neumann (USC) continued with his view of "NetCheque and NetCash - requirements for network payments". He sees information commerce as a set of secure applications that have to be integrated with the overall information and computing infrastructure. Future services will only be realized if the service providers are compensated for the services they provide. Secure, reliable, flexible, scalable, efficient, and unobtrusive payment methods are required as a basic service. Dave Crocker (Brandenburg Consulting) was the last speaker at the panel. He talked about "EDI delivery over the net". After a motivation why to do commerce over the Internet at all (e.g., reduced access cost, global reach) and common concerns (operational, unfamiliarity w/ the Internet, security) he talked about the role of EDI. Many companies have decades of experience with EDI and there is a wide variety of applications EDI is currently used for. EDI requires only a secure transport service from the Internet. It could be arbitrarily nicely incorporated into existing services such as email or gopher with a variety of encoding schemes (such as MIME). EDI is oriented towards long term, high volume transactions. The industry wants secure standards for EDI transfer soon. There was one important question in the question session that was basically not answered, namely if all these efforts are realistic in the light of real big players like existing credit card companies. Friday, February 17 The first session on the second day on "security monitoring tools: practice and experience" was chaired by Michael St. Johns (ARPA). Three talks were given. David Simmons (Los Alamos National Labs) started out talking about "NERD network event recording device: an automated system for network and anomaly detection and notification". The NERD is an automated, real-time system for monitoring and detecting network anomalies, as well as providing timely notification to network managers of significant network events. The system is based on syslogd, but any event recorder can supply information to the NERD. It is mainly used to monitor disk usage, network links, connectivity, and authentication failures and notify administrators in different ways depending on the urgency of the events. Jim Alves-Foss (University of Idaho) gave "an overview of SNIF: a tool for surveying network information flow". He described an ongoing research and development project for surveying network information flow. The SNIF tool provides system administrators and security officers an encapsulated view of network communication and information flow for a set of monitored subnetworks. Input data to the SNIF system are low level network packets, no log messages in the style of syslog or application logging. Abdelaziz Mounji concluded the session by his talk on "distributed audit trail analysis". He presented a system for on--line analysis of multiple distributed data streams. Generic concepts are applied to security audit trail analysis, providing powerful network security monitoring and sophisticated tools for intrusion/anomaly detection. The overall system architecture contains two levels: host and network. The hosts generate the audit trail, have a logging controller that can modify the granularity of audit data, have a format adaptor that converts audit data into the native audit data format, and a local evaluator, the heart of the local system that executes the rule modules. A supplier process can then transmit the selected records to the evaluator of the master machine. The output of several master machines accumulates at at most one master machine. The overall sixth session of the symposium was on "authentication and authorization". Chair was Clifford Neuman (ISI USC). The first talk was given by Piers McMahon (ICL, UK). He talked about "Sesame V2 public key and authorization extension to Kerberos". This talk addressed a similar problem as the following one: limitation of the Kerberos model to symmetric keys and an identity-based authorization model. Piers demonstrated how the Sesame project has integrated asymmetric key distribution , and authorization support to extend Kerberos to provide scalability and manageability improvements. Ravi Ganesan (Bell Atlantic and John Hopkins University) followed with a brilliant talk on "Yaksha: augmenting Kerberos with public key cryptography". Yaksha's goal is to remedy some shortcomings of Kerberos: no catastrophic failures, no vulnerability to dictionary attacks, minimize protocol changes, upwards compatibility with smart cards, short keys. In its current form Yaksha augments Kerberos to provide authentication, signatures and key escrow. A possible further extension can include authorization. Yaksha uses as building block an RSA variant independently invented by Boyd and by Ganesan and Jacobi, in which the RSA key is split into two portions. The final talk before lunch was given by Barry Jaspan (Open Vision Technologies) on "GSS-API Security for ONC RPC". He showed how remote procedure calls can be extended to provide data integrity and privacy protection using the generic security service application program interface. Hilarie Orman (University of Arizona) opened the seventh session on "mechanisms of identity - the certificate infrastructure" after lunch. Three talks were presented in that session. Nada Kapidzic (Stockholm University) talked about "a certificate management system (CMS): structure, functions, and protocols". He described the CMS as a networked system for generation, distribution, storage and verification of certificates for use in a variety of security enhanced applications. By adding functions for the storage and retrieval of certificates to the specification the CMS becomes functionally complete and immediately operable as either an autonomous hierarchy, or integrated into a global system. A main lesson that was learned was that ease of installation and use were crucial for the success of the system. The following talk on "PEMToolKit: building a top-down certification hierarchy for PEM from the bottom up" was given by Alireza Bahreman (Bellcore). He claimed that the major impediment to widespread deployment and use of a certification hierarchy is a top-down public-key certification hierarchy. That can be overcome by building up such a hierarchy from the bottom up. The talk addressed two main requirements: the trust model and information retrieval. The vision is that islands of certification authorities will pop up and eventually grow to hierarchies. The last talk was a presentation by Michael Roe (University of Cambridge) who jumped in last minute for Suzan Mendes (TS-E3X). He presented "a new approach to the X.509 framework: allowing global authentication infrastructure without a global trust model". The author proposes to extend the X.509 structure to allow for different models of trust and allowing individuals or communities to establish security channels without requiring their attachment to a specific public trust model, while making explicit the meaning of certification. The final session of the symposium was a panel on "security issues for Mosaic and the world wide web. Chair and moderator Fred Avolio (TIS) introduced the panel members and started with a some brief comments on the importance of the topic and some security problems with the W3. Grep Bergren (NSA), Peter Churchyard (TIS), and Alan Schiffman (Enterprise Integration Technologies) gave short presentations and then answered several questions by the audience. Peter concentrated on firewall technology in the presence of http traffic. He made an important point: "We don't want encrypted data through our firewall, because that's a tunnel for anything!". Alan talked mainly about current efforts to secure the http protocol: s-http.