WWC snapshot of http://www.alw.nih.gov/Security/first-papers.html taken on Sat Jun 10 19:13:30 1995
FIRST Security Papers
This is a large collection of papers on a variety of computer security topics. The papers were originally part of the Forum of Incident Response and Security Teams' (FIRST)
1994 Security Tools and Techniques CD-ROM.
Table of Contents
- Authentication
-- Documents related to authentication of users, communications, and hosts.
- Criteria
-- Documents related to security evaluation criteria for computer systems and protocols.
- Cryptography
-- Documents related to cryptographic protocols and methods.
- Firewall
-- Documents related to the construction and use of network firewalls.
- General
-- Documents that cover computer security in general and other miscellaneous topics.
- Legal
-- Documents related to computer security, the law, and ethics.
- Password
-- Documents related to passwords.
- Protocol
-- Documents related to the design of secure network protocols, and to the security analysis of existing protocols.
- Unix
-- Documents related to the security of the UNIX operating system.
- Virus
-- Documents related to computer viruses, worms, etc.
-
Kerberos: An Authentication Service for Open Network Systems
- A description of the Kerberos authentication system.
-
Designing an Authentication System: A Dialogue in Four Scenes
- A ``play'' in which the characters end up designing an authentication system much like Kerberos. Provides an easy-to-understand description of why Kerberos is the way it is.
-
Limitations of the Kerberos Authentication System
- A description of some limitations and weaknesses in the Kerberos authentication system.
-
KryptoKnight Authentication and Key Distribution System
- An authentication and key distribution system that provides facilities for secure communication in any type of network environment.
-
Long Running Jobs in an Authenticated Environment
- A system for running batch jobs in an environment in which users must have tokens or tickets to run.
-
A Note on the Use of Timestamps as Nonces
- A note on the use of timestamps in authentication protocols.
-
Canadian Trusted Computer Product Evaluation Criteria, Part 1
- The Canadian "Orange Book."
-
Canadian Trusted Computer Product Evaluation Criteria, Part 2
- The Canadian "Orange Book."
-
Executive Guide to the Protection of Information Resources
- A U.S. National Institute of Standards and Technology publication.
-
Federal Criteria for Information Technology Security, Volume 1
- The new "Orange Book."
-
Federal Criteria for Information Technology Security, Volume 2
- The new "Orange Book."
-
Green Book on the Security of Information Systems
- A document that sets out the development of a consistent approach to Information Security in Europe, taking into account common interests with other countries.
-
Foundations for the Harmonization of Information Technology Security Standards
- An analysis of the differences between the U.S., Canadian, and European Information Technology Security efforts, and discussions of how to make them more similar.
-
Horses and Barn Doors: Evolution of Corporate Guidelines for Internet Usage
- A description of how Intel Corp.'s Internet usage policies were developed.
-
Guidelines for the Secure Operation of the Internet - RFC 1281
- Provides a set of guidelines to aid in the secure operation of the Internet.
-
Information Technology Security Evaluation Criteria
- The European "Orange Book."
-
Management Guide to the Protection of Information Resources
- A U.S. National Institute of Standards and Technology publication.
-
Open Systems Security
- A doctoral dissertation presenting an architectural framework for building secure open-systems communication over untrusted global data networks.
-
Protection and Security Issues for Future Systems
- An examination of the problems of protection and security as applied to future computer systems.
-
Relating Functionality Class and Security Sub-Profile Specifications
- A discussion of various alternatives for associating functionality class and security sub-profile specifications, such as those presented in the Federal Criteria (fcvol1.ps and fcvol2.ps).
-
Department of Defense Trusted Computer System Evaluation Criteria
- The "Orange Book."
-
Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy
- A report of a special panel of the ACM (Association for Computing Machinery) U.S. Public Policy Committee.
-
Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise
- An extension of the protocol described in neke.ps that removes the requirement that the host store passwords in cleartext.
-
A Cryptographic File System for Unix
- A description of a UNIX file system implementation that provides transparent encryption and decryption of files stored on the disk.
-
Key Management in an Encrypting File System
- A description of how "smart cards" can be used to manage the keys used by the encryption file system described in cfs.ps.
-
A High-Speed Software DES Implementation
- Describes a high-speed software implementation of the Data Encryption Standard.
-
Using Content-Addressable Search Engines to Encrypt and Break DES
- Shows that a very simple parallel architecture, built from a modified form of content-addressable memory, can cheaply and efficiently encipher and decipher data with DES-like systems. Describes how to implement such systems, and also how to construct a large-scale engine for exhaustively searching the DES keyspace.
-
Protocol Failure in the Escrowed Encryption Standard
- A description of some protocol weaknesses in the Clinton administration's Escrowed Encryption Standard, also known as the Clipper Chip.
-
Why Cryptosystems Fail
- A survey of the failure modes of retail banking systems, the second largest application of cryptography.
-
Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks
- A combination of public- and private-key cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network. The protocol is secure against active attack, and also against off-line "dictionary" attacks.
Public-Key Cryptography Standards from RSA Laboratories
-
Some Examples of the PKCS Standards
-
A Layman's Guide to a Subset of ASN.1, BER, and DER
-
An Overview of the PKCS Standards
-
RSA Encryption Standard
-
Deprecated (PKCS #2; its content was folded into PKCS #1, the RSA Encryption Standard)
-
Diffie-Hellman Key-Agreement Standard
-
Deprecated (PKCS #4; likewise folded into PKCS #1)
-
Password-Based Encryption Standard
-
Extended-Certificate Syntax Standard
-
Cryptographic Message Syntax Standard
-
Private-Key Information Syntax Standard
-
Selected Attribute Types
-
Certification Request Syntax Standard
-
Network Security via Private-Key Certificates
- Some practical security protocols that use private-key encryption in the public-key style.
-
Answers to Frequently Asked Questions About Today's Cryptography
-
Cryptography FAQ
-
SKIPJACK Review: Interim Report: The SKIPJACK Algorithm
- The report from the group of non-government cryptologists who reviewed the classified SKIPJACK encryption algorithm used in the Clinton administration's Clipper and Capstone chips.
-
The Architecture and Implementation of Network Layer Security Under Unix
- A description of a network-layer security protocol for the IP protocol suite that provides authentication, integrity, and confidentiality of IP datagrams.
-
Visa Protocols for Controlling Inter-Organizational Datagram Flow
- A cryptographic method for authenticating and authorizing a flow of datagrams.
-
Visa Protocols for Controlling Inter-Organizational Datagram Flow: Extended Description
- A cryptographic method for authenticating and authorizing a flow of datagrams.
-
Packet Filtering in an IP Router
- A description of how the packet filtering facility in the Telebit NetBlazer was designed and developed.
-
A Network Firewall
- A description of Digital Equipment Corporation's network firewall between its corporate network and the Internet.
-
Thinking About Firewalls
(PS)
- A description of some of the considerations and trade-offs in designing network firewalls.
-
An Internet Gatekeeper
- A description of how to construct an Internet firewall.
-
The Design of a Secure Internet Gateway
- A description of the design of the firewall used by AT&T to protect their corporate network from the Internet.
-
A Network Perimeter With Secure External Access
- A description of the firewall in use at whitehouse.gov.
-
Packets Found on an Internet
- A description of the types of packets, particularly the anomalous ones, that appeared at the AT&T firewall.
-
Network (In)Security Through IP Packet Filtering
- A description of how to use the packet filtering features of commercial routers as a security tool.
-
Simple and Flexible Datagram Access Controls for Unix-based Gateways
- A description of the screend packet filtering system.
-
TCP Wrapper: Network Monitoring, Access Control, and Booby Traps
- A description of the author's tcpwrapper software.
-
A Toolkit and Methods for Internet Firewalls
(PS)
- A description of the Trusted Information Systems Firewall Toolkit.
-
An Architectural Overview of UNIX Network Security
- A description of a number of UNIX-related components of network security, particularly as they pertain to firewalls.
-
X Through the Firewall, and Other Application Relays
- A description of how to create application-specific relays to pass traffic through a network firewall.
-
An Evening With Berferd: In Which a Cracker is Lured, Endured, and Studied
- A description of how the author kept an attacker ``on the line'' for several months in order to learn his methods.
-
Computer Emergency Response - An International Problem
- A call for international cooperation between computer emergency response teams, and suggested methods for achieving it.
-
Compromise: What if Your Machines are Compromised by an Intruder
- Suggestions for securing a system after it has already been compromised.
-
There Be Dragons
- A description of the wide variety of attacks attempted on the AT&T Internet firewall.
-
Establishing a Computer Security Incident Response Capability
- Procedures and issues for establishing a computer security incident response team.
-
Almost Everything You Wanted To Know About Security
-
Software Forensics: Can We Track Code to its Authors?
- An idea that it may be possible to identify the authors of malicious software by the style and features of their programs.
-
How to Set Up a Secure Anonymous FTP Site
- Methods for numerous different operating systems.
-
Security Breaches: Five Recent Incidents at Columbia University
- A detailed account of five break-ins at Columbia University, and the steps taken to stop them.
-
The Social Organization of the Computer Underground
- The author's thesis for a master's degree in sociology.
-
Site Security Handbook - RFC 1244
- The product of the Site Security Policy Handbook Working Group of the Internet Engineering Task Force.
-
Computer Break-ins: A Case Study
- A study of multiple break-in attempts at Vrije Universiteit in Amsterdam.
-
Electronic Currency for the Internet
- A framework for electronic currency for the Internet that provides a real-time electronic payment system.
-
NetCash: A Design for Practical Electronic Currency on the Internet
- A framework for electronic currency for the Internet that provides a real-time electronic payment system.
-
Computer User's Guide to the Protection of Information Resources
- A report from the U.S. National Institute of Standards and Technology.
-
An Introduction to Computer Security: The NIST Handbook
(part 1)
(part 2)
(part 3)
(part 4)
(part 5)
- A publication of the U.S. National Institute of Standards and Technology. This is a draft copy, included with permission.
-
Security Patches FAQ for Your System: The Patch List
- A list of security patches for most any operating system, and how to obtain them.
-
Proxy-Based Authorization and Accounting for Distributed Systems
- A method to support both authorization and accounting in a distributed environment.
-
Pseudo-Network Drivers and Virtual Networks
- A method for creating pseudo-networks, much like the pseudo-terminals in use on many UNIX systems.
-
Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery
- A basic text for the author's one-day seminar on the practical aspects of computer security in an unclassified networked environment.
-
Automated Tools for Testing Computer System Vulnerability
- Discusses some of the automated tools for checking the security of a wide variety of systems.
-
Vendor Security Contacts: Reporting Vulnerabilities and Obtaining New Patches
- Contact names, numbers, and addresses for most major operating systems.
-
Defamation Liability of Computerized Bulletin Board Operators and Problems of Proof
- A discussion of the libel and slander laws, and how they apply to bulletin board operators.
-
Complete text of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030.
-
Frequently Asked Questions About Copyright
-
Computer Security and the Law
- A review of legal issues surrounding computer security, for the system administrator.
-
Cubby v. CompuServe
- The complete text of the judge's decision in the Cubby v. CompuServe libel case, in which CompuServe was found not to be responsible for material posted on one of their bulletin boards.
-
Complete text of the Electronic Communications Privacy Act of 1986, United States Public Law 99-508.
-
E-Law: Legal Issues Affecting Computer Information Systems and System Operator Liability
- First appeared in the Albany Law Journal of Science and Technology, Volume 3 , Number 1.
-
Are Computer Hacker Break-ins Ethical?
- Lists and refutes many of the reasons given to justify computer break-ins.
-
The complete text of the U.S. Family Educational Rights and Privacy Act (the Buckley Amendment), 20 U.S.C.
-
Information about the computer crime laws in France.
-
Legal Issues, A Site Manager's Nightmare
- Examines the legal ramifications of computer security laws on system administrators.
-
Internet Libel: Is the Provider Responsible?
- An examination of the Cubby v. Compuserve case as it applies to Internet service providers.
-
Computer Electronic Mail and Privacy
- A discussion of the Electronic Communications Privacy Act as it applies to electronic mail.
-
Some Musings on Ethics and Computer Break-Ins
- A discussion of ethics and responsibility, particularly as they pertain to the Internet Worm of November, 1988.
-
Complete text of the Privacy Act of 1974 and Amendments, 5 U.S.C. 552a.
-
An Introduction to Computer Security for Lawyers
- A number of articles serving to introduce lawyers to the concepts behind computer security.
-
Revised Computer Crime Sentencing Guidelines
- A description of the new federal sentencing guidelines that address the Computer Fraud and Abuse Act.
-
Computer crime laws, listed by state.
-
Department of Defense Password Management Guideline
- Enumerates a number of good password management practices.
-
Standard for Automated Password Generator
- Federal Information Processing Standard No. 181.
-
Foiling the Cracker: A Survey of, and Improvements to, Password Security
- Demonstrates the ease with which most passwords can be guessed by a motivated attacker.
-
Observing Reusable Password Choices
- A method for observing password choices made by users, and how to protect it from being compromised.
-
OPUS: Preventing Weak Password Choices
- A system that uses Bloom filters to implement a constant-time dictionary lookup, regardless of dictionary size, to check a user's password choice for "goodness".
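The check OPUS describes, as an added illustration rather than OPUS's own code: a Bloom filter built over a word list answers "is this word in the dictionary?" with a fixed number of hash computations however large the list is. The sizing formulas, the SHA-256 double-hashing scheme, the transformations tried and the sample word list are all assumptions made here.

```python
# Added illustration of the OPUS idea: a Bloom filter over a dictionary of
# weak words gives a membership test whose cost depends only on the number
# of hash functions, not on the dictionary size. Not OPUS's own code; the
# sizing formulas, SHA-256 double hashing and the word list are assumptions.
import hashlib
import math


class BloomFilter:
    """Bit-array Bloom filter with k hash positions per word.

    No false negatives: a word that was inserted is always reported present.
    False positives occur at roughly the requested error rate, which for a
    password checker only means an occasional strong password is rejected.
    """

    def __init__(self, capacity: int, error_rate: float):
        # Standard sizing: m bits and k hashes for n items at error rate p.
        self.m = max(8, math.ceil(-capacity * math.log(error_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, word: str):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        digest = hashlib.sha256(word.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, word: str) -> None:
        for pos in self._positions(word):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, word: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(word))


# Constructed sample dictionary; a deployment would load a large word list.
WEAK_WORDS = ["password", "secret", "letmein", "qwerty", "dragon", "monkey", "welcome"]


def build_filter(words, error_rate: float = 1e-6) -> BloomFilter:
    bf = BloomFilter(capacity=len(words), error_rate=error_rate)
    for w in words:
        bf.add(w.lower())  # store lower-case so a case change does not evade the check
    return bf


def candidate_forms(password: str):
    """Trivial transformations a guesser tries first (cf. "Foiling the Cracker")."""
    base = password.lower()
    return {base, base[::-1], base.rstrip("0123456789"), base.lstrip("0123456789")}


def is_weak(bf: BloomFilter, password: str) -> bool:
    """True if the password, or an easy transformation of it, is in the dictionary."""
    return any(form in bf for form in candidate_forms(password) if form)


if __name__ == "__main__":
    bf = build_filter(WEAK_WORDS)
    for pw in ["Password1", "terces", "1dragon", "correct horse battery staple"]:
        print(f"{pw!r}: {'weak' if is_weak(bf, pw) else 'ok'}")
```

The filter is a few hundred bits for seven words and grows only linearly with the word list, while each lookup stays at k hash positions; the only cost of the compactness is the small false-positive rate, which here rejects a good password rather than admitting a bad one.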
-
User Authentication and Related Topics: An Annotated Bibliography
-
Password Security: A Case History
- A description of the original UNIX password algorithm, and the reasons for replacing it with the current one.
-
UNIX Password Security - Ten Years Later
- A reexamination of the UNIX password algorithm after ten years of advances in software and hardware.
-
The S/Key One-Time Password System
- A freely available implementation of one-time passwords.
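The construction S/Key rests on, shown as an added illustration and not as S/Key's own code: the client derives a hash chain from its secret, the server stores only the top of the chain and a counter, and each login reveals the next element down. Real S/Key uses MD4 folded to 64 bits and a six-word encoding; SHA-256 and raw bytes stand in here, and the secret, seed and chain length are constructed values.

```python
# Added illustration of the hash-chain construction behind S/Key, not the
# S/Key code itself. Real S/Key uses MD4 folded to 64 bits and prints the
# one-time password as six short words; SHA-256 and raw bytes stand in for
# both. Secret, seed and chain length below are constructed values.
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def otp_chain(secret: str, seed: str, n: int) -> list:
    """Return [x0, x1, ..., xn] with x0 = H(seed || secret) and x_i = H(x_{i-1}).

    The client recomputes this from the secret on every login; the server
    keeps only the most recently accepted element and its index.
    """
    x = _h((seed + secret).encode("utf-8"))
    chain = [x]
    for _ in range(n):
        x = _h(x)
        chain.append(x)
    return chain


class Server:
    """Holds no secret: only the seed, a counter and the current chain top."""

    def __init__(self, seed: str, n: int, top: bytes):
        self.seed, self.n, self.top = seed, n, top

    def challenge(self):
        # What an S/Key prompt shows the user: the sequence number and seed.
        return self.n - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.n <= 0:
            return False            # chain exhausted; user must re-initialise
        if _h(otp) != self.top:
            return False            # wrong value, or a replay of an older password
        self.top, self.n = otp, self.n - 1   # advance one step down the chain
        return True


class Client:
    def __init__(self, secret: str):
        self.secret = secret

    def respond(self, i: int, seed: str) -> bytes:
        return otp_chain(self.secret, seed, i)[i]


def simulate(secret: str = "correct horse", seed: str = "ab12345", n: int = 4):
    """Run n logins, a replay attempt part way through, and one attempt past exhaustion."""
    chain = otp_chain(secret, seed, n)
    server = Server(seed, n, chain[n])        # enrolment: only x_n is stored
    client = Client(secret)
    accepted, on_wire = [], []

    def login():
        i, s = server.challenge()
        otp = client.respond(i, s)
        on_wire.append(otp)                   # what an eavesdropper sees
        accepted.append(server.verify(otp))

    for _ in range(2):
        login()
    replay_accepted = server.verify(on_wire[0])   # H(x_{n-1}) = x_n, but top is now x_{n-2}
    for _ in range(n - 2):
        login()
    exhausted_accepted = server.verify(chain[0])  # counter has reached zero
    return accepted, replay_accepted, exhausted_accepted, server.n


if __name__ == "__main__":
    print(simulate())
```

A password seen on the wire is useless afterwards: replaying x_{n-1} fails because the server's top has already moved to x_{n-2}, and producing x_{n-2} from x_{n-1} would require inverting the hash. What the scheme does not cover is a server compromise of the seed and top combined with a dictionary attack on the secret, which is why the chain is re-initialised with a fresh seed rather than reused.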
-
Highjacking AFS
- A description of security weaknesses in the Andrew File System (AFS).
-
An End-to-End Argument for Network Layer, Inter-Domain Access Controls
- A method by which different administrative domains of an internetwork can interconnect without exposing their internal resources to unrestricted access.
-
Identification Protocol - RFC 1413
- A description of the Identification Protocol, a means to determine the identity of the user of a particular TCP connection.
-
Security Problems in the TCP/IP Protocol Suite
- A description of several attacks on TCP/IP protocols including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks.
-
A Unix Network Protocol Security Study: Network Information Service
- A discussion of the security weaknesses in the Network Information Service (Yellow Pages) protocol from Sun Microsystems.
-
A Security Analysis of the NTP Protocol
- A security analysis of the Network Time Protocol (NTP).
-
Protocol Design for Integrity Protection
- A design method for message integrity protection.
-
Privacy-Enhanced Electronic Mail
- A description of the Internet Privacy-Enhanced Mail protocols.
-
A Weakness in the 4.2BSD TCP/IP Software
- A description of a security weakness of the TCP/IP protocol suite as implemented in 4.2BSD UNIX.
-
Security Analyses of Network Time Services
- An analysis of the security requirements for a network time service.
-
Secure Control of Transit Internetwork Traffic
- Methods for controlling traffic traversing a local network on its way from one remote network to another.
-
Access Control and Policy Enforcement in Internetworks
(part1)
(part2)
(part3)
- Methods of controlling access policy between different administrative domains of an internetwork.
-
The COPS Security Checker System
- A description of one of the most popular UNIX security scanners.
-
Improving the Security of Your Site by Breaking Into It
- Discussion of a number of commonly used attacks on UNIX systems, and how to check your systems for vulnerability to them.
Next-Generation Intrusion Detection Expert System (NIDES)
-
Detecting Intruders in Computer Systems
-
Software Requirements Specification: Next Generation Intrusion Detection Expert System
-
SAFEGUARD Final Report: Detecting Unusual Program Behavior Using the NIDES Statistical Component
-
The NIDES Statistical Component: Description and Justification
-
Automated Audit Trail Analysis and Intrusion Detection: A Survey
-
Life Without Root
- A method for authorizing users to perform certain system administration tasks without giving them the super-user password.
-
UNIX Password Security
- A discussion of the importance of well-chosen passwords, and how passwords are cracked.
-
On the Security of UNIX
- The original UNIX security paper.
-
The `Session Tty' Manager
- A method for controlling access to terminals by background processes after the user has logged out.
-
Improving the Security of Your UNIX System
(PS)
- A description of many of the security features of the average UNIX system, and how to use them.
-
UNIX Security Tools
- An excellent summary of most of the public domain UNIX security tools, and where to obtain them.
-
The Design and Implementation of Tripwire: A File System Integrity Checker
- Tripwire records checksums and other attributes of the files on a system in a baseline database, then rescans later and reports any files that have been added, deleted, or changed.
-
Experiences With Tripwire: Using Integrity Checkers for Intrusion Detection
- A description of how the Tripwire integrity checker (see tripwire.ps) has performed in the field.
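The baseline-then-rescan model the two Tripwire entries describe, as an added illustration; this is not Tripwire's code or its database format, and the directory, file contents and simulated intrusion are constructed. Tripwire also records inode, link count and timestamps and supports several signature algorithms; only a digest, size and mode are kept here.

```python
# Added illustration of the baseline-then-rescan model the Tripwire papers
# describe; not Tripwire's code or its database format. Paths, file
# contents and the simulated intrusion below are constructed.
import hashlib
import os
import stat
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (path relative to root) to its recorded attributes."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are skipped in this illustration
            db[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, deleted or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "changed": changed}


def demo() -> dict:
    """Build a tiny tree, baseline it, tamper with it, and rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        passwd = os.path.join(root, "passwd")
        with open(login, "wb") as f:
            f.write(b"original login binary\n")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/:/bin/sh\n")
        baseline = snapshot(root)

        # Simulated intrusion: a trojaned login of identical size (a size or
        # mtime check alone would miss it), a new file, and a deleted file.
        with open(login, "wb") as f:
            f.write(b"trojaned login binary\n")
        with open(os.path.join(root, "bin", "sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(passwd)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8} {p}")
```

The comparison is only as trustworthy as the baseline: it must be taken on a known-clean system and kept, with the checker itself, on read-only or offline media, since an intruder with root can otherwise rewrite both the files and the database.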
-
UNIX & Security
- Describes many of the security features of the UNIX operating system, as well as features that could be added to result in an evaluatable system at Class C2.
-
UTnet Guide to UNIX System Security
- A guide to UNIX security resources.
-
Computer Viruses as Artificial Life
- A consideration of computer viruses as artificial life - self-replicating organisms.
-
Frequently Asked Questions on VIRUS-L/comp.virus
-
Organizing a Corporate Anti-Virus Effort
- A description of how IBM Corp. has learned to cope with computer viruses and related threats.
-
Computer Security
- The G.A.O.'s report on the Internet Worm of November, 1988, and on the then-current state of Internet vulnerabilities and prosecution of computer virus cases.
-
The Internet Worm Program: An Analysis
- A description of the algorithms used by the Internet Worm program of November 2, 1988.
-
The Internet Worm Incident
- A description of the events involved in the Internet Worm of November 2, 1988.
-
An Overview of Computer Viruses in a Research Environment
- An examination of computer viruses as malicious logic in a research and development environment and current techniques in controlling the threats of viruses and other malicious logic programs.
-
Computer Viruses and Related Threats: A Management Guide
- Guidelines for preventing, deterring, containing, and recovering from attacks of viruses and related threats. A report from the U.S. National Institute of Standards and Technology.
-
With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
- A detailed description of the events of the Internet Worm of November 2, 1988 from one of the teams of people who combatted it.
-
A Guide to the Selection of Anti-Virus Tools and Techniques
- Criteria for judging the functionality, practicality, and convenience of anti-virus tools. A report from the U.S. National Institute of Standards and Technology.
-
A Tour of the Worm
- A tour of the Internet Worm of November 2, 1988.
Comments to
jbk@alw.nih.gov