FIRST Security Papers

This is a large collection of papers about various different computer security issues. These papers were originally a part of Forum of Incident Response and Security Teams' (FIRST) 1994 Security Tools and Techniques CD-ROM.

Table of Contents

• Authentication -- Documents related to authentication of users, communications, and hosts.
• Criteria -- Documents related to security evaluation criteria for computer systems and protocols.
• Cryptography -- Documents related to cryptograhic protocols and methods.
• Firewall -- Documents related to the construction and use of network firewalls.
• General -- Documents that cover computer security in general and other miscellaneous topics.
• Legal -- Documents related to computer security, the law, and ethics.
• Password -- Documents related to passwords.
• Protocol -- Documents related to the design of secure network protocols, and to the security analysis of existing protocols.
• Unix -- Documents related to the security of the UNIX operating system.
• Virus -- Documents related to computer viruses, worms, etc.

Authentication

Kerberos: An Authentication Service for Open Network Systems

A description of the Kerberos authentication system.

Designing an Authentication System: A Dialogue in Four Scenes

A ``play'' in which the characters end up designing an authentication system much like Kerberos. Provides an easy-to-understand description of why Kerberos is the way it is.

Limitations of the Kerberos Authentication System

A description of some limitations and weaknesses in the Kerberos authentication system.

KryptoKnight Authentication and Key Distribution System

An authentication and key distribution system that provides facilities for secure communication in any type of network environment.

Long Running Jobs in an Authenticated Environment

A system for running batch jobs in an environment in which users must have tokens or tickets to run.

A Note on the Use of Timestamps as Nonces

A note on the use of timestamps in authentication protocols.

Evaluation Criteria

Canadian Trusted Computer Product Evaluation Criteria, Part 1

The Canadian "Orange Book."

Canadian Trusted Computer Product Evaluation Criteria, Part 2

The Canadian "Orange Book."

Executive Guide to the Protection of Information Resources

A U.S. National Institute of Standards and Technology publication.

Federal Criteria for Information Technology Security, Volume 1

The new "Orange Book."

Federal Criteria for Information Technology Security, Volume 2

The new "Orange Book."

Green Book on the Security of Information Systems

A document that sets out the development of a consistent approach to Information Security in Europe, taking into account common interests with other countries.

Foundations for the Harmonization of Information Technology Security Standards

An analysis of the differences between the U.S., Canadian, and European Information Technology Security efforts, and discussions of how to make them more similar.

Horses and Barn Doors: Evolution of Corporate Guidelines for Internet Usage

A description of how Intel Corp.'s Internet usage policies were developed.

Guidelines for the Secure Operation of the Internet - RFC 1281

Provides a set of guidelines to aid in the secure operation of the Internet.

Information Technology Security Evaluation Criteria

The European "Orange Book."

Management Guide to the Protection of Information Resources

A U.S. National Institute of Standards and Technology publication.

Open Systems Security

An Architectural Framework Thesis dissertation presenting an architecture for building secure open systems communication via untrusted global data networks.

Protection and Security Issues for Future Systems

An examination of the problems of protection and security as applied to future computer systems.

Relating Functionality Class and Security Sub-Profile Specifications

A discussion of various alternatives for associating functionality class and security sub-profiile specifications, such as those presented in the Federal Criteria (fcvol1.ps and fcvol2.ps).

Department of Defense Trusted Computer System Evaluation Criteria

The "Orange Book."

Cryptography

Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy

A report of a special panel of the ACM (Association for Computing Machinery) U.S. Public Policy Committee.

Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise

An extension of the protocol described in neke.ps that removes the requirement that the host store passwords in cleartext.

A Cryptographic File System for Unix

A description of a UNIX file system implementation that provides transparent encryption and decryption of files stored on the disk.

Key Management in an Encrypting File System

A description of how "smart cards" can be used to manage the keys used by the encryption file system described in cfs.ps.

A High-Speed Software DES Implementation

Describes a high-speed software implementation of the Data Encryption Standard.

Using Content-Addressable Search Engines to Encrypt and Break DES

A very simple parallel architecture using a modifed version of content-addressable memory can be used to cheaply and efficiently encipher and decipher data with DES-like systems. Describes how to implement these systems, and also how to construct a large scale engine for exhaustively searching the keyspace of DES.

Protocol Failure in the Escrowed Encryption Standard

A description of some protocol weaknesses in the Clinton administration's Escrowed Encryption Standard, also known as the Clipper Chip.

Why Cryptosystems Fail

A survey of the failure modes of retail banking systems, the second largest application of cryptography.

Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks

A combination of public- and private-key cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network. The protocol is secure against active attack, and also against off-line "dictionary" attacks.

Public-Key Cryptography Standards from RSA Laboratories

Some Examples of the PKCS Standards

A Layman's Guide to a Subset of ASN.1, BER, and DER

An Overview of the PKCS Standards

RSA Encryption Standard

Deprecated

Diffie-Hellman Key-Agreement Standard

Deprecated

Password-Based Encryption Standard

Extended-Certificate Syntax Standard

Cryptographic Message Syntax Standard

Private-Key Information Syntax Standard

Selected Attribute Types

Certifcation Request Syntax Standard

Network Security via Private-Key Certificates

Some practical security protocols that use private-key encryption in the public-key style.

Answers to Frequently Asked Questions About Today's Cryptography

Cryptography FAQ

SKIPJACK Review: Interim Report: The SKIPJACK Algorithm

The report from the group of non-government cryptologists who reviewed the classified SKIPJACK encryption algorithm used in the Clinton administration's Clipper and Capstone chips.

The Architecture and Implementation of Network Layer Security Under Unix

A description of a network-layer security protocol for the IP protocol suite that provides authentication, integrity, and confidentiality of IP datagrams.

Visa Protocols for Controlling Inter-Organizational Datagram Flow

A cryptographic method for authenticating and authorizing a flow of datagrams.

Visa Protocols for Controlling Inter-Organizational Datagram Flow: Extended Description

A cryptographic method for authenticating and authorizing a flow of datagrams.

Firewall

Packet Filtering in an IP Router

A description of how the packet filtering facility in the Telebit NetBlazer was designed and developed.

A Network Firewall

A description of Digital Equipment Corporation's network firewall between its corporate network and the Internet.

Thinking About Firewalls (PS)

A description of some of the considerations and trade-offs in designing network firewalls.

An Internet Gatekeeper

A description of how to construct an Internet firewall.

The Design of a Secure Internet Gateway

A description of the design of the firewall used by AT&T to protect their corporate network from the Internet.

A Network Perimeter With Secure External Access

A description of the firewall in use at whitehouse.gov.

Packets Found on an Internet

A description of the types of packets, particularly the anomalous ones, that appeared at the AT&T firewall.

Network (In)Security Through IP Packet Filtering

A description of how to use the packet filtering features of commercial routers as a security tool.

Simple and Flexible Datagram Access Controls for Unix-based Gateways

A description of the screend packet filtering system.

TCP Wrapper: Network Monitoring, Access Control, and Booby Traps

A description of the author's tcpwrapper software.

A Toolkit and Methods for Internet Firewalls (PS)

A description of the Trusted Information Systems Firewall Toolkit.

An Architectural Overview of UNIX Network Security

A description of a number of UNIX-related components of network security, particularly as they pertain to firewalls.

X Through the Firewall, and Other Application Relays

A description of how to create application-specifc relays to pass traffic through a network firewall.

General

An Evening With Berferd: In Which a Cracker is Lured, Endured, and Studied

A description of how the author kept an attacker ``on the line'' for several months in order to learn his methods.

Computer Emergency Response - An International Problem

A call for international cooperation between computer emergency response teams, and suggested methods for achieving it.

Compromise: What if Your Machines are Compromised by an Intruder

Suggestions for securing a system after it has already been compromised.

There Be Dragons

A description of the wide variety of attacks attempted on the AT&T Internet firewall.

Establishing a Computer Security Incident Response Capability

Procedures and issues for establishing a computer security incident response team.

Almost Everything You Wanted To Know About Security

Software Forensics: Can We Track Code to its Authors?

An idea that it may be possible to identify the authors of malicious software by the style and features of their programs.

How to Set Up a Secure Anonymous FTP Site

Methods for numerous different operating systems.

Security Breaches: Five Recent Incidents at Columbia University

A detailed account of five break-ins at Columbia University, and the steps taken to stop them.

The Social Organization of the Computer Underground

The author's thesis for a master's degree in sociology.

Site Security Handbook - RFC 1244

The product of the Site Security Policy Handbook Working Group of the Internet Engineering Task Force.

Computer Break-ins: A Case Study

A study of multiple break-in attempts at Vrije Universiteit in Amsterdam.

Electronic Currency for the Internet

A framework for electronic currency for the Internet that provides a real-time electronic payment system.

NetCash: A Design for Practical Electronic Currency on the Internet

A framework for electronic currency for the Internet that provides a real-time electronic payment system.

Computer User's Guide to the Protection of Information Resources

A report from the U.S. National Institute of Standards and Technology.

An Introduction to Computer Security: The NIST Handbook (part 1) (part 2) (part 3) (part 4) (part 5)

A publication of the U.S. National Institute of Standards and Technology. This is a draft copy, included with permission.

Security Patches FAQ for Your System: The Patch List

A list of security patches for most any operating system, and how to obtain them.

Proxy-Based Authorization and Accounting for Distributed Systems

A method to support both authorization and accounting in a distributed environment.

Pseudo-Network Drivers and Virtual Networks

A method for creating pseudo-networks, much like the pseudo-terminals in use on many UNIX systems.

Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery

A basic text for the author's one-day seminar on the practical aspects of computer security in an unclassified networked environment.

Automated Tools for Testing Computer System Vulnerability

Discusses some of the automated tools for checking the security of a wide variety of systems.

Vendor Security Contacts: Reporting Vulnerabilities and Obtaining New Patches

Contact names, numbers, and addresses for most major operating systems.

Legal

Defamation Liability of Computerized Bulletin Board Operators and Problems of Proof

A discussion of the libel and slander laws, and how they apply to bulletin board operators.

Complete text of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030.

Frequently Asked Questions About Copyright

Computer Security and the Law

A review of legal issues surrounding computer security, for the system administrator.

Cubby v. CompuServe

The complete text of the judge's decision in the Cubby v. CompuServe libel case, in which CompuServe was found not to be responsible for material posted on one of their bulletin boards.

Complete text of the Electronic Communications Privacy

Act of 1986, United States Public Law 99-508.

E-Law: Legal Issues Affecting Computer Information Systems and System Operator Liability

First appeared in the Albany Law Journal of Science and Technology, Volume 3 , Number 1.

Are Computer Hacker Break-ins Ethical?

Lists and refutes many of the reasons given to justify computer break-ins.

The complete text of the U.S. Family Educational Right to Privacy Act ( the Buckley Amendment), 20 U.S.C.

Information about the computer crime laws in France.

Legal Issues, A Site Manager's Nightmare Examines the legal ramifications of computer security laws on system administrators.

Internet Libel: Is the Provider Responsible?

An examination of the Cubby v. Compuserve case as it applies to Internet service providers.

Computer Electronic Mail and Privacy

A discussion of the Electronic Communications Privacy Act as it applies to electronic mail.

Some Musings on Ethics and Computer Break-Ins

A discussion of ethics and responsibility, particularly as they pertain to the Internet Worm of November, 1988.

Complete text of the Privacy Act of 1974 and Amendments, 5 U.S.C. 552a.

An Introduction to Computer Security for Lawyers

A number of articles serving to introduce lawyers to the concepts behind computer security.

Revised Computer Crime Sentencing Guidelines

A description of the new federal sentencing guidelines that address the Computer Fraud and Abuse Act.

Computer crime laws, listed by state.

Password

Department of Defense Password Management Guideline

Enumerates a number of good password management practices.

Standard for Automated Password Generator

Federal Information Processing Standard No. 181.

Foiling the Cracker: A Survey of, and Improvements to, Password Security

Demonstrates the ease with which most passwords can be guessed by a motivated attacker.

Observing Reusable Password Choices

A method for observing password choices made by users, and how to protect it from being compromised.

OPUS: Preventing Weak Password Choices

A system that uses Bloom filters to implement a constant-time dictionary lookup, regardless of dictionary size, to check a user's password choice for " goodness"

User Authentication and Related Topics: An Annotated Bibliography

Password Security: A Case History

A description of the original UNIX password algorithm, and the reasons for replacing it with the current one.

UNIX Password Security - Ten Years Later

A reexamination of the UNIX password algorithm after ten years of advances in software and hardware.

The S/Key One-Time Password System

A freely available implementation of one-time passwords.

Protocol

Highjacking AFS

A description of security weaknesses in the Andrew File System (AFS).

An End-to-End Argument for Network Layer, Inter-Domain Access Controls

A method by which different administrative domains of an internetwork can interconnect without exposing their internal resources to unrestricted access.

Identification Protocol - RFC 1413

A description of the Identification Protocol, a means to determine the identity of the user of a particular TCP connection.

Security Problems in the TCP/IP Protocol Suite

A description of several attacks on TCP/IP protocols including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks.

A Unix Network Protocol Security Study: Network Information Service

A discussion of the security weaknesses in the Network Information Service (Yellow Pages) protocol from Sun Microsystems.

A Security Analysis of the NTP Protocol

A security analysis of the Network Time Protocol (NTP).

Protocol Design for Integrity Protection

A design method for message integrity protection.

Privacy-Enhanced Electronic Mail

A description of the Internet Privacy-Enhanced Mail protocols.

A Weakness in the 4.2BSD TCP/IP Software

A description of a security weakness of the TCP/IP protocol suite as implemented in 4.2BSD UNIX.

Security Analyses of Network Time Services

An analysis of the security requirements for a network time service.

Secure Control of Transit Internetwork Traffic

Methods for controlling traffic traversing a local network on its way from one remote network to another.

Access Control and Policy Enforcement in Internetworks (part1) (part2) (part3)

Methods of controlling access policy between different administrative domains of an internetwork.

Unix

The COPS Security Checker System

A description of one of the most popular UNIX security scanners.

Improving the Security of Your Site by Breaking Into It

Discussion of a number of commonly used attacks on UNIX systems, and how to check your systems for vulnerability to them.

Next-Generation Intrusion Detection Expert System (NIDES)

Detecting Intruders in Computer Systems

Software Requirements Specification: Next Generation Intrusion Detection Expert System

SAFEGUARD Final Report: Detecting Unusual Program Behavior Using the NIDES Statistical Component

The NIDES Statistical Component: Description and Justification

Automated Audit Trail Analysis and Intrusion Detection: A Survey

Life Without Root

A method for authorizing users to perform certain system administration tasks without giving them the super-user password.

UNIX Password Security

A discussion of the importance of well-chosen passwords, and how passwords are cracked.

On the Security of UNIX

The original UNIX security paper.

The `Session Tty' Manager

A method for controlling access to terminals by background processes after the user has logged out.

Improving the Security of Your UNIX System (PS)

A description of many of the security features of the average UNIX system, and how to use them.

UNIX Security Tools

An excellent summary of most of the public domain UNIX security tools, and where to obtain them.

The Design and Implementation of Tripwire: A File System Integrity Checker

Tripwire computes checksums of files on the system, and then scans later for any changes to those files.

Experiences With Tripwire: Using Integrity Checkers for Intrusion Detection

A description of how the Tripwire integrity checker (see tripwire.ps) has performed in the field.

UNIX & Security

Describes many of the security features of the UNIX operating system, as well as features that could be added to result in an evaluatable system at Class C2.

UTnet Guide to UNIX System Security

A guide to UNIX security resources.

Virus

Computer Viruses as Artificial Life

A consideration of computer viruses as artificial life - self-replicating organisms.

Frequently Asked Questions on VIRUS-L/comp.virus

Organizing a Corporate Anti-Virus Effort

A description of how IBM Corp. has learned to cope with computer viruses and related threats.

Computer Security

The G.A.O.'s report on the Internet Worm of November, 1988, and on the then-current state of Internet vulnerabilities and prosecution of computer virus cases.

The Internet Worm Program: An Analysis

A description of the algorithms used by the Internet Worm program of November 2, 1988.

The Internet Worm Incident

A description of the events involved in the Internet Worm of November 2, 1988.

An Overview of Computer Viruses in a Research Environment

An examination of computer viruses as malicious logic in a research and development environment and current techniques in controlling the threats of viruses and other malicious logic programs.

Computer Viruses and Related Threats: A Management Guide

Guidelines for preventing, deterring, containing, and recovering from attacks of viruses and related threats. A report from the U.S. National Institute of Standards and Technology.

With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988

A detailed description of the events of the Internet Worm of November 2, 1988 from one of the teams of people who combatted it.

A Guide to the Selection of Anti-Virus Tools and Techniques

Criteria for judging the functionality, practicality, and convenience of anti-virus tools. A report from the U.S. National Institute of Standards and Technology.

A Tour of the Worm

A tour of the Internet Worm of November 2, 1988.

Up to Unix Security Information