PRIVACY Forum Digest Monday, 28 October 1996 Volume 05 : Issue 20

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the
ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division
of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------


CONTENTS
Postal "Change of Address" Issues on PRIVACY Forum Radio
    (Lauren Weinstein; PRIVACY Forum Moderator)
Web Search Service Exposes Searches to Public Viewing
    (Lauren Weinstein; PRIVACY Forum Moderator)
"Holographic" Full-Body Security Scanning
    (Lauren Weinstein; PRIVACY Forum Moderator)
Re: Blood and Privacy? (Joe Decker)
A new attack on DES (Monty Solomon)
IEEE Symposium on Security and Privacy - call for papers
    (Mary Ellen Zurko)


*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 20

Quote for the day:

"A stereo's a stereo. Art is forever."

-- Neil (Cheech Marin)
"After Hours" (Geffen/Warner Bros.; 1985)

----------------------------------------------------------------------
-
Date: Sun, 27 Oct 96 16:55 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Postal "Change of Address" Issues on PRIVACY Forum Radio

Greetings. The next installment of PRIVACY Forum Radio is now available for
your listening pleasure. This latest show features two interviews I
recently conducted related to controversies surrounding U.S. mail "change of
address" issues. The first interview is with Mike Selnick of the United
States Postal Service in Washington, D.C., regarding commercial use of change
of address data. This is followed by John Brugger of the United States
Postal Inspection Service (also in D.C.) on the topic of fraudulent
activities related to change of address filings.

The total running time of the show is approximately 30 minutes.
As always, these interviews are accessible at the
PRIVACY Forum/PRIVACY Forum Radio links via:

http://www.vortex.com

--Lauren--

------------------------------
-
Date: Fri, 11 Oct 96 11:13 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Web Search Service Exposes Searches to Public Viewing

In a new twist related to privacy problems, one of the more major Web search
services, the "Magellan Internet Guide" from the McKinley Group, Inc.
(http://www.mckinley.com), has implemented a feature which allows anyone to
"spy" on other people's searches. Called the "Search Voyeur", the mechanism
automatically shows the text of 20 current, randomly selected searches,
refreshed every 20 seconds. They certainly haven't been trying to hide it;
it was prominently mentioned in one of their press releases.

While origin address information is not included, and they say they don't
show searches that go beyond their "editorial guidelines" (presumably an
obscenity filter), even a brief viewing of the searches flying by suggests a
substantial privacy risk. Search keywords often include individuals' names
associated with various actions or activities. While some of the searches
can best be described as "amusing", it doesn't take too long to see others
that are troubling at best and potentially significant privacy violations at
worst.

While the "Search Voyeur" is listed (without explanation) as a link
on their home page along with a search form box, there is no explicit
statement warning users that their searches could potentially be
viewed by anyone on the net.

The entire concept seems ill-advised. The PRIVACY Forum has made repeated
email and telephone attempts to obtain any kind of statement or interview
from McKinley (and their new owner, Excite, Inc.) about this issue. These
attempts have so far been completely unsuccessful; email has been
ignored and promised return phone calls have not been forthcoming.

--Lauren--

------------------------------
-
Date: Sun, 27 Oct 96 15:15 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "Holographic" Full-Body Security Scanning

According to an article in the Oct-Nov 1996 issue of "Compressed Air"
magazine (a wonderful Ingersoll-Rand publication that covers a very wide
range of topics), the Federal Aviation Administration is planning to begin
testing the use of a full-body "holographic" imaging system at a U.S.
airport next year.

The system (an earlier version of which was discussed previously in the
PRIVACY Forum) actually uses millimeter waves (~30 GHz) to quickly (within
a few seconds) generate a "naked" image of the scannee. The device has been
under development for a number of years and appears to be evolving rapidly.
The transmitted millimeter radiation passes through clothes but bounces off
the body or other objects (e.g., everything from loose change to firearms,
hidden money packets, etc.).

Outside of the rather obvious broader privacy implications of such a device,
two special issues should also be considered. First, even though the
millimeter radiation used is non-ionizing (i.e., less energetic than x-rays),
there is considerable controversy about the health risks of exposure to
non-ionizing radiation at these wavelengths. The statement is made that the
system is similar in exposure to supermarket "door opener" microwave
scanners, though this seems somewhat difficult to accept given the
completely different scanning requirements of the two devices.

But another problem may be even more likely to concern the public at large
about such equipment. As the photographs included with the article show all
too clearly, the device generates quite detailed "nude" images. It is
decidedly uncertain how people will feel about being required to pass
through a system that creates instant 360 degree naked pictures, possibly
archived to tape as well! The promoters of the system suggest that using
"same-sex" operators would alleviate these concerns. Excuse me, but are we
all living on the same planet? Talk about needing a reality check...

I have no doubt that there might be special situations where such a device,
as an alternative to "pat-downs" or other intrusive personal searches, could
be useful. But broadscale deployment of such systems in airports as a
routine body scanning procedure seems unlikely to be acceptable to most of
the public.

--Lauren--

------------------------------
-
Date: Tue, 15 Oct 96 10:28:11 PDT
From: joe@synaptics.com (Joe Decker)
Subject: Re: Blood and Privacy?

John Levine wrote:
> * The Red Cross seems to use a scheme where they accept blood from pretty
> much anyone, but if your blood flunks a test they'll silently discard all
> future donations from you. I presume this is one of the main impetuses for
> the SSN tagging. Of course, since they make no attempt to verify the SSN you
> provide, a bad guy who had contaminated blood and wanted to subvert their
> system need only make up a different SSN on each visit.

Yes, it is my understanding as a long-time blood donator that the discarding
process is the impetus for the SSN tagging.

One nit: I don't believe that the Red Cross is trying to catch
malicious people trying to subvert the blood supply. I believe their
primary concern is trying to minimize the risk of someone donating
blood that has any chance of being (say) HIV-positive. Even if told
their blood had tested positive, a donator might later decide their
blood was safe on the basis of other tests, or their own faith, and
work to donate their blood anyhow. This is a distinct mindset from
'I'm trying to subvert the blood supply.', and without knowing numbers,
many of the checks in the donation process seemed to be aimed at
overcoming the ability of the donator to deny (to themselves or others)
any risks their blood might contain.

(I do not speak for the Red Cross.)

--joe

joe@synaptics.com decker@alumni.caltech.edu jdecker@pacbell.net

------------------------------
-
Date: Tue, 22 Oct 1996 03:41:13 -0400
From: Monty Solomon <monty@roscom.COM>
Subject: A new attack on DES

Excerpt from RISKS DIGEST 18.54

Date: Fri, 18 Oct 1996 16:58:50 +0200
From: Shamir Adi <shamir@wisdom.weizmann.ac.il>
Subject: A new attack on DES

You have recently referred in RISKS [18.50, 18.52] to the ingenious new
attack against public key cryptosystems developed at Bellcore. All the
published information on the subject (including Bellcore's press release)
stresses that the attack is not applicable to secret key cryptosystems. Well,
Eli Biham and I have just released a research announcement in which we show
that an extension of the attack can, under the same realistic fault model,
break almost any secret-key algorithm, including DES, multiple DES, IDEA,
etc. The attack on DES was actually implemented on a PC, and it found the
key by analysing fewer than 200 ciphertexts generated from unknown
cleartexts.

Adi Shamir

= = = = = =

Research announcement: A new cryptanalytic attack on DES

Eli Biham
Computer Science Dept.
The Technion
Israel

Adi Shamir
Applied Math Dept.
The Weizmann Institute
Israel

18 October 1996
(DRAFT)

In September 96, Boneh, DeMillo and Lipton from Bellcore announced an
ingenious new type of cryptanalytic attack which received widespread
attention (see, e.g., John Markoff's 9/26/96 article in the New York Times).
Their full paper has not been published so far, but Bellcore's press release
and the authors' FAQ (available at
http://www.bellcore.com/PRESS/ADVSRY96/medadv.html) specifically state that
the attack is applicable only to public key cryptosystems such as RSA, and
not to secret key algorithms such as the Data Encryption Standard (DES).
According to Boneh, "The algorithm that we apply to the device's faulty
computations works against the algebraic structure used in public key
cryptography, and another algorithm will have to be devised to work against
the nonalgebraic operations that are used in secret key techniques." In
particular, the original Bellcore attack is based on specific algebraic
properties of modular arithmetic, and cannot handle the complex bit
manipulations which underlie most secret key algorithms.

In this research announcement, we describe a related attack (which we call
Differential Fault Analysis, or DFA), and show that it is applicable to
almost any secret key cryptosystem proposed so far in the open literature.
In particular, we have actually implemented DFA in the case of DES, and
demonstrated that under the same hardware fault model used by the Bellcore
researchers, we can extract the full DES key from a sealed tamperproof DES
encryptor by analysing fewer than 200 ciphertexts generated from unknown
cleartexts. The power of Differential Fault Analysis is demonstrated by the
fact that even if DES is replaced by triple DES (whose 168 bits of key were
assumed to make it practically invulnerable), essentially the same attack
can break it with essentially the same number of given ciphertexts.

We would like to gratefully acknowledge the pioneering contribution of Boneh,
DeMillo and Lipton, whose ideas were the starting point of our new attack.

In the rest of this research announcement, we provide a short technical
summary of our practical implementation of Differential Fault Analysis of
DES. Similar attacks against a large number of other secret key cryptosystems
will be described in the full version of our paper.

TECHNICAL DETAILS OF THE ATTACK

The attack follows the Bellcore fundamental assumption that by exposing a
sealed tamperproof device such as a smart card to certain physical effects
(e.g., ionizing or microwave radiation), one can induce with reasonable
probability a fault at a random bit location in one of the registers at some
random intermediate stage in the cryptographic computation. Both the bit
location and the round number are unknown to the attacker.

We further assume that the attacker is in physical possession of the
tamperproof device, so that he can repeat the experiment with the same
cleartext and key but without applying the external physical effects. As a
result, he obtains two ciphertexts derived from the same (unknown) cleartext
and key, where one of the ciphertexts is correct and the other is the result
of a computation corrupted by a single bit error during the computation. For
the sake of simplicity, we assume that one bit of the right half of the data
in one of the 16 rounds of DES is flipped from 0 to 1 or vice versa, and
that both the bit position and the round number are uniformly distributed.

In the first step of the attack we identify the round in which the fault
occurred. This identification is very simple and effective: If the fault
occurred in the right half of round 16, then only one bit in the right half
of the ciphertext (before the final permutation) differs between the two
ciphertexts. The left half of the ciphertext can differ only in output bits
of the S box (or two S boxes) to which this single bit enters, and the
difference must be related to non-zero entries in the difference
distribution tables of these S boxes. In such a case, we can guess the six
key bits of each such S box in the last round, and discard any value which
disagrees with the expected differences of these S boxes (e.g., differential
cryptanalysis). On average, about four possible 6-bit values of the key
remain for each active S box.

If the faults occur in round 15, we can gain information on the key bits
entering more than two S boxes in the last round: the difference of the
right half of the ciphertext equals the output difference of the F function
of round 15. We guess the single bit fault in round 15, and verify whether
it can cause the expected output difference, and also verify whether the
difference of the right half of the ciphertext can cause the expected
difference in the output of the F function in the last round (e.g., the
difference of the left half of the ciphertext XOR the fault). If
successful, we can discard possible key values in the last round, according
to the expected differences. We can also analyse the faults in the 14th
round in a similar way. We use counting methods in order to find the key.
In this case, we count for each S box separately, and increase the counter
by one for any pair which suggests the six-bit key value by at least one of
its possible faults in either the 14th, 15th, or 16th round.

We have implemented this attack on a personal computer. Our analysis
program found the whole last subkey given fewer than 200 ciphertexts,
with random single-faults in all the rounds.

This attack finds the last subkey. Once this subkey is known, we can
proceed in two ways: We can use the fact that this subkey contains 48 out of
the 56 key bits in order to guess the missing 8 bits in all the possible
2^8=256 ways. Alternatively, we can use our knowledge of the last subkey to
peel off the last round (and remove faults that we already identified), and
analyse the preceding rounds with the same data using the same attack. This
latter approach makes it possible to attack triple DES (with 168 bit keys),
or DES with independent subkeys (with 768 bit keys).

This attack still works even with more general assumptions on the fault
locations, such as faults inside the function F, or even faults in the key
scheduling algorithm. We also expect that faults in round 13 (or even prior
to round 13) might be useful for the analysis, thus reducing the number of
required ciphertexts for the full analysis.

OTHER VULNERABLE CIPHERS

Differential Fault Analysis can break many additional secret key
cryptosystems, including IDEA, RC5 and Feal. Some ciphers, such as Khufu,
Khafre and Blowfish compute their S boxes from the key material. In such
ciphers, it may be even possible to extract the S boxes themselves, and the
keys, using the techniques of Differential Fault Analysis. Differential
Fault Analysis can also be applied against stream ciphers, but the
implementation might differ by some technical details from the
implementation described above.
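
[Moderator's note: the following is an added worked example illustrating the
round-16 step of the announcement above. It is not code from the digest, from
Biham and Shamir, or from Bellcore.] It reduces DES to a single last-round
S box: a simulated sealed encryptor produces a correct and a single-bit-faulted
output, and the differential filter keeps only those 6-bit subkey chunks for
which the observed output difference is possible, which is the step the
announcement describes as leaving "about four possible 6-bit values" per pair.
The S1 table is the genuine DES one; the device model, the simplification that
the fault lands directly in the 6-bit expanded S box input (in real DES one
flipped right-half bit enters one or two S boxes through the E expansion), the
constructed inputs, and all function names are this example's own assumptions.

```python
import random

# DES S-box S1, the genuine table from FIPS 46: 4 rows of 16 entries.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(u):
    """S1 lookup on a 6-bit value: outer bits pick the row, middle four the column."""
    row = (((u >> 5) & 1) << 1) | (u & 1)
    col = (u >> 1) & 0xF
    return S1[row][col]


def faulty_device(x, key, fault_bit):
    """Simulated sealed encryptor, reduced to one S box of round 16 (hypothetical model).

    x is the 6-bit expanded input before the subkey XOR; the attacker knows it,
    because it comes from the right half of the ciphertext. key is the secret
    6-bit subkey chunk. The second run has bit `fault_bit` of x flipped, which
    is the single-bit fault of the announcement. Returns (correct, faulty).
    """
    good = sbox(x ^ key)
    bad = sbox((x ^ (1 << fault_bit)) ^ key)
    return good, bad


def candidates(x, fault_bit, out_diff):
    """Subkey chunks for which the observed S box output difference is possible.

    This is the differential-cryptanalysis filter: both inputs (x and x with one
    bit flipped) and the output XOR recovered from the left-half difference of
    the two ciphertexts are known, so every k whose two S box outputs differ by
    exactly out_diff survives and every other k is discarded.
    """
    xp = x ^ (1 << fault_bit)
    return {k for k in range(64) if sbox(x ^ k) ^ sbox(xp ^ k) == out_diff}


def recover_subkey_chunk(key, trials=60, seed=1):
    """Intersect candidate sets over many random (input, fault position) pairs.

    `key` only drives the simulated device; the recovery sees nothing but the
    correct/faulty output pairs. Returns the surviving subkey chunks.
    """
    rng = random.Random(seed)
    survivors = set(range(64))
    for _ in range(trials):
        x = rng.randrange(64)          # unknown cleartext -> random S box input
        fault_bit = rng.randrange(6)   # random bit position, as in the fault model
        good, bad = faulty_device(x, key, fault_bit)
        survivors &= candidates(x, fault_bit, good ^ bad)
    return survivors


if __name__ == "__main__":
    # Constructed case: subkey chunk 21, input 21, fault in the top input bit.
    print(faulty_device(21, 21, 5))            # (14, 4)
    print(sorted(candidates(21, 5, 14 ^ 4)))   # [21, 28, 53, 60]
    print(recover_subkey_chunk(21))            # {21}
```

For the constructed pair the filter keeps exactly four of the 64 chunk values,
matching the "about four" figure in the announcement, and intersecting over a
few dozen faults at different bit positions leaves only the true chunk; the
full attack repeats this for each of the eight S boxes to obtain the 48-bit
last subkey. This is also why implementations meant to resist fault induction
recompute or verify a result before releasing it, so that a corrupted
ciphertext never leaves the device.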

------------------------------

Date: Mon, 14 Oct 1996 10:50:00 -0400
From: Mary Ellen Zurko <zurko@osf.org>
Subject: IEEE Symposium on Security and Privacy - call for papers

CALL FOR PAPERS

1997 IEEE Symposium on Security and Privacy
May 4-7, 1997
Oakland, California

sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)

The Symposium on Security and Privacy has, for 16 years, been the
premier forum for the presentation of developments in computer
security and for bringing together researchers and practitioners in the
field. We seek to build on this tradition of excellence by
re-emphasizing work on engineering and applications while maintaining
our interest in theoretical advances.

We continue to seek to broaden the scope of the Symposium. We want to
hear not only about new theoretical results, but also about the design
and implementation of secure systems in specific application areas and
about policies relating to system security. We are particularly
interested in papers on policy and technical issues relating to privacy
in the context of the information infrastructure, papers that relate
software and system engineering technology to the design of secure
systems and papers on hardware and architectural support for secure
systems. Papers or panels which discuss the application of theory to
practice and which describe not only the successes but also the failures
and the lessons learned are of special interest.

Topics on which papers and panel session proposals are invited
include, but are not limited to, the following:

Commercial and Industrial Security,
Security and other Critical System Properties,
Secure Systems,
Distributed Systems,
Network Security,
Database Security,
Data Integrity,
Access Controls,
Information Flow,
Security Verification,
Viruses and Worms,
Security Protocols,
Authentication,
Biometrics,
Smartcards,
Auditing,
Intrusion Detection,
Privacy Issues,
Policy Modeling

A continuing feature of the symposium will be a session of 5-minute
talks. We want to hear from people who are advancing the field in the
areas of system design and implementation, but may lack the resources
needed to prepare a full paper. Abstracts of these talks will be
distributed at the Symposium.

INSTRUCTIONS FOR AUTHORS:
This year we are instituting mechanisms for "electronic" submission
of papers for the refereeing process. Final papers will still be
submitted in hard copy.

We will continue to accept papers submitted via various forms of mail,
but not fax. Papers should include an abstract, must not exceed 7500
words, and must report original work that has not been published
previously and is not under consideration for publication
elsewhere. The names and affiliations of authors should appear on a
separate cover page only, as "blind" refereeing is used. Authors must
certify prior to December 27, 1996 that all necessary clearances for
publication have been obtained. The committee strongly encourages
authors to include archival sources as references (books, journal
articles, etc.) and to include references to "WEB" or other "NET"
sources only if they can be backed up by some archival source. In this
way, we can ensure that people who read the paper 5 years from now
will have access to the information used as background and
justification of the arguments presented.

Panel proposals should include a title, an abstract which describes
the topic(s) to be discussed, the names of all proposed participants
and assurances that the participants agree to serve on the panel, a
proposed length and format for the panel and any other information
that the panel proposer thinks would support their proposal. We will
publish the Panel Abstract in the Proceedings as well as any position
papers submitted by the panelists in support of the panel proposal.

Those submitting papers via "hard copy" should send six copies of
their paper or panel proposal to:

George W. Dinolt, Program Co-Chair
Lockheed Martin Western Development Laboratories,
Mail Stop X20,
3200 Zanker Road,
San Jose, CA 95134.

Please mark the envelope "IEEE Security and Privacy Symposium."

The title, abstract and authors' names should be on a separate cover
page so that we can support the "blind refereeing process." We would
also like to have an electronic, ASCII text version of the abstract
sent separately to secprv97@wdl.lmco.com. The electronic version of
the abstract should include the title and the abstract as it appears
in the paper.

Authors who wish to submit an electronic version of a paper or panel proposal
for evaluation should follow the instructions that will be posted
on our "Web" site at

http://www.itd.nrl.navy.mil/ITD/5540/ieee

or by sending mail to secprv97@wdl.lmco.com with the word
"Instructions" in the Subject line. Instructions will be included in
the reply. Papers and panel proposals must be received (however sent)
by 6:00 P.M. (PST) on Monday Dec. 2, 1996 (the deadline has been
extended from the original call). Authors will be notified by
mid-January about the status of their papers.

Authors who submit an abstract for a 5-minute talk should include a
title, all authors' names and their affiliations, where appropriate,
and text. The whole should fit easily on one 8.5" by 11" page.
Abstracts for 5-minute talks should be sent to George W. Dinolt at the
above U.S. Postal address, to be received no later than Friday,
April 19, 1997 at 6:00 P.M. local time. We will review abstracts and
accept as many as we can. Please mark the envelope

"IEEE Security and Privacy Symposium - 5 minute Abstracts"

General Chair: Steve Kent, BBN, USA
Vice Chair: Mike Reiter, AT&T Laboratories - Research, USA
Program Co-Chairs: George Dinolt, Lockheed Martin WDL, USA
                   Paul Karger, IBM, USA
Treasurer: Charlie Payne, SCTC, USA

Program Committee:
Deborah Cooper, The DMC Company
Terry Vickers Benzel, Trusted Information Systems
Lee Benzinger, Lockheed Martin WDL
Yair Frankel, Sandia Labs
Li Gong, Sun Microsystems
Heather Hinton, Ryerson Polytechnic University, Canada
Cynthia Irvine, Naval Postgraduate School
Sushil Jajodia, George Mason University
Dale Johnson, MITRE
Carl Landwehr, Naval Research Laboratory
Teresa Lunt, DARPA/ITO
John McHugh, Portland State University
John McLean, Naval Research Laboratory
Catherine A. Meadows, Naval Research Laboratory
Richard B. Neely, CTA
Richard E. Newman-Wolfe, University of Florida
Sylvan Pinsky, National Security Agency
Sue Rho, Trusted Information Systems
Mike Reiter, AT&T Laboratories - Research
Peter Ryan, DRA Malvern, United Kingdom
Pierangela Samarati, Universita' di Milano, Italy
Tom Schubert, Portland State University
Elisabeth Sullivan, Sequent
Paul Syverson, Naval Research Laboratory
Tom Van Vleck, CyberCash Inc.
Shyhtsun F. Wu, North Carolina State University
Mary Ellen Zurko, OSF

------------------------------

End of PRIVACY Forum Digest 05.20
************************
