Monday | Tutorial | Tuesday | Tutorial
---|---|---|---
M1 | Using the Common Criteria Version 2.1 | T5 | Using the Common Criteria Version 2.1 - Advanced
M2 | Introduction to Cryptography and Public Key Infrastructure | T6 | Web Security
M3 | Java Security Essentials Part I | T7 | ATM Security
M4 | Java Security Essentials Part II | T8 | Commercial Secure Messaging
Using the Common Criteria Version 2.1
Richard Walzer (The MITRE Corporation)
Murray G. Donaldson (Communications-Electronics Security Group (CESG))
The approach to the analysis and assessment of information technology security products and systems is changing, and it is changing significantly. Version 2.1 of the Common Criteria for Information Technology Security Evaluation (commonly referred to as the "CC") was released on 22 May 1998. The CC was written as a cooperative effort by the Communications Security Establishment (CSE) of Canada, the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) of the United States, the Service Central de la Sécurité des Systèmes d'Information (SCSSI) of France, the Bundesamt für Sicherheit in der Informationstechnik (BSI) of Germany, the Netherlands National Communications Security Agency (NLNCSA), and the Communications-Electronics Security Group (CESG) of the United Kingdom.
A Mutual Recognition Arrangement has already been signed by CSE, NSA, NIST, SCSSI, BSI, and CESG (Canada, the United States of America, France, Germany, and the United Kingdom) to recognize the certificates issued by each other for CC-based evaluations. Several products have successfully completed evaluation and are recognized internationally. CC Version 2.1 is also aligned in content with the new International Standard (IS) 15408, currently in its final publication phase at ISO.
As the Common Criteria gains importance and recognition, it will become increasingly important that we learn this new "language" for expressing IT security requirements. This tutorial will introduce you to the Common Criteria and provide you with the necessary background to understand its use.
An overview of this tutorial includes:
This full-day tutorial will be based heavily upon the 1998 ACSAC tutorial of the same name, "Using the Common Criteria Version 2.1". It will be expanded to give a more international presentation (as opposed to last year's U.S.-centric view), and it will include both lecture and discussion.
Introduction to Cryptography and Public Key Infrastructure
Ron Tencati (Spyrus, Incorporated)
This full-day tutorial introduces participants to the theory and application of cryptography and Public Key Infrastructure (PKI). Both historical and present-day cryptographic applications are surveyed. Students explore conventional (symmetric) and public key encryption schemes, study the differences between Diffie-Hellman and RSA public key technologies, and examine modern cryptographic applications such as SSL, IPsec, elliptic curve cryptography, and digital signatures. A study of the components of a Public Key Infrastructure (PKI) system is also included.
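The Diffie-Hellman versus RSA distinction named above, shown in working code as an illustration added to this listing (it is not part of the tutorial materials). The names `alice` and `bob`, the class name `DhVersusRsa`, and the use of SHA-256 as a stand-in for a proper key derivation function are choices made for this example; the JCA/JCE algorithm names are the standard ones.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Two ways of ending up with a shared symmetric key. "alice" and "bob" are illustrative names. */
public class DhVersusRsa {

    /** Diffie-Hellman key AGREEMENT: both sides contribute randomness and the secret itself
     *  is never transmitted. Returns the key each side derived so the caller can compare. */
    static byte[][] diffieHellman() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DH");
        gen.initialize(2048);
        KeyPair alice = gen.generateKeyPair();

        // Bob must use the same group (p, g); he takes it from Alice's public value.
        DHParameterSpec group = ((DHPublicKey) alice.getPublic()).getParams();
        KeyPairGenerator genB = KeyPairGenerator.getInstance("DH");
        genB.initialize(group);
        KeyPair bob = genB.generateKeyPair();

        // Only alice.getPublic() and bob.getPublic() would travel on the wire.
        byte[] secretA = agree(alice, bob.getPublic());
        byte[] secretB = agree(bob, alice.getPublic());

        // Never use the raw shared secret as a key: run it through a KDF. SHA-256 stands in
        // for a real KDF (HKDF, or the TLS PRF) only to keep this example short.
        return new byte[][] { kdf(secretA), kdf(secretB) };
    }

    static byte[] agree(KeyPair mine, PublicKey theirs) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine.getPrivate());
        ka.doPhase(theirs, true);
        return ka.generateSecret();
    }

    static byte[] kdf(byte[] secret) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(secret);
    }

    /** RSA key TRANSPORT: one side picks the symmetric key and encrypts it to the other's public
     *  key. Only the recipient needs a key pair, the sender stays anonymous, and a later compromise
     *  of the recipient's private key exposes every past session key (no forward secrecy). */
    static byte[][] rsaTransport() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair bob = gen.generateKeyPair();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();                 // Alice chooses the key alone

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, bob.getPublic());
        byte[] transported = rsa.doFinal(session.getEncoded()); // this is what travels

        Cipher rsaDec = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsaDec.init(Cipher.DECRYPT_MODE, bob.getPrivate());
        SecretKey recovered = new SecretKeySpec(rsaDec.doFinal(transported), "AES");

        return new byte[][] { session.getEncoded(), recovered.getEncoded() };
    }

    public static void main(String[] args) throws Exception {
        byte[][] dh = diffieHellman();
        System.out.println("DH:  both sides derived the same key: " + Arrays.equals(dh[0], dh[1]));
        byte[][] rsa = rsaTransport();
        System.out.println("RSA: recipient recovered the sender's key: " + Arrays.equals(rsa[0], rsa[1]));
        // What neither mechanism gives by itself is assurance of WHO you share the key with:
        // an active attacker can run DH with each side separately. Binding public values to
        // identities is the job of signatures and certificates, i.e. the PKI half of the course.
    }
}
```

Both `main` lines should print `true`. The practical difference the course is pointing at: DH with fresh (ephemeral) key pairs gives forward secrecy but authenticates nobody, while RSA transport needs only the recipient's certificate but ties every session to one long-term key; real protocols such as SSL/TLS and IPsec IKE combine one of these with signatures or certificates for exactly that reason.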
The following topics are covered in this tutorial:
Java Security Essentials—Part I
Dr. Sub Ramakrishnan (Bowling Green State University)
Java is a powerful object-oriented programming language. The Java Cryptography Extension (JCE) promises plug-in cryptographic libraries and seamless addition of a number of security components and services.
This tutorial provides an overview of the Java security model and the components required to build secure application systems using the Java framework. It introduces basic cryptographic mechanisms and describes how to install JCE and implement simple functions using the Java Cryptography Architecture (JCA).
Note: Tutorial M4, Java Security Essentials—Part II, is a follow-on to this tutorial. Part II provides code samples and discusses additional details of building secure applications using JCE.
Java Security Essentials—Part II
Dr. Sub Ramakrishnan (Bowling Green State University)
This tutorial provides an in-depth treatment of how Java is used to build secure stand-alone applications and applets that run over the World Wide Web. Specifically, the tutorial describes the JCE provider architecture and provides a comprehensive treatment of the components in JCE. Finally, the tutorial describes the mechanism for adding a new provider, which is how new algorithms are plugged into the framework.
Note: This tutorial builds on the concepts presented in Tutorial M3, Java Security Essentials: Part I, which introduced the Java security framework and gave an overview of basic encryption mechanisms. For those who choose to attend only Part II, a brief overview of the Part I material will be provided.
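The provider architecture that Part II describes, and the "simple functions using the JCA" that Part I mentions, in one runnable illustration added to this listing (it is not code from the tutorials). The provider name `DemoProvider`, the algorithm name `FNV1a-32`, and the class `JcaProviderDemo` are invented for the example; the engine classes, `Security.addProvider`, and the `getInstance` lookups are the real JCA/JCE API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** The JCA engine/provider split: callers ask for an algorithm by name, the framework walks
 *  the installed providers in priority order, and the first SPI class claiming that name wins. */
public class JcaProviderDemo {

    /** A Provider is essentially a map from "EngineType.Algorithm" to the SPI class name.
     *  "DemoProvider" and "FNV1a-32" are names made up for this example. */
    public static final class DemoProvider extends Provider {
        public DemoProvider() {
            super("DemoProvider", "1.0", "Example provider registering MessageDigest.FNV1a-32");
            put("MessageDigest.FNV1a-32", Fnv1a32.class.getName());
        }

        /** SPI class: must be public with a public no-arg constructor, because the framework
         *  instantiates it reflectively. FNV-1a is a checksum, not a cryptographic hash; it is
         *  used here only because it fits in a few lines. */
        public static final class Fnv1a32 extends MessageDigestSpi {
            private static final int OFFSET = 0x811c9dc5, PRIME = 0x01000193;
            private int h = OFFSET;

            @Override protected void engineUpdate(byte b) { h ^= (b & 0xff); h *= PRIME; }
            @Override protected void engineUpdate(byte[] in, int off, int len) {
                for (int i = off; i < off + len; i++) engineUpdate(in[i]);
            }
            @Override protected int engineGetDigestLength() { return 4; }
            @Override protected byte[] engineDigest() {
                byte[] out = { (byte) (h >>> 24), (byte) (h >>> 16), (byte) (h >>> 8), (byte) h };
                engineReset();
                return out;
            }
            @Override protected void engineReset() { h = OFFSET; }
        }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // addProvider appends at the lowest priority. insertProviderAt(p, 1) would make this
        // provider answer for every name it claims ahead of the platform providers, which is why
        // untrusted code must not be allowed to install providers.
        Security.addProvider(new DemoProvider());
        for (Provider p : Security.getProviders()) System.out.println("installed: " + p.getName());

        // 1. A name only our provider knows: the lookup lands in DemoProvider.
        MessageDigest fnv = MessageDigest.getInstance("FNV1a-32");
        byte[] d = fnv.digest("hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("FNV1a-32(\"hello\") = " + hex(d) + " via " + fnv.getProvider().getName());

        // 2. Same call shape for a built-in algorithm; a platform provider answers instead.
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        System.out.println("SHA-256 served by " + sha.getProvider().getName());

        // 3. Pin the provider explicitly when the choice matters (e.g. a validated crypto module).
        MessageDigest pinned = MessageDigest.getInstance("SHA-256", sha.getProvider().getName());
        System.out.println("pinned to " + pinned.getProvider().getName());

        // 4. The JCE engines (Cipher, KeyGenerator) resolve the same way: AES-256-GCM round trip.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                  // GCM needs a never-reused nonce per key
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("attack at dawn".getBytes(StandardCharsets.UTF_8));
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        System.out.println("AES-GCM via " + enc.getProvider().getName() + ": "
                + new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

Two things have changed since this tutorial was given: the separate JCE download and its "unlimited strength" policy files are gone (JCE has shipped inside the JDK since 1.4, and unlimited policy has been the default since Java 8u161 and Java 9), and the `Provider(String, String, String)` constructor used above is deprecated on current JDKs, though it still compiles and runs. The security point is unchanged: whichever provider is found first for a given algorithm name is the implementation your application actually uses, so provider order and who may alter it are part of the trusted computing base.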
Using the Common Criteria Version 2.1 - Advanced
Rich Walzer (The MITRE Corporation)
Based on hands-on application of the skills learned in the basic course, "Using the Common Criteria Version 2.1", this tutorial guides students through the development of a simple Protection Profile. A Target of Evaluation (TOE) description will be provided to the students, and throughout the remainder of the day the class will focus on developing the required content of a Protection Profile that ultimately describes the requirements for that TOE. Equal emphasis will be placed on the description of the Environment, the Objectives, the Requirements, and the Rationale.
NOTE: Students taking this course should have completed the related ACSAC tutorial, "Using the Common Criteria Version 2.1". Students desiring to take this course who have not completed the basic tutorial should have sufficient knowledge of the CC to understand the required content of a Protection Profile and must understand how to use Parts 2 and 3 of the Common Criteria Version 2.1.
An overview of this tutorial includes:
Web Security
Rolf Oppliger, Ph.D (Swiss Federal Strategy Unit for Information Technology (FSUIT))
With the proliferation of the World Wide Web (WWW) as a platform for electronic commerce and corresponding applications, Web security has become a major concern. In short, the term "Web security" refers to the procedures, practices, and technologies that can be used to protect Web servers and clients, as well as Web users and their surrounding organizations. This tutorial focuses mainly on the technologies that can be used to provide Web security (both access control and communication security services). In addition, it addresses related topics such as copyright protection, privacy protection and anonymity services, and censorship on the Web. The tutorial is intended for anyone who is seriously concerned about Web security, is in charge of security for a corporate network (e.g., an intranet or an extranet), or manages an organization that uses the Web as a platform for doing business on the Internet. Attendees will get an overview of the major topics relevant to the WWW and its security. The tutorial is organized as follows:
ATM Security
Prof. Dr. Christoph Ruland (University of Siegen)
ATM networks matter more than other network technologies because they support scalable data rates and a universal interface for all types of information traffic. From a security standpoint, however, ATM networks are neither more nor less secure than other networks. It is therefore necessary to offer additional security measures to protect users, user information, and the networks themselves against possible risks and attacks. For this reason the ATM Forum has developed specifications that describe how to integrate security into ATM networks.
This tutorial is based on the ATM Forum specifications that provide security for the user plane (responsible for the user data traffic) as well as for the control plane (responsible for the signaling traffic of call establishment, call control, etc.). It focuses on the following:
The tutorial starts with a short overview of ATM technology, so it can also be attended by people who are not yet familiar with ATM. It is directed at everyone who uses or plans to use ATM networks and wants to protect their networks and information.
Commercial Secure Messaging
Lisa Mitchell (The MITRE Corporation)
One of the most common methods of Internet and intranet communication is electronic mail. E-mail, unfortunately, suffers from a number of security concerns. An e-mail message is analogous to a postcard: anyone with access to a machine that handles the message can potentially read it. E-mail is easily intercepted; it can be read, altered, destroyed, or rerouted without the knowledge of the sender or the intended recipient. The equivalent of an envelope is needed to secure e-mail. A number of efforts, by individuals, commercial companies, and government, have been made toward providing this security envelope; of these, the most prevalent commercial solutions are Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/MIME).
This tutorial will discuss general issues behind securing e-mail, review the commercial solutions, discuss the efforts made at standardization, look more closely at a number of commercial clients that implement them, and explore issues such as usability and interoperability.
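The "envelope" the abstract asks for, reduced to the cryptographic operations that both PGP and S/MIME perform, as an illustration added to this listing (not code from the tutorial or from either standard). The class name `SealedMail`, the sample message, the names `alice` and `bob`, and the simple length-prefixed framing are choices made for the example; the real formats carry the same values inside OpenPGP packets or CMS structures, and S/MIME additionally ships the sender's certificate with the message.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Sign with the sender's private key, encrypt the body under a fresh symmetric key, and seal
 *  that key to the recipient's public key: the envelope that replaces the postcard. */
public class SealedMail {

    /** What actually travels over SMTP. Framing here is ad hoc; S/MIME uses CMS for this. */
    static final class Envelope {
        final byte[] sealedKey, iv, body;
        Envelope(byte[] sealedKey, byte[] iv, byte[] body) { this.sealedKey = sealedKey; this.iv = iv; this.body = body; }
    }

    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES_GCM = "AES/GCM/NoPadding";
    static final SecureRandom RNG = new SecureRandom();

    static Envelope seal(byte[] message, PrivateKey senderSigning, PublicKey recipientEnc) throws Exception {
        // Sign-then-encrypt: the signature sits inside the envelope, hidden along with the text.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(senderSigning);
        signer.update(message);
        byte[] sig = signer.sign();
        byte[] inner = ByteBuffer.allocate(4 + sig.length + message.length)
                .putInt(sig.length).put(sig).put(message).array();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey contentKey = kg.generateKey();             // fresh key for every message
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
        byte[] body = aes.doFinal(inner);                     // ciphertext followed by a 16-byte tag

        Cipher rsa = Cipher.getInstance(RSA_OAEP);           // one sealed copy per recipient in practice
        rsa.init(Cipher.ENCRYPT_MODE, recipientEnc);
        return new Envelope(rsa.doFinal(contentKey.getEncoded()), iv, body);
    }

    /** Returns the message if the envelope is intact and the signature verifies, otherwise null. */
    static byte[] open(Envelope env, PrivateKey recipientDec, PublicKey senderVerify) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.DECRYPT_MODE, recipientDec);
        SecretKey contentKey = new SecretKeySpec(rsa.doFinal(env.sealedKey), "AES");

        byte[] inner;
        try {
            Cipher aes = Cipher.getInstance(AES_GCM);
            aes.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(128, env.iv));
            inner = aes.doFinal(env.body);
        } catch (AEADBadTagException e) {
            return null;                                      // altered or corrupted in transit
        }
        ByteBuffer buf = ByteBuffer.wrap(inner);
        byte[] sig = new byte[buf.getInt()];
        buf.get(sig);
        byte[] message = new byte[buf.remaining()];
        buf.get(message);

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(senderVerify);
        verifier.update(message);
        return verifier.verify(sig) ? message : null;        // null: not signed by the claimed sender
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair alice = gen.generateKeyPair();               // sender's signing key pair
        KeyPair bob = gen.generateKeyPair();                 // recipient's encryption key pair

        byte[] msg = "Wire the funds today.".getBytes(StandardCharsets.UTF_8);   // constructed sample
        Envelope env = seal(msg, alice.getPrivate(), bob.getPublic());
        byte[] opened = open(env, bob.getPrivate(), alice.getPublic());
        System.out.println("opened: " + new String(opened, StandardCharsets.UTF_8));

        // A relay flips one bit of the body: the GCM tag fails before the signature is even checked.
        env.body[env.body.length / 2] ^= 0x01;
        System.out.println("tampered envelope opens to: " + open(env, bob.getPrivate(), alice.getPublic()));
    }
}
```

The first line prints the message and the second prints `null`. The parts this sketch leaves to the tutorial are the ones that decide interoperability and usability in practice: where Bob obtains Alice's public key and why he should trust it (certificates and a PKI for S/MIME, the web of trust for PGP), and the fact that the signed data does not name the recipient, so Bob can re-seal Alice's signed text to a third party who will see a valid signature from Alice; that property belongs to the real formats as well, not only to this example.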