Tutorial, Symposium, and Workshop Information
Mr. J. Garonzik & Mr. N. Laudermilch,
Registration Code: 01
Trident Data Systems
Standard products and conventions are publicly available to provide various levels of consistency, visibility, and assurance for TCP/IP networks and UNIX systems. This tutorial will provide the details of the most beneficial tools, an assessment of the difficulty in acquiring, porting, configuring, and deploying them, and their relationships, costs, and benefits. This tutorial is intended for those who must protect investments in Automated Information Systems (AIS). The level of UNIX, TCP/IP, and security technical content is moderate to high.
Dr. C. Michael, Registration Code: 02
Reliable Software Technologies Corporation
From a theoretical standpoint, reliability assessment, probability of failure assessment, mean-time-to-catastrophic-failure assessment (safety), and testability assessment all quantify characteristics needed in assuring trustworthiness. Many computer security researchers and policy makers are ill-informed as to what has occurred in assurance assessment in several of security's sister fields: reliability, testing, dependability, safety, and fault-tolerance. This tutorial will teach the basics of quantitative quality assessment and explain how other disciplines have been able to provide quantitative measures. It will focus heavily on the application of two classes of methods to security: (1) assertions as heuristics for design-for-security and detectability, and (2) fault-injection methods for vulnerability assessment.
Mr. G. Stoneburner, Registration Code: 03
Boeing Defense & Space Group
This tutorial presents both a methodology for achieving an enterprise-wide, distributed security architecture and the application of this methodology to one representative example of real-world, commercial information systems.
Mr. B. Hartman, Registration Code: 04
Odyssey Research Associates
Object technology (OT) is an important emerging paradigm supporting distributed computing. The Common Object Request Broker Architecture (CORBA), as promoted by the Object Management Group (OMG), is a standard set of interface specifications that supports interoperable distributed object-based computing. This tutorial describes the newly proposed CORBA security standard. CORBA Security is a framework that allows many different security and trust models. The framework is sufficiently flexible to allow both high-assurance label-based non-disclosure policies for DoD applications and commercially oriented policies that emphasize authentication and data integrity. This tutorial will discuss the conformance levels defined within the standard and how traditional security concepts apply to CORBA. The tutorial also addresses security issues of interest within a distributed object-based architecture, including delegation, security domains, and establishment of a security context.
Mr. S. LaFountain & Ms. L. Ambuel, Registration Code: 05
National Security Agency
This tutorial will provide an understanding of how the new international Common Criteria (CC) for Information Technology (IT) will be used to define complete and cohesive sets of IT security functional and assurance requirements, called Protection Profiles (PPs). It will provide information about the CC, how it was developed and how it will be used. The tutorial attendees will develop a sample PP using the CC. The attendees will be encouraged to use their real-life experiences in developing these sample PPs. This tutorial session will be the first public session in which the developers of the CC will provide detailed instructions on how users of the criteria will go through the steps of building PPs.
Dr. H. Podell, Registration Code: 06
This tutorial provides an overview of selected evolving security standards and applications. This overview includes security standards for open systems, such as the security in Electronic Data Interchange (EDI) standards for Message Handling Systems (MHS), and secure messaging specifications, X.400 and X.435. Security applications will be discussed in medical information systems, Executive Information Systems, and internetworking Privacy Enhanced Mail (PEM). Discussion focuses on architectural issues, secure messaging standards, PEM, public key applications, and medical information systems security issues. Basic familiarity with information security issues is a prerequisite.
Dr. C. Irvine, Registration Code: 07
Naval Postgraduate School
This tutorial will illustrate how, for a particular evaluation class, system design and implementation techniques along with additional evidence combine to create a coherent view of the level of trust one can place in a system's ability to enforce its access control policy. After a look at Class C2, Classes B2, B3 and A1 will be examined to see how the evaluation requirements combine to create a coherent combination of functionality and assurance. The application of assurance requirements to more complex systems such as databases and networks will be presented. The course will end with a discussion of some emerging evaluation approaches.
Dr. R. Oppliger, Registration Code: 08
Bundesamt fuer Informatik (BFI)
There are several authentication and key distribution systems currently available that can be used in computer networks and distributed systems to provide end-to-end security at the application layer. This tutorial motivates interest in the use of these systems on a global scale. Furthermore, the tutorial outlines the authentication and key distribution systems that are currently available, namely Kerberos (OSF DCE V1), NetSP, SPX, TESS and SESAME, and reviews them with regard to the security services they offer, the cryptographic techniques they use, their conformance with international standards, and their availability and exportability.
In cooperation with the ACSAC, the USAF and DISA are co-sponsoring an INFOWAR-Defend (IW-D) symposium to foster a better community understanding of DoD's IW-D initiatives at the mid to senior management levels. The symposium will exchange information regarding the DoD Services' and Agencies' roles in this new, emerging area. In addition, the goal is to identify how the DoD community can work together to ensure a highly-integrated and coordinated approach to IW-D.
The symposium is unclassified, but will be open to U.S. citizens only. No contractors other than those sponsored by DoD organizations will be allowed. For information about this symposium, including registration, contact Nancy Hancharik, 703/681-1344, DSN: 761-1344, e-mail: email@example.com.
Chair: H. Rubinovitz
Tuesday, December 12, 1995, 8:30 am - 4:30 pm
In recent years, electronic commerce (EC) has received much attention. Many of the EC issues are similar to their nonelectronic counterparts but require solutions to maintain their integrity. Using the Internet or other media for EC has great potential but also poses a number of special challenges due to its lack of security mechanisms. Until security is completely solved, people are unlikely to use this technology. Some of the areas utilizing EC are electronic currency, software copy protection, and publishing. Some of the issues are privacy, fraud, and legal issues. This workshop will focus on security issues associated with the implementation, deployment, and management of EC applications.
ACM's Special Interest Group on Security, Audit, and Control (SIGSAC) sponsors this workshop. Registration is requested, although there is no charge for the workshop. Papers are encouraged and will be published in SIGSAC Review.
Contact 617/271-3076, The MITRE Corporation, M/S A150, 202 Burlington Rd., Bedford, MA 01730, if you plan to attend.