Review the Program. Important Dates to Remember: See the quality. Join us at the Hotel Discount Deadline: Monday, January 5, 1998 Security Symposium. Pre-Registration Deadline: Monday, January 5, 1998 Papers Presented at USENIX Program at-a-Glance Conferences are Refereed. The refereed papers were reviewed by the Sunday, January 25 Program Committee and selected for their 6:00 pm – 9:00 pm On-Site Registration quality from a large number of submissions. We thank the Program Committee for their 6:00 pm – 9:00 pm Welcome Reception hard work. Monday, January 26 Program Committee 7:30 am – 5:00 pm On-Site Registration 9:00 am – 5:00 pm Tutorial Program and Lunch Program Chair Tuesday, January 27 Avi Rubin, AT&T Labs – Research Committee 7:30 am – 5:00 pm On-Site Registration Carlisle Adams, Entrust Technologies 9:00 am – 5:00 pm Tutorial Program and Lunch Dave Balenson, Trusted Information Systems 6:00 pm – 10:00 pm Birds-of-a-Feather Sessions Steve Bellovin, AT&T Labs – Research Wednesday, January 28 Dan Boneh, Stanford University Diane Coe, Concept Five Technologies 7:30 am – 5:00 pm On-Site Registration Ed Felten, Princeton University 9:00 am – 10:30 am Opening Remarks and Keynote Li Gong, JavaSoft 11:00 am – 5:30 pm USENIX Technical Sessions Peter Honeyman, CITI, University of Michigan Noon – 7:00 pm Security ’98 Exhibition Hugo Krawczyk, Technion Jack Lacy, AT&T Labs – Research 7:00 pm – 9:00 pm Symposium Reception Hilarie Orman, DARPA/ITO Thursday, January 29 Mike Reiter, AT&T Labs – Research David Wagner, University of California, Berkeley 8:30 am – 5:00 pm USENIX Technical Sessions Readers 10:00 am – 2:00 pm Security ’98 Exhibition Katherine T. Fithen, CERT Trent Jaeger, IBM Watson Labs Invited Talks Coordinator “The fact that people with Table of Contents Greg Rose, QUALCOMM Australia different backgrounds 4–7 and perspectives gave Tutorials 7–8 About the Speakers their vision made this 9 Exhibition symposium a very vivid, Questions? 10 Keynote Address Email: [email protected] rich, and colorful one.” 10–11 Technical Program Phone: 714.588.8649 12 About USENIX Fax: 714.588.9706 Magda De Jong, 13 Conference Activities & Services Updates: http://www.usenix.org/events/sec98/ 14 Hewlett-Packard, Hotel and Travel Information 15 Registration 1996 Attendee 2 TO REGISTER, USE THE FORM ON PAGE A Letter from the Program Chair Dear Colleague: selecting the best among 65 high-quality sub- I invite you to the USENIX Security missions. These reports of research and new Symposium. This is the place where you will implementations cover a wide range, including: hear, discuss, then put to use the latest research, ■ Security of mobile code well-thought-out approaches, and tools and ■ Electronic commerce in actuality: how techniques for practical system security. Take money is being made on the net home lessons from real-world security practice ■ Intrusion detection: implementations of on how to assess what needs protecting, from superior new systems whom, and how best to go about it. ■ Security of the world wide web As the 7th USENIX Security Symposium Alongside the refereed papers, you’ll find an This is the place “ approaches, we find ourselves in exciting times. incredible line-up of invited speakers: Bill where you will More and more companies are realizing the Cheswick; Daniel Geer; Arjen Lenstra; Alfred hear, discuss, importance of securing their networks, their Menezes; Clifford Neuman; JoAnn Perry; then put to data and their computers. Long-awaited Marcus Ranum; and Shabbir Safdar. This is electronic commerce is becoming a reality, and use the latest your chance to hear it from the real pioneers of people are actually making money on the net. our field. research, well- The advent of Java and other platform- Meet colleagues with similar interests at the thought-out independent languages has enabled computa- Tuesday Birds-of-a-Feather Session or present approaches, tional models that only existed in theory to be your own on-going research in the Work-In- and tools and rapidly developed and deployed. The inherent Progress Session. You’ll want to check out the techniques for security risks have jump-started researchers into Exhibition where vendors will be demonstrat- action. ing products they hope will help you practice practical system The conference kicks off with your opportu- security more efficiently and effectively. Give security.” nity for in-depth study. Choose among tutorials them your feedback on what works and what is led by Bruce Schneier, Carl Ellison, Daniel still needed. Geer, Jon Rochlis, Brad Johnson, Jim Duncan, Please join us. I hope to see you in San Gary McGraw, and Rik Farrow, all experienced, Antonio on January 26–29, 1998. respected instructors. You’ll master both theory and effective approaches and techniques in areas you need: Security on the Web; Windows NT Security; Certification; Java Security; Handling Aviel D. Rubin, Program Chair Security Incidents; Network Security Profiles; AT&T Labs – Research Introduction to Cryptography; and Internet For Security Symposium Program Committee Crypto Protocols. Expect to hear about the latest research. The Program Committee had the pleasure of PS: Register early for tutorials—they often fill up fast. You can use our on-line registration form: http://www.usenix.org/events/sec98/ R EGISTER ON-LINE AT: http://www.usenix.org/events/sec98/ 3 Tutorial Program Monday –Tuesday, January ‒, ecurity is one of the most urgent topics in Continuing Education Units today’s computing environments. USENIX USENIX provides Continuing Education Units (CEUs) Stutorials at Security ’98 provide you with the for a small additional administrative fee. The CEU is Gain command in-depth and immediately-useful instruction you a nationally recognized standard of unit of measure of the newest need to meet the demands. These tutorials survey for continuing education and training, and is used by security tools, the topic and then dive into the specifics of what- thousands of organizations. Each full-day USENIX to-do and how-to-do it. Instructors are well-known tutorial qualifies for 0.6 CEUs. You can request CEU techniques, and experts in their topics and selected with care for credit by completing the CEU section on the regis- approaches, then their ability to teach complex subjects. Attend the tration form. USENIX provides a certificate for each USENIX tutorials. attendee taking a tutorial for CEU credit and main- put them to tains transcripts for all CEU students. CEUs are not Our guarantee: If you’re not happy, we’re not the same as college credits. Consult your employer work in your happy. If you feel a tutorial does not meet the high or school to determine their applicability. organization standards you have come to expect from USENIX, let us know by the first break and we will change Register now to guarantee your first choice. Seating immediately. you to any available tutorial immediately. is limited. Register by January 5, and save $50. Tutorial Overview Full day tutorials run from 9:00 AM to 5:00 PM. Half-day tutorials, marked “AM” or “PM” run either from 9:00 AM to 12:30 PM or from 1:30 PM to 5:00 PM. Full-day tutorials may not be split. Monday, January 26 Tuesday, January 27 Register M1 Security on the World Wide Web T1 Handling Computer and Network early for M2 Windows NT Security Security Incidents T2 Network Security Profiles: M3AM Certification: Identity, Trust, tutorials — What Every Hacker Already Knows and Empowerment About You, and What To Do About It they often M4PM Towards Secure Executable Content: T3AM sell out. Java Security Using Cryptography T4PM Cryptography for the Internet Tutorial fees include: • Admission to the tutorials you select • Printed and bound tutorial materials Registration from your session Discount Deadline • Lunch Jan. 5th Hotel Discount Deadline • Admission to the Vendor Exhibition January 5th, 1998 4 FAX .. FOR MORE INFORMATION Tutorial Program Monday –Tuesday, January ‒, Monday, January 26 Windows NT is the result of an unusual couriers carrying keys between people to open marriage between disparate operating systems: secure channels. This suggestion has grown into a completely reworked replacement for Digital public key certificates, binding names to keys, M1 Security on the World Wide Equipment’s VMS and Windows 3.1. On the and to suggestions for national or global Public Web one hand, there are security features to satisfy Key Infrastructures (PKIs). Many people advo- the most avid control freak: centralized control Daniel Geer, CertCo, LLC, and cate using such certificates or PKIs without over user accounts, file sharing, desktop appear- realizing what they are getting in return. They Jon Rochlis, SystemExperts Corp. ance, fine grained object access, encryption, a take the word of professional cryptographers. Who should attend: Anyone responsible security monitor, and auditing sensitive enough Professional cryptographers, meanwhile, are for running a web site who wants the under- to capture most security related events. On the sloppy in their use of words (using “name” and stand the tradeoffs in making it secure. Anyone other hand, it provides support for an API that “identity” as if they were interchangeable) and seeking to understand how the web is likely to has been the main target for virus writers, and using “trust” without any qualifiers (as in “In be secured application programmers who have never even God We Trust”). considered the notion of security. In fact, each kind of certificate empowers The World Wide Web This tutorial explains the security mech- a public key in some way. This tutorial will “Excellent exe- is perhaps the most anisms in Windows NT, and how they can teach people how to identify what kind of cution of intro- important enabler (so best be used to improve the security of net- empowerment they need for their public keys to concept-to far) of electronic com- worked NT systems.