Internet Society Frontpage

Events Membership
About the Internet Standards
Publications  Public Policy
About ISOC Education


NDSS Symposium 2003

NDSS 2003

The 10th Annual Network and Distributed System Security Symposium
Catamaran Resort Hotel
San Diego, California
6-7 February 2003-Symposium
5 February 2003-Pre-Conference Tutorials
Patron Sponsor: National Security Agency


All tutorials take place on February 5, 2003

Lectures on Selected Topics in Information Security
Dr. Stephen Kent
Network Security Protocols and Current Standards
Radia Perlman, Charlie Kaufman
IPsec: It's simpler than you think!
John Ioannidis, Angelos Keromytis
Crash Course In SSL and TLS
Eric Rescorla
Wireless LAN Security: Problems and Solutions
Bill Arbaugh

Lectures on Selected Topics in Information Security presented by Dr. Stephen Kent

This tutorial consists of a series of lectures on selected topics in information security, presented by the speaker as invited talks at various fora around the world. The lectures include:

Biometrics: A System Security View
PKI Models: What's Trust Got to Do with It?
Improving Certification Authority Security Using Smart Crypto Modules
IPsec: It's Not Just Encryption
Designing Security Protocols
Securing the Border Gateway Protocol (BGP)

Dr. Stephen Kent, Chief Scientist - Information Security, BBN Technologies

In his role as Chief Scientist, Dr. Kent oversees information security activities within BBN Technologies, and works with government and commercial clients, consulting on system security architecture issues. In this capacity he has acted as system architect in the design and development of several network security systems for the Department of Defense and served as principal investigator on a number of network security R&D projects for 25 years.

During this period, Dr. Kent's R&D activities have included the design and development of user authentication and access control systems, network layer encryption and access control systems, secure transport layer protocols secure e-mail technology, multi-level secure (X.500) directory systems, public-key certification authority systems, and key recovery (key escrow) systems. His most recent work focuses on public-key certification infrastructures for government and commercial applications, security for Internet routing, very high speed IP encryption, and high assurance cryptographic modules.

The author of two book chapters and numerous technical papers on network security, Dr. Kent has served as a referee, panelist and session chair for a number of conferences. Since 1977 he has lectured on the topic of network security on behalf of government agencies, universities, and private companies throughout the United States, Europe, Australia, and the Far East. Dr. Kent received the B.S. degree in mathematics from Loyola University of New Orleans, and the S.M., E.E., and Ph.D. degrees in computer science from the Massachusetts Institute of Technology. He is a Fellow of the ACM and a member of the Internet Society and Sigma Xi.

Network Security Protocols and Current Standards presented by Radia Perlman and Charlie Kaufman

Abstract: This tutorial covers the concepts in network security protocols as well as describing the current standards. It approaches the problems first from a generic conceptual viewpoint, covering the problems and the types of technical approaches for solutions. For example, how would encrypted email work with distribution lists? What are the performance and security differences in basing authentication on public key technology versus secret key technology? What kinds of mistakes do people generally make when designing protocols?

Armed with a conceptual knowledge of the toolkit of tricks that allow authentication, encryption, key distribution, etc., we describe the current standards, including Kerberos, S/MIME, SSL, IPsec, PKI, and web security.

Detailed Syllabus:

  • What is the problem? A quick overview of why network security is needed (remote authentication, private and authenticated email, etc)
  • Overview of cryptography: public key, secret key, hash.
  • Secure email issues (including complications such as distribution lists). Also overview of S/MIME and PGP.
  • Key distribution (PKI and secret-key based systems such as Kerberos).
    In all these cases, you need to know a secret for yourself and at least one trusted party. How does the system get bootstrapped? How do you find a path across multiple trust domains to the target?
  • Kerberos details (including Microsoft Kerberos)
  • PKI details (including X.509 and PKIX)
  • Concepts in real-time protocols: authentication handshakes, perfect forward secrecy, session resumption, identity hiding, plausible deniability, denial of service protection. Implications of choosing "layer 3" approach (IPsec) vs "layer 4 approach" (SSL, SSH). How export rules have affected designs.
  • IPsec details: data packet formats (AH and ESP),
    IKE (key establishment protocol). Problems with IKE. Possible successors to IKE.
  • SSL
  • web: URLs, HTTP, cookies

Radia Perlman, Distinguished Engineer, Sun Microsystems

Radia Perlman is a Distinguished Engineer at Sun Microsystems. She is known for her contributions to bridging (spanning tree algorithm) and
routing (link state routing) as well as security (sabotage- proof networks). She is the author of "Interconnections: Bridges, Routers, Switches, and Internetworking Protocols", and co-author, with Charlie Kaufman, of Network Security: Private Communication in a Public World", two of the top 10
Networking reference books, according to Network Magazine. She is one of the 25 people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about 50 issued patents, an S.B. and S.M in mathematics and a Ph.D. in computer science from MIT and an
honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

Charlie Kaufman, Distinguished Engineer, IBM

Charlie Kaufman is a Distinguished Engineer at IBM, where he is Chief Security Architect for Lotus Notes, as well as consulting within IBM on other security-related areas. He currently serves on the IAB, the architecture board of the IETF. Within IETF he has contributed to a number of efforts, including chairing the Web Transaction Security working group, and being the editor of the new IKE document for IPsec. He has also contributed to sacred (secure credentials download) and DNSSEC. Previously he was Network Security Architect for Digital Equipment Corporation. He holds over 25 patents in the fields of computer security and computer networking.

IPsec: It's simpler than you think! presented by John Ioannidis and Angelos Keromytis

Who should attend:
Network administrators, system managers, developers of network applications, and anyone interested in network security. Some familiarity with networking principles is required, but cryptography is not.

About the tutorial:
The IPsec protocol suite provides network-layer security for the Internet and is an IETF standard. It is already widely used to implement Virtual Private Networks (VPNs), and is beginning to make its way into commercial implementations of desktop operating systems. IPsec offers a remarkable flexibility not possible at higher or lower layer abstractions: security can be configured end-to-end, route-to-route, edge-to-edge, or in any other configuration in which network nodes can be identified as appropriate security
endpoints. This flexibility however implies some associated complexity, which tends to obscure the usefulness of IPsec in engineering a secure Internet. This tutorial covers every feature of IPsec and its key management protocol, IKE, gives many real-life examples drawn from a variety of environments and operating systems, and aims to clear a lot of myths and misunderstandings about IPsec.

Justification of Network-layer security:
It is not an accident that we have developed a network-layer (rather than application-layer or link-layer) security protocol for the Internet; by securing IP, we can secure everything above and below.

Encapsulation, Tunneling, and Overlay Networks:
We digress a bit into a discussion of datagram encapsulation, tunneling, and overlay networks such as VPNs, the MBONE and 6BONE, in order to facilitate the understanding of how IPsec works.

The IPsec transforms (ESP and AH):
We present the actual IPsec transforms and their various options, give details of the packet formats, and explain exactly what is being secured, directly and by implication.

Transport and Tunnel modes:
More of an accident of nomenclature than a fundamental difference, there are two IPsec modes: `transport' and `tunnel.' We show which and how they are actually employed in peer-to-peer, remote access, VPN, and other usage cases.

Key Management:
The keys used by ESP and AH must be changed frequently. We explain why this is show, we discuss what is needed of a key setup protocol (automation, reliability, strong cryptographic properties, etc.).

IKE, the Internet Key Exchange protocol:
We present all the details of IKE, the modes in which it is used, and the feature negotiation it provides.

Interaction between IPsec/IKE and Firewall/NAT boxes:
Firewalls and NAT boxes are a fact of life, and we have to address them. We cover how IPsec/IKE interact with these boxes, and how to configure things so that security is maintained and the firewall policies are not circumvented.

We offer many examples of configuration files for a variety of operating systems, including Windows 2000. This can be an interactive presentation if we can carry enough laptops.

Performance considerations (software and hardware):
The argument ``IPsec is slow/no it isn't'' keeps getting repeated. We present actual performance numbers from a variety of implementations, and show that there is nothing to fear.

Comparison with TLS/SSL:
Why do we need IPsec when SSL/TLS is so widespread? We address the pros and cons and we hope this will not start a religious discussion.

About PKIs:
A lot has been said about the need for PKIs, and many people see their non-existence as a reason not to deploy IPsec. We debunk many of these myths, and show alternatives to the textbook PKI scenario.

Miscellaneous topics:
This is a catch-all heading for discussing issues such as error management, Path-MTU and tunnel interactions, IPSRA (IP Secure REmote Access), L2TP (Layer 2 Tunneling Protocol), IPv6, and other topics related to IPsec.

Future developments 1: Policy:
Neither ESP/AH nor IKE really address the issue of policy management. While this is still the subject of research and on-going discussion at the IETF, there is a need for negotiating and distributing policy information to IPsec nodes. We present some of the issues and solutions involved, as time permits.

Future developments 2: Additional Key Management protocols:
Since its very inception, IPsec was meant to be able to support multiple key management protocols. We discuss KINK, a Kerberos-based protocol, Photuris, a simpler precuror to IKE, and some of the recently suggested replacements for IKE.

John Ioannidis, Researcher, AT&T Labs

John Ioannidis is a researcher at AT\&T Labs -- Research. He has been
contributing in the IETF for over 10 years, and has been with the
IPsec effort since the very beginning. Among his contributions to
IPsec are the first SunOS, BSD and Linux implementations. He has also
worked on policy mechanisms for IPsec, and more recently on JFK, a
proposed successor to the Internet Key Exchange protocol. His many
research interests include security of large distributed systems,
wireless and mobile networking, micropayment systems, and high-speed
network monitoring.

Angelos Keromytis, Assistant Professor of Computer Science, Columbia University

Angelos Keromytis is an Assistant Professor of Computer Science at
Columbia University. He has been working on IPsec since 1995, both in
defining and refining the standards in the IETF, and in implementing
and measuring its performance. He developed the OpenBSD IPsec stack,
and wrote the first free implementations of the Photuris and IKE key
management protocols for IPsec. More recently, he has been working on
a proposed successor to IKE, named JFK, and has designed and
implemented a cryptographic acceleration framework for IPsec (and
other cryptography-heavy applications). His other research interests
include scalable access control mechanisms, security policy
composition and enforcement, and distributed system virtualization.

Crash Course In SSL and TLS presented by Eric Rescorla

This tutorial is an in-depth look at SSL and TLS. In this tutorial,
we'll cram as much SSL/TLS knowledge into your head as possible in a
single day. In the morning we'll cover the protocol itself, including
some exotic and badly documented details. After, lunch we'll discuss
what it's like to use SSL in real applications. Finally, we'll discuss
what's coming in future versions.

  1. The basic SSL handshake (i.e. server-only RSA)
  2. The major variants:
    1. Session resumption
    2. client authentication
    3. ephemeral RSA (export)
    4. SGC/Step-Up
    5. DSS/DH
    6. Rehandshake
  3. Known attacks
    1. PRNG -- (Wagner/Goldberg)
    2. Export ciphers and distributed cracking
    3. Million-message attack
    4. Some downgrade attacks
  4. Differences between different versions
    1. SSLv2
    2. SSLv3 vs. TLS
    3. WTLS
  5. Integration with HTTP
    1. virtual hosting
    2. proxies
    3. Upgrade and why it doesn't work well
    4. Using SSL with your HTTP server (mod_ssl, ApacheSSL, IIS...)
    5. Browser issues, especially certificates
  6. Integration with other protocols (problems with using SSL)
  7. Performance
    1. Algorithm choice
    2. Some bad design decisions in SSL
    3. Acceleration
    4. Implementation issues
  8. Programming with SSL
    1. Where to get an implementation
    2. Not as easy as it looks...
  9. Futures
    1. New algorithms
    2. Extensions
    3. Wireless (not WTLS)
Network Architects
Security engineers
Anyone who wants to understand SSL/TLS

Attendees should be familiar with TCP/IP. Familiarity with basic cryptography (encryption, public key, message digests, etc.) is desirable. We'll start with a brief primer on cryptography if a substantial portion of the class needs it.

Eric Rescorla, Principal Engineer, RTFM, Inc.

Eric Rescorla is Principal Engineer of RTFM, Inc., an independent security consulting firm. He has been working in Internet Security since 1993. He has been a member of the TLS working group from before the beginning and has written several commercial SSL implementations as well as the free Java toolkit PureTLS and the SSL protocol analyzer ssldump. He is the author of "SSL and TLS: Designing and Building Secure Systems" (Addison-Wesley 2000) as well as the RFCs defining Secure-HTTP and HTTP over TLS.

Wireless LAN Security: Problems and Solutions presented by Bill Arbaugh

Wireless local area networks (WLAN) based on the IEEE 802.11a/b/g standards are inexpensive and easy to deploy. As a result, a large number of organizations have installed WLAN's or are planning to install them in the near future. While the benefits of a WLAN are clear, the risks associated with them are just now becoming known. In this class, students will learn and see first hand what an attacker can do against a WLAN in both passive and active attacks. Once the student understands the threats against a WLAN, they will learn several approaches that can be implemented to mitigate the threats against deployed WLAN's, as well as how to design and deploy a new WLAN that mitigates the known threats. Next, simple auditing techniques for monitoring the security of a deployed WLAN will be described.

The class will contain several demonstrations of actual attacks, and the configuration of an open source server (RADIUS) to support WiFi Protected Access (WPA) and Robust Security Network (RSN) based infrastructures. The class will also include detailed configuration information for several commonly deployed access points, and operating system clients to use the IEEE 802.1X protocol and WPA (if vendor support available).

Tutorial Outline

  1. Why wireless security is different
  2. Introduction to 802.11 base protocol
  3. Wired Equivalent Privacy (WEP)
  4. Authentication (1999 standard)
  5. Access control (non-standard)
  6. Attacks against WEP, authentication, and access control
  7. Open source tools that facilitate cracking .11 networks
    1. Finding .11 networks, aka "war driving"
    2. WEP crackers
    3. Denial of service tools
  8. What you can do to mitigate the risks now
  9. WiFi Protected Access (WPA)
    1. TKIP
    2. MICHAEL
  10. IEEE 802.1X
  11. Robust Security Network (RSN)
    1. AES CCM
    2. AES OCB
    3. Key hierarchy
  12. RADIUS
  13. TLS
  14. EAP
    1. EAP-MD5
    2. EAP-TLS
    3. PEAP
  15. Inter-access point protocol (IAPP) and roaming issues
  16. Wireless and open source tools
    1. How to build and configure an open source AP
    2. How to install and configure open source servers
  17. Putting it all together
    1. Configuring common access points for IEEE 802.1X
    2. Configuring clients for IEEE 802.1X
  18. How to audit a wireless network
    1. Open source tools
    2. Commercial tools
  19. Intrusion detection and wireless networks
    1. Detecting war-drivers
    2. Detecting attacks
  20. Recent standards activities

Dr. William Arbaugh

Bill Arbaugh joined the Computer Science department at Maryland after spending sixteen years with the U.S. Department of Defense- first as a commissioned officer in the Army and then as a civilian. During the sixteen years, Prof. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Prof. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Prof. Arbaugh received a B.S. from the United States Military Academy at West Point, a M.S. in computer science from Columbia University in New York City, and a PhD in computer science from the University of Pennsylvania in Philadelphia. Prof. Arbaugh's research interests include information systems security and privacy with a focus on embedded systems and configuration management. In his limited spare time, Prof. Arbaugh enjoys spending time with his family and playing an occasional round of golf.