NDSS Symposium 1999
Network and Distributed System Security Symposium
Catamaran Resort Hotel
San Diego, California
03 February 1999 - Technical Tutorials
04 - 05 February 1999 - Symposium
Pre-Conference Technical Tutorials
(additional fee required)
Take your choice of five half-day and two full-day, highly-focused technical tutorials
conducted by security experts. Chock full of in-depth, practical information on current
and emerging security technologies, they complement the NDSS '99 Symposium, and can be an
important part of your professional development. The tutorials will give you a greater
understanding of theories, practices, real-world applications, and critical issues
involved in security on the Internet. Whatever your level of expertise, there's a course
that will help you shorten a learning curve. You'll leave with new ideas, options, and
plans to help you succeed in your job. The Tutorial schedule allows you to attend two
separate tutorials before the conference. Our line-up of outstanding educational programs
is intended for management, technical staff, network managers, and administrators. Select
the ones that are right for you and sign up today.
Tutorial Schedule
Wednesday, February 3, 1999
9:00am - 5:00pm
9:00am - 12:30pm
1:30pm - 5:00pm
Tutorial #1: Network Security Principles and Protocol Standards
Open network environments present a variety of security challenges. In this tutorial,
the instructor analyzes security issues in these network environments, from an
architectural perspective and via examination of cryptographic-based, standard security
protocols. The tutorial begins with a discussion of fundamental security concerns that
arise in internet environments. It introduces security terminology and explores security
services, with an eye toward their placement relative to protocol layers. Basic security
mechanisms are examined and their use in security protocols is demonstrated via a detailed
examination of two IETF standards: IPsec and TLS (SSL). Cryptographic key management
techniques, based on public-key certificate standards (X.509 v3), are also examined.
Instructor: Dr. Stephen Kent: Dr. Stephen Kent is the Chief Technical
Officer for CyberTrust Solutions and Chief Scientist, Information Security, of BBN
Technologies, part of GTE Internetworking, where he has been engaged in network security
R&D for over twenty years. He served on the Internet Architecture Board (IAB) for 10
years and on the board of directors for the International Association for Cryptologic
Research (IACR) for 7 years. He chaired the Privacy and Security Research Group in the
Internet Research Task Force (IRTF) and co-chairs the PKIX Working Group in the Internet
Engineering Task Force (IETF). He chaired the ACM Special Panel on Cryptography and Public
Policy, served on the U.S. Presidential SKIPJACK Review Panel, and chairs a technical
advisory committee on key recovery for the Secretary of Commerce. He has served as a panel
member, invited speaker, and on program committees for many security conferences and has
authored numerous technical articles and two book chapters. Dr. Kent received a masters
and a PhD in computer science from MIT, and is a fellow of the ACM.
Tutorial #3: Electronic Payment Systems
This half-day tutorial will cover several alternatives for payment on the Internet
including secure presentation of credit card numbers, electronic currency, and
credit-debit systems. The situations for which each approach is best suited will be
discussed, and the predominant examples of each approach described. Security issues and
fraud prevention will be stressed, and the security of different payment systems
discussed. The flow of funds through the system will be described for each model, and the
role of banks and other financial intermediaries discussed, along with who incurs risk
from fraud and failure to pay, and which parties need to be trusted. Transaction charges
and means of profit for financial intermediaries will also be covered. The steps needed
for integration of these payment systems with network applications will be described,
including the changes needed to web servers and changes needed, if any, to the web
browsers. Evolving standards will be covered. Approaches to integration with other network
applications will be discussed. The need for more standardization at the application -
payment service interface will be discussed.
Instructor: Dr. Clifford Neuman, USC/ISI: Dr. Neuman is a senior research
scientist at the Information Sciences Institute of the University of Southern California
(USC), a faculty member in the Computer Science Department at USC, and Chief Scientist for
CyberSafe Corporation. After receiving a Bachelor's degree from the Massachusetts
Institute of Technology in 1985 he worked for Project Athena where he was one of the
principal designers of the Kerberos authentication system. He received M.S. and Ph.D.
degrees from the University of Washington. Dr. Neuman's recent work includes the
development of a security infrastructure supporting authorization, accounting, and the
NetCheque® electronic payment system.
Tutorial #4: Windows NT Services, Authentication and Access Control
The tutorial will cover common Windows NT network services such
as file sharing and HTTP, how and when remote users are authenticated, and
how file and object security permissions affect the services. IIS 4.0 will
be used as an example service to illustrate points. The intended goal is to
give the attendee a better understanding of how NT security features
support network service security. There will also be a short discussion on
the limitations of NT 4.0 security features and how NT 5.0 will help solve
some of these issues.
Instructor: Dominique Brezinski: Dominique Brezinski is a
Network Security Professional at Secure Computing Corporation where he
provides secure network architecture, penetration testing, and security
assessment services. He previously worked for ISS, CyberSafe, and Microsoft
in NT security and networking related positions.
Tutorial #6: Web Security and Beyond: Protecting your Electronic Commerce Application
This half-day tutorial will cover the steps needed to secure an electronic commerce
application. Potential points of attack on Internet applications will be shown. Security
techniques that can be applied to protect such applications will be described. These
techniques, including encryption, authentication, authorization, firewalls, and other forms
of compartmentalization, can be applied at different layers of the system, and the benefits
and drawbacks to these approaches will be discussed. The most important step in protecting
an electronic commerce application is to think about the data to be protected, where it
will be stored, and who must have access to it. Examples of potential commerce
applications will be discussed, and scenarios for protection and attack will be used to
provide a more intuitive feel for some of the mistakes that can be made when implementing
such applications, and how to avoid them.
Instructor: Dr. Clifford Neuman, USC/ISI (biography as given under Tutorial #3).
Tutorial #7: Mobile Code Security and JAVA Architecture
Mobile code is code that traverses a network during its lifetime and is able to execute at
the destination machine. The idea behind mobile code is actually quite simple: sending
around data that can be automatically executed wherever it arrives, anywhere on the
network. The problem is this: running someone else's code on your computer is a risky
activity. Who is to say what the code might try to do and whether or not its activities
will be malicious? This is not a new problem by any stretch of the imagination. In fact,
it's really an old problem with a new twist. There are many well-known systems for
creating and using mobile code. From a security perspective, Java clearly leads the pack.
Java is especially cool since it is cross-platform, object oriented, network-savvy, and
uses modern memory management. In addition, Java's designers have attempted to create a
system that simultaneously ensures type safety, allows dynamic class loading, and offers
policy-based fine-grained access control built on stack inspection. This tutorial uses
Java as a case study of security architecture design. It covers both what works in the
Java security architecture and what doesn't. The talk discusses both the base sandbox
model from JDK 1.0.2 and the code-signing architecture of JDK 1.2.
Instructor: Dr. Gary McGraw, Reliable Software Technologies (RST): Gary
McGraw, Ph.D. is Vice President at Reliable Software Technologies. He holds a dual PhD in
Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from
UVa. Dr. McGraw is a noted authority on Java security and co-authored "Java Security:
Hostile Applets, Holes, & Antidotes" (John Wiley & Sons, 1996), with Prof. Ed
Felten of Princeton University. Their second book, "Securing Java: Getting down to
business with mobile code", will be published in Winter 1998. Along with RST
co-founder Dr. Jeff Voas, McGraw wrote "Software Fault Injection: Inoculating
Programs Against Errors" (Wiley, 1998). Dr. McGraw has also written over fifty
peer-reviewed technical publications. He is principal investigator on grants from Air
Force Research Labs, DARPA, and NIST's Advanced Technology Program.