NDSS Symposium 2003
The 10th Annual Network and Distributed System Security Symposium
Catamaran Resort Hotel
San Diego, California
6-7 February 2003 - Symposium
5 February 2003 - Pre-Conference Tutorials
Patron Sponsor: National Security Agency
All tutorials take place on February 5, 2003
Lectures on Selected Topics in Information Security
Dr. Stephen Kent
Network Security Protocols and Current Standards
Radia Perlman, Charlie Kaufman
IPsec: It's simpler than you think!
John Ioannidis, Angelos Keromytis
Crash Course In SSL and TLS
Eric Rescorla
Wireless LAN Security: Problems and Solutions
Bill Arbaugh
Lectures on Selected Topics in Information Security presented by Dr. Stephen Kent
This tutorial consists
of a series of lectures on selected topics in information security,
presented by the speaker as invited talks at various fora around the
world. The lectures include:
- Biometrics: A System Security View
- PKI Models: What's Trust Got to Do with It?
- Improving Certification Authority Security Using Smart Crypto Modules
- IPsec: It's Not Just Encryption
- Designing Security Protocols
- Securing the Border Gateway Protocol (BGP)
Dr. Stephen Kent, Chief Scientist - Information Security, BBN Technologies
In his role as
Chief Scientist, Dr. Kent oversees information security activities within
BBN Technologies, and works with government and commercial clients,
consulting on system security architecture issues. In this capacity
he has acted as system architect in the design and development of several
network security systems for the Department of Defense and served as
principal investigator on a number of network security R&D projects
for 25 years.
During this period,
Dr. Kent's R&D activities have included the design and development
of user authentication and access control systems, network layer encryption
and access control systems, secure transport layer protocols, secure
e-mail technology, multi-level secure (X.500) directory systems, public-key
certification authority systems, and key recovery (key escrow) systems.
His most recent work focuses on public-key certification infrastructures
for government and commercial applications, security for Internet routing,
very high speed IP encryption, and high assurance cryptographic modules.
The author of two
book chapters and numerous technical papers on network security, Dr.
Kent has served as a referee, panelist and session chair for a number
of conferences. Since 1977 he has lectured on the topic of network security
on behalf of government agencies, universities, and private companies
throughout the United States, Europe, Australia, and the Far East. Dr.
Kent received the B.S. degree in mathematics from Loyola University
of New Orleans, and the S.M., E.E., and Ph.D. degrees in computer science
from the Massachusetts Institute of Technology. He is a Fellow of the
ACM and a member of the Internet Society and Sigma Xi.
Network Security Protocols and Current Standards presented
by Radia Perlman and Charlie Kaufman
Abstract: This tutorial
covers the concepts in network security protocols as well as describing
the current standards. It approaches the problems first from a generic
conceptual viewpoint, covering the problems and the types of technical
approaches for solutions. For example, how would encrypted email work
with distribution lists? What are the performance and security differences
in basing authentication on public key technology versus secret key
technology? What kinds of mistakes do people generally make when designing
Armed with a conceptual
knowledge of the toolkit of tricks that allow authentication, encryption,
key distribution, etc., we describe the current standards, including
Kerberos, S/MIME, SSL, IPsec, PKI, and web security.
- What is the problem? A quick overview of why network security is needed
(remote authentication, private and authenticated email, etc.)
- Overview of cryptography: public key, secret key, hash.
- Secure email issues (including complications such as distribution lists). Also overview of S/MIME and PGP.
- Key distribution (PKI and secret-key based systems such as Kerberos).
In all these cases, you need to know a secret for yourself and at
least one trusted party. How does the system get bootstrapped? How
do you find a path across multiple trust domains to the target?
- Kerberos details (including Microsoft Kerberos)
- PKI details (including X.509 and PKIX)
- Concepts in real-time
protocols: authentication handshakes, perfect forward secrecy, session
resumption, identity hiding, plausible deniability, denial of service
protection. Implications of choosing a "layer 3" approach (IPsec)
vs. a "layer 4" approach (SSL, SSH). How export rules have affected
- IPsec details: data packet formats (AH and ESP), IKE (key establishment protocol). Problems with IKE. Possible successors
- web: URLs, HTTP, cookies
Radia Perlman, Distinguished Engineer, Sun Microsystems
Radia Perlman is a Distinguished Engineer at Sun Microsystems. She is
known for her contributions to bridging (spanning tree algorithm) and
routing (link state routing) as well as security (sabotage-proof networks).
She is the author of "Interconnections: Bridges, Routers, Switches,
and Internetworking Protocols", and co-author, with Charlie Kaufman,
of "Network Security: Private Communication in a Public World",
two of the top 10 networking reference books, according to Network Magazine. She is one
of the 25 people whose work has most influenced the networking industry,
according to Data Communications Magazine. She has about 50 issued patents,
an S.B. and S.M. in mathematics and a Ph.D. in computer science from
MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.
Charlie Kaufman, Distinguished Engineer, IBM
Charlie Kaufman is a Distinguished Engineer at IBM, where he is Chief Security Architect
for Lotus Notes, as well as consulting within IBM on other security-related
areas. He currently serves on the IAB, the architecture board of the
IETF. Within IETF he has contributed to a number of efforts, including
chairing the Web Transaction Security working group, and being the editor
of the new IKE document for IPsec. He has also contributed to sacred
(secure credentials download) and DNSSEC. Previously he was Network
Security Architect for Digital Equipment Corporation. He holds over
25 patents in the fields of computer security and computer networking.
IPsec: It's simpler than you think! presented by John Ioannidis
and Angelos Keromytis
Who should attend:
Network administrators, system managers, developers of network applications,
and anyone interested in network security. Some familiarity with networking
principles is required, but cryptography is not.
About the tutorial:
The IPsec protocol suite provides network-layer security for the Internet
and is an IETF standard. It is already widely used to implement Virtual
Private Networks (VPNs), and is beginning to make its way into commercial
implementations of desktop operating systems. IPsec offers a remarkable
flexibility not possible at higher or lower layer abstractions: security
can be configured end-to-end, route-to-route, edge-to-edge, or in any
other configuration in which network nodes can be identified as appropriate
endpoints. This flexibility however implies some associated complexity,
which tends to obscure the usefulness of IPsec in engineering a secure
Internet. This tutorial covers every feature of IPsec and its key management
protocol, IKE, gives many real-life examples drawn from a variety of
environments and operating systems, and aims to clear a lot of myths
and misunderstandings about IPsec.
Justification of Network-layer security:
It is not an accident that we have developed a network-layer (rather
than application-layer or link-layer) security protocol for the Internet;
by securing IP, we can secure everything above and below.
Encapsulation, Tunneling, and Overlay Networks:
We digress a bit into a discussion of datagram encapsulation, tunneling,
and overlay networks such as VPNs, the MBONE and 6BONE, in order to
facilitate the understanding of how IPsec works.
The IPsec transforms (ESP and AH):
We present the actual IPsec transforms and their various options, give
details of the packet formats, and explain exactly what is being secured,
directly and by implication.
Transport and Tunnel modes:
More of an accident of nomenclature than a fundamental difference, there
are two IPsec modes: 'transport' and 'tunnel'. We show which mode is
actually employed, and how, in peer-to-peer, remote access, VPN, and
other usage cases.
The keys used by ESP and AH must be changed frequently. We explain why
this is so, and we discuss what is needed of a key setup protocol (automation,
reliability, strong cryptographic properties, etc.).
IKE, the Internet Key Exchange protocol:
We present all the details of IKE, the modes in which it is used, and
the feature negotiation it provides.
Interaction between IPsec/IKE and Firewall/NAT boxes:
Firewalls and NAT boxes are a fact of life, and we have to address them.
We cover how IPsec/IKE interact with these boxes, and how to configure
things so that security is maintained and the firewall policies are
We offer many examples of configuration files for a variety of operating
systems, including Windows 2000. This can be an interactive presentation
if we can carry enough laptops.
Performance considerations (software and hardware):
The argument "IPsec is slow/no it isn't" keeps getting repeated. We
present actual performance numbers from a variety of implementations,
and show that there is nothing to fear.
Comparison with TLS/SSL:
Why do we need IPsec when SSL/TLS is so widespread? We address the pros
and cons and we hope this will not start a religious discussion.
A lot has been said about the need for PKIs, and many people see their
non-existence as a reason not to deploy IPsec. We debunk many of these
myths, and show alternatives to the textbook PKI scenario.
This is a catch-all heading for discussing issues such as error management,
Path-MTU and tunnel interactions, IPSRA (IP Secure Remote Access), L2TP
(Layer 2 Tunneling Protocol), IPv6, and other topics related to IPsec.
Future developments 1: Policy:
Neither ESP/AH nor IKE really address the issue of policy management.
While this is still the subject of research and on-going discussion
at the IETF, there is a need for negotiating and distributing policy
information to IPsec nodes. We present some of the issues and solutions
involved, as time permits.
Future developments 2: Additional Key Management protocols:
Since its very inception, IPsec was meant to be able to support multiple
key management protocols. We discuss KINK, a Kerberos-based protocol,
Photuris, a simpler precursor to IKE, and some of the recently suggested
replacements for IKE.
John Ioannidis, Researcher, AT&T Labs
John Ioannidis is a researcher at AT&T Labs - Research. He has been
contributing in the IETF for over 10 years, and has been with the
IPsec effort since the very beginning. Among his contributions to
IPsec are the first SunOS, BSD and Linux implementations. He has also
worked on policy mechanisms for IPsec, and more recently on JFK, a
proposed successor to the Internet Key Exchange protocol. His many
research interests include security of large distributed systems,
wireless and mobile networking, micropayment systems, and high-speed
Angelos Keromytis, Assistant Professor of Computer Science, Columbia University
Angelos Keromytis is an Assistant Professor of Computer Science at
Columbia University. He has been working on IPsec since 1995, both in
defining and refining the standards in the IETF, and in implementing
and measuring its performance. He developed the OpenBSD IPsec stack,
and wrote the first free implementations of the Photuris and IKE key
management protocols for IPsec. More recently, he has been working on
a proposed successor to IKE, named JFK, and has designed and
implemented a cryptographic acceleration framework for IPsec (and
other cryptography-heavy applications). His other research interests
include scalable access control mechanisms, security policy
composition and enforcement, and distributed system virtualization.
Crash Course In SSL and TLS presented by Eric Rescorla
This tutorial is
an in-depth look at SSL and TLS. In this tutorial,
we'll cram as much SSL/TLS knowledge into your head as possible in a
single day. In the morning we'll cover the protocol itself, including
some exotic and badly documented details. After lunch, we'll discuss
what it's like to use SSL in real applications. Finally, we'll discuss
what's coming in future versions.
- basic SSL handshake (i.e. server-only RSA)
- The major variants:
- Session resumption
- client authentication
- ephemeral RSA (export)
- Known attacks
- PRNG -- (Wagner/Goldberg)
- Export ciphers and distributed cracking
- Million-message attack
- Some downgrade attacks
- Differences between different versions
- SSLv3 vs. TLS
- Integration with HTTP
- virtual hosting
- Upgrade and why it doesn't work well
- Using SSL with your HTTP server (mod_ssl, ApacheSSL, IIS...)
- Browser issues, especially certificates
- Integration with other protocols (problems with using SSL)
- Algorithm choice
- Some bad design decisions in SSL
- Implementation issues
- Programming with SSL
- Where to get an implementation
- Not as easy as it looks...
- New algorithms
- Wireless (not WTLS)
Anyone who wants to understand SSL/TLS
Attendees should be familiar with TCP/IP. Familiarity with basic cryptography
(encryption, public key, message digests, etc.) is desirable. We'll
start with a brief primer on cryptography if a substantial portion of
the class needs it.
Eric Rescorla, Principal Engineer, RTFM, Inc.
Eric Rescorla is Principal Engineer of RTFM, Inc., an independent security
consulting firm. He has been working in Internet Security since 1993.
He has been a member of the TLS working group from before the beginning
and has written several commercial SSL implementations as well as the
free Java toolkit PureTLS and the SSL protocol analyzer ssldump. He
is the author of "SSL and TLS: Designing and Building Secure Systems"
(Addison-Wesley 2000) as well as the RFCs defining Secure-HTTP and HTTP
Wireless LAN Security: Problems and Solutions
presented by Bill Arbaugh
Wireless local area
networks (WLAN) based on the IEEE 802.11a/b/g standards are inexpensive
and easy to deploy. As a result, a large number of organizations have
installed WLANs or are planning to install them in the near future.
While the benefits of a WLAN are clear, the risks associated with them
are just now becoming known. In this class, students will learn and
see first hand what an attacker can do against a WLAN in both passive
and active attacks. Once the student understands the threats against
a WLAN, they will learn several approaches that can be implemented to
mitigate the threats against deployed WLANs, as well as how to design
and deploy a new WLAN that mitigates the known threats. Next, simple
auditing techniques for monitoring the security of a deployed WLAN will
The class will contain
several demonstrations of actual attacks, and the configuration of an
open source server (RADIUS) to support WiFi Protected Access (WPA) and
Robust Security Network (RSN) based infrastructures. The class will
also include detailed configuration information for several commonly
deployed access points, and operating system clients to use the IEEE
802.1X protocol and WPA (if vendor support is available).
- Why wireless security is different
- Introduction to 802.11 base protocol
- Wired Equivalent Privacy (WEP)
- Authentication (1999 standard)
- Access control (non-standard)
- Attacks against WEP, authentication, and access control
- Open source tools that facilitate cracking .11 networks
- Finding .11 networks, aka "war driving"
- WEP crackers
- Denial of service tools
- What you can do to mitigate the risks now
- WiFi Protected Access (WPA)
- IEEE 802.1X
- Robust Security Network (RSN)
- AES CCM
- AES OCB
- Key hierarchy
- Inter-access point protocol (IAPP) and roaming issues
- Wireless and open source tools
- How to build and configure an open source AP
- How to install and configure open source servers
- Putting it all together
- Configuring common access points for IEEE 802.1X
- Configuring clients for IEEE 802.1X
- How to audit a wireless network
- Open source tools
- Commercial tools
- Intrusion detection and wireless networks
- Detecting war-drivers
- Detecting attacks
- Recent standards activities
Dr. William Arbaugh
Bill Arbaugh joined
the Computer Science department at Maryland after spending sixteen years
with the U.S. Department of Defense, first as a commissioned officer
in the Army and then as a civilian. During the sixteen years, Prof.
Arbaugh served in several leadership positions in diverse areas ranging
from tactical communications to advanced research in information security
and networking. In his last position, Prof. Arbaugh served as a senior
technical advisor in an office of several hundred computer scientists,
engineers, and mathematicians conducting advanced networking research
and engineering. Prof. Arbaugh received a B.S. from the United States
Military Academy at West Point, an M.S. in computer science from Columbia
University in New York City, and a Ph.D. in computer science from the
University of Pennsylvania in Philadelphia. Prof. Arbaugh's research
interests include information systems security and privacy with a focus
on embedded systems and configuration management. In his limited spare
time, Prof. Arbaugh enjoys spending time with his family and playing
an occasional round of golf.