SESC Home

Computer Security

  • Authentication - Documents related to authentication of users, communications, and hosts.
  • Criteria - Documents related to security evaluation criteria for computer systems and protocols.
  • Cryptography - Documents related to cryptographic protocols and methods.
  • Firewall - Documents related to the construction and use of network firewalls.
  • General - Documents that cover computer security in general and other miscellaneous topics.
  • Legal - Documents related to computer security, the law, and ethics.
  • Password - Documents related to passwords.
  • Protocol - Documents related to the design of secure network protocols, and to the security analysis of existing protocols.
  • Unix - Documents related to the security of the UNIX operating system.
  • Virus - Documents related to computer viruses, worms, etc.

Authentication

Kerberos: An Authentication Service for Open Network Systems
A description of the Kerberos authentication system.
Designing an Authentication System: A Dialogue in Four Scenes
A "play" in which the characters end up designing an authentication system much like Kerberos. Provides an easy-to-understand description of why Kerberos is the way it is.
Limitations of the Kerberos Authentication System
A description of some limitations and weaknesses in the Kerberos authentication system. [149544 bytes]
KryptoKnight Authentication and Key Distribution System
An authentication and key distribution system that provides facilities for secure communication in any type of network environment. [201269 bytes]
Long Running Jobs in an Authenticated Environment
A system for running batch jobs in an environment in which users must have tokens or tickets to run. [78855 bytes]
A Note on the Use of Timestamps as Nonces
A note on the use of timestamps in authentication protocols. [109429 bytes]

Evaluation Criteria

Canadian Trusted Computer Product Evaluation Criteria, Part 1
The Canadian "Orange Book." [101576 bytes]
Canadian Trusted Computer Product Evaluation Criteria, Part 2
The Canadian "Orange Book." [1064802 bytes]
Executive Guide to the Protection of Information Resources
A U.S. National Institute of Standards and Technology publication. [22980 bytes]
Federal Criteria for Information Technology Security, Volume 1
The new "Orange Book." [1036178 bytes]
Federal Criteria for Information Technology Security, Volume 2
The new "Orange Book." [914915 bytes]
Green Book on the Security of Information Systems
A document that sets out the development of a consistent approach to Information Security in Europe, taking into account common interests with other countries. [366303 bytes]
Foundations for the Harmonization of Information Technology Security Standards
An analysis of the differences between the U.S., Canadian, and European Information Technology Security efforts, and discussions of how to make them more similar. [184486 bytes]
Horses and Barn Doors: Evolution of Corporate Guidelines for Internet Usage
A description of how Intel Corp.'s Internet usage policies were developed. [143958 bytes]
Guidelines for the Secure Operation of the Internet - RFC 1281
Provides a set of guidelines to aid in the secure operation of the Internet. [22618 bytes]
Information Technology Security Evaluation Criteria
The European "Orange Book." [298257 bytes]
Management Guide to the Protection of Information Resources
A U.S. National Institute of Standards and Technology publication. [23917 bytes]
Open Systems Security: An Architectural Framework
Thesis dissertation presenting an architecture for building secure open systems communication via untrusted global data networks. [453282 bytes]
Protection and Security Issues for Future Systems
An examination of the problems of protection and security as applied to future computer systems. [145068 bytes]
Relating Functionality Class and Security Sub-Profile Specifications
A discussion of various alternatives for associating functionality class and security sub-profile specifications, such as those presented in the Federal Criteria (fcvol1.ps and fcvol2.ps). [178872 bytes]
Department of Defense Trusted Computer System Evaluation Criteria
The "Orange Book." [277123 bytes]

Cryptography

Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy (PS)
A report of a special panel of the ACM (Association for Computing Machinery) U.S. Public Policy Committee. [448035 bytes]
Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise
An extension of the protocol described in neke.ps that removes the requirement that the host store passwords in cleartext. [109570 bytes]
A Cryptographic File System for Unix
A description of a UNIX file system implementation that provides transparent encryption and decryption of files stored on the disk. [112302 bytes]
Key Management in an Encrypting File System
A description of how "smart cards" can be used to manage the keys used by the encryption file system described in cfs.ps. [107969 bytes]
A High-Speed Software DES Implementation
Describes a high-speed software implementation of the Data Encryption Standard. [166479 bytes]
Using Content-Addressable Search Engines to Encrypt and Break DES
A very simple parallel architecture using a modified version of content-addressable memory can be used to cheaply and efficiently encipher and decipher data with DES-like systems. Describes how to implement these systems, and also how to construct a large scale engine for exhaustively searching the keyspace of DES. [145306 bytes]
Protocol Failure in the Escrowed Encryption Standard
A description of some protocol weaknesses in the Clinton administration's Escrowed Encryption Standard, also known as the Clipper Chip. [143145 bytes]
Why Cryptosystems Fail
A survey of the failure modes of retail banking systems, the second largest application of cryptography. [203300 bytes]
Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks
A combination of public- and private-key cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network. The protocol is secure against active attack, and also against off-line "dictionary" attacks. [189798 bytes]

Public-Key Cryptography Standards from RSA Laboratories

Some Examples of the PKCS Standards [125630 bytes]
A Layman's Guide to a Subset of ASN.1, BER, and DER [376834 bytes]
An Overview of the PKCS Standards [274943 bytes]
RSA Encryption Standard [189782 bytes]
Deprecated [12426 bytes]
Diffie-Hellman Key-Agreement Standard [84836 bytes]
Deprecated [12508 bytes]
Password-Based Encryption Standard [88413 bytes]
Extended-Certificate Syntax Standard [83767 bytes]
Cryptographic Message Syntax Standard [286102 bytes]
Private-Key Information Syntax Standard [38955 bytes]
Selected Attribute Types [88579 bytes]
Certification Request Syntax Standard [62716 bytes]
Network Security via Private-Key Certificates
Some practical security protocols that use private-key encryption in the public-key style. [59489 bytes]
Answers to Frequently Asked Questions About Today's Cryptography [1441358 bytes]
Cryptography FAQ [120468 bytes]
SKIPJACK Review: Interim Report: The SKIPJACK Algorithm
The report from the group of non-government cryptologists who reviewed the classified SKIPJACK encryption algorithm used in the Clinton administration's Clipper and Capstone chips. [27036 bytes]
The Architecture and Implementation of Network Layer Security Under Unix
A description of a network-layer security protocol for the IP protocol suite that provides authentication, integrity, and confidentiality of IP datagrams. [124254 bytes]
Visa Protocols for Controlling Inter-Organizational Datagram Flow
A cryptographic method for authenticating and authorizing a flow of datagrams. [235053 bytes]
Visa Protocols for Controlling Inter-Organizational Datagram Flow: Extended Description
A cryptographic method for authenticating and authorizing a flow of datagrams. [339724 bytes]

Firewall

Packet Filtering in an IP Router
A description of how the packet filtering facility in the Telebit NetBlazer was designed and developed. [80467 bytes]
A Network Firewall
A description of Digital Equipment Corporation's network firewall between its corporate network and the Internet. [374064 bytes]
Thinking About Firewalls (PS)
A description of some of the considerations and trade-offs in designing network firewalls. [197868 bytes]
An Internet Gatekeeper
A description of how to construct an Internet firewall. [148666 bytes]
The Design of a Secure Internet Gateway
A description of the design of the firewall used by AT&T to protect their corporate network from the Internet. [42373 bytes]
A Network Perimeter With Secure External Access
A description of the firewall in use at whitehouse.gov. [268510 bytes]
Packets Found on an Internet
A description of the types of packets, particularly the anomalous ones, that appeared at the AT&T firewall. [102918 bytes]
Network (In)Security Through IP Packet Filtering
A description of how to use the packet filtering features of commercial routers as a security tool. [123151 bytes]
Simple and Flexible Datagram Access Controls for Unix-based Gateways
A description of the screened packet filtering system. [133159 bytes]
TCP Wrapper: Network Monitoring, Access Control, and Booby Traps (Text)
A description of the author's tcpwrapper software. [58952 bytes]
A Toolkit and Methods for Internet Firewalls (PS)
A description of the Trusted Information Systems Firewall Toolkit. [185431 bytes]
An Architectural Overview of UNIX Network Security
A description of a number of UNIX-related components of network security, particularly as they pertain to firewalls. [125171 bytes]
X Through the Firewall, and Other Application Relays
A description of how to create application-specific relays to pass traffic through a network firewall. [430237 bytes]

General

An Evening With Berferd: In Which a Cracker is Lured, Endured, and Studied
A description of how the author kept an attacker "on the line" for several months in order to learn his methods. [81747 bytes]
Computer Emergency Response - An International Problem
A call for international cooperation between computer emergency response teams, and suggested methods for achieving it. [160110 bytes]
Compromise: What if Your Machines are Compromised by an Intruder
Suggestions for securing a system after it has already been compromised. [~80000 bytes]
There Be Dragons
A description of the wide variety of attacks attempted on the AT&T Internet firewall. [185040 bytes]
Establishing a Computer Security Incident Response Capability
Procedures and issues for establishing a computer security incident response team. [292992 bytes]
Software Forensics: Can We Track Code to its Authors?
An idea that it may be possible to identify the authors of malicious software by the style and features of their programs. [55685 bytes]
How to Set Up a Secure Anonymous FTP Site
Methods for numerous different operating systems.
Security Breaches: Five Recent Incidents at Columbia University
A detailed account of five break-ins at Columbia University, and the steps taken to stop them. [93312 bytes]
The Social Organization of the Computer Underground
The author's thesis for a master's degree in sociology. [148104 bytes]
Site Security Handbook - RFC 1244
The product of the Site Security Policy Handbook Working Group of the Internet Engineering Task Force. [253471 bytes]
Computer Break-ins: A Case Study
A study of multiple break-in attempts at Vrije Universiteit in Amsterdam. [94107 bytes]
Electronic Currency for the Internet
A framework for electronic currency for the Internet that provides a real-time electronic payment system. [71547 bytes]
NetCash: A Design for Practical Electronic Currency on the Internet
A framework for electronic currency for the Internet that provides a real-time electronic payment system. [197412 bytes]
Computer User's Guide to the Protection of Information Resources
A report from the U.S. National Institute of Standards and Technology. [15703 bytes]
An Introduction to Computer Security: The NIST Handbook (part 1) (part 2) (part 3) (part 4) (part 5)
A publication of the U.S. National Institute of Standards and Technology. This is a draft copy, included with permission.
Security Patches FAQ for Your System: The Patch List
A list of security patches for most any operating system, and how to obtain them. [~11684 bytes]
Proxy-Based Authorization and Accounting for Distributed Systems
A method to support both authorization and accounting in a distributed environment. [157835 bytes]
Pseudo-Network Drivers and Virtual Networks
A method for creating pseudo-networks, much like the pseudo-terminals in use on many UNIX systems. [86678 bytes]
Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery
A basic text for the author's one-day seminar on the practical aspects of computer security in an unclassified networked environment. [293589 bytes]
Automated Tools for Testing Computer System Vulnerability
Discusses some of the automated tools for checking the security of a wide variety of systems. [309577 bytes]
Vendor Security Contacts: Reporting Vulnerabilities and Obtaining New Patches
Contact names, numbers, and addresses for most major operating systems. [~13970 bytes]

Legal

Defamation Liability of Computerized Bulletin Board Operators and Problems of Proof
A discussion of the libel and slander laws, and how they apply to bulletin board operators.
Complete text of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030.
Frequently Asked Questions About Copyright
Computer Security and the Law
A review of legal issues surrounding computer security, for the system administrator.
Cubby v. CompuServe
The complete text of the judge's decision in the Cubby v. CompuServe libel case, in which CompuServe was found not to be responsible for material posted on one of their bulletin boards.
Complete text of the Electronic Communications Privacy Act of 1986, United States Public Law 99-508.
E-Law: Legal Issues Affecting Computer Information Systems and System Operator Liability
First appeared in the Albany Law Journal of Science and Technology, Volume 3, Number 1.
Are Computer Hacker Break-ins Ethical?
Lists and refutes many of the reasons given to justify computer break-ins.
The complete text of the U.S. Family Educational Right to Privacy Act (the Buckley Amendment), 20 U.S.C.
Information about the computer crime laws in France.
Legal Issues, A Site Manager's Nightmare
Examines the legal ramifications of computer security laws on system administrators.
Internet Libel: Is the Provider Responsible?
An examination of the Cubby v. CompuServe case as it applies to Internet service providers.
Computer Electronic Mail and Privacy
A discussion of the Electronic Communications Privacy Act as it applies to electronic mail.
Some Musings on Ethics and Computer Break-Ins
A discussion of ethics and responsibility, particularly as they pertain to the Internet Worm of November, 1988.
Complete text of the Privacy Act of 1974 and Amendments, 5 U.S.C. 552a.
An Introduction to Computer Security for Lawyers
A number of articles serving to introduce lawyers to the concepts behind computer security.
Revised Computer Crime Sentencing Guidelines
A description of the new federal sentencing guidelines that address the Computer Fraud and Abuse Act.
Computer crime laws, listed by state.

Password

Department of Defense Password Management Guideline
Enumerates a number of good password management practices.
Standard for Automated Password Generator
Federal Information Processing Standard No. 181.
Foiling the Cracker: A Survey of, and Improvements to, Password Security
Demonstrates the ease with which most passwords can be guessed by a motivated attacker.
Observing Reusable Password Choices
A method for observing password choices made by users, and how to protect it from being compromised.
OPUS: Preventing Weak Password Choices
A system that uses Bloom filters to implement a constant-time dictionary lookup, regardless of dictionary size, to check a user's password choice for "goodness."
User Authentication and Related Topics: An Annotated Bibliography
Password Security: A Case History
A description of the original UNIX password algorithm, and the reasons for replacing it with the current one.
UNIX Password Security - Ten Years Later
A reexamination of the UNIX password algorithm after ten years of advances in software and hardware.
The S/Key One-Time Password System
A freely available implementation of one-time passwords.

Protocol

Highjacking AFS
A description of security weaknesses in the Andrew File System (AFS).
An End-to-End Argument for Network Layer, Inter-Domain Access Controls
A method by which different administrative domains of an internetwork can interconnect without exposing their internal resources to unrestricted access.
Identification Protocol - RFC 1413
A description of the Identification Protocol, a means to determine the identity of the user of a particular TCP connection.
Security Problems in the TCP/IP Protocol Suite
A description of several attacks on TCP/IP protocols including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks.
A Unix Network Protocol Security Study: Network Information Service
A discussion of the security weaknesses in the Network Information Service (Yellow Pages) protocol from Sun Microsystems.
A Security Analysis of the NTP Protocol
A security analysis of the Network Time Protocol (NTP).
Protocol Design for Integrity Protection
A design method for message integrity protection.
Privacy-Enhanced Electronic Mail
A description of the Internet Privacy-Enhanced Mail protocols.
A Weakness in the 4.2BSD TCP/IP Software
A description of a security weakness of the TCP/IP protocol suite as implemented in 4.2BSD UNIX.
Security Analyses of Network Time Services
An analysis of the security requirements for a network time service.
Secure Control of Transit Internetwork Traffic
Methods for controlling traffic traversing a local network on its way from one remote network to another.
Access Control and Policy Enforcement in Internetworks (part1) (part2) (part3)
Methods of controlling access policy between different administrative domains of an internetwork.

Unix

The COPS Security Checker System
A description of one of the most popular UNIX security scanners.
Improving the Security of Your Site by Breaking Into It
Discussion of a number of commonly used attacks on UNIX systems, and how to check your systems for vulnerability to them.

Next-Generation Intrusion Detection Expert System (NIDES)

Detecting Intruders in Computer Systems
Software Requirements Specification: Next Generation Intrusion Detection Expert System
SAFEGUARD Final Report: Detecting Unusual Program Behavior Using the NIDES Statistical Component
The NIDES Statistical Component: Description and Justification
Automated Audit Trail Analysis and Intrusion Detection: A Survey
Life Without Root
A method for authorizing users to perform certain system administration tasks without giving them the super-user password.
UNIX Password Security
A discussion of the importance of well-chosen passwords, and how passwords are cracked.
On the Security of UNIX
The original UNIX security paper.
The `Session TTY' Manager
A method for controlling access to terminals by background processes after the user has logged out.
Improving the Security of Your UNIX System (PS)
A description of many of the security features of the average UNIX system, and how to use them.
UNIX Security Tools
An excellent summary of most of the public domain UNIX security tools, and where to obtain them.
The Design and Implementation of Tripwire: A File System Integrity Checker
Tripwire computes checksums of files on the system, and then scans later for any changes to those files.
Experiences With Tripwire: Using Integrity Checkers for Intrusion Detection
A description of how the Tripwire integrity checker (see tripwire.ps) has performed in the field.
UNIX & Security
Describes many of the security features of the UNIX operating system, as well as features that could be added to result in an evaluatable system at Class C2.
UTnet Guide to UNIX System Security
A guide to UNIX security resources.

Virus

Computer Viruses as Artificial Life
A consideration of computer viruses as artificial life - self-replicating organisms.
Frequently Asked Questions on VIRUS-L/comp.virus
Organizing a Corporate Anti-Virus Effort
A description of how IBM Corp. has learned to cope with computer viruses and related threats.
Computer Security
The G.A.O.'s report on the Internet Worm of November, 1988, and on the then-current state of Internet vulnerabilities and prosecution of computer virus cases.
The Internet Worm Program: An Analysis
A description of the algorithms used by the Internet Worm program of November 2, 1988.
The Internet Worm Incident
A description of the events involved in the Internet Worm of November 2, 1988.
An Overview of Computer Viruses in a Research Environment
An examination of computer viruses as malicious logic in a research and development environment and current techniques in controlling the threats of viruses and other malicious logic programs.
Computer Viruses and Related Threats: A Management Guide
Guidelines for preventing, deterring, containing, and recovering from attacks of viruses and related threats. A report from the U.S. National Institute of Standards and Technology.
With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
A detailed description of the events of the Internet Worm of November 2, 1988 from one of the teams of people who combated it.
A Guide to the Selection of Anti-Virus Tools and Techniques
Criteria for judging the functionality, practicality, and convenience of anti-virus tools. A report from the U.S. National Institute of Standards and Technology.
A Tour of the Worm
A tour of the Internet Worm of November 2, 1988.