Bruce is a DDJ contributing editor and can be contacted at schneier@chinet.com.
The Second ACM Conference on Computer and Communications Security, held on November 2--4, 1994 in Fairfax, Virginia, brought together 130 people from 13 countries to hear 33 papers and 4 panel discussions. Here are some of the highlights:
Tripwire, presented by Gene Kim and Eugene Spafford of Purdue University, is a UNIX integrity-checking tool that monitors files and directories for changes and notifies system administrators of corrupted or altered files. It records a baseline of cryptographic checksums and file attributes (size, permissions, ownership, timestamps) for each file and reports any deviation on later runs. It is publicly available and is widely used to detect viruses, Trojan horses, and other attacks that alter a computer's file system.
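The baseline-and-compare loop that an integrity checker runs, as an added example that is not Tripwire's own code: it records a digest, size and mode bits for every regular file under a directory, then classifies later differences as added, removed or changed. The directory tree, the "trojaned" binary and the setuid helper are constructed inside `demo()` so the script runs offline; real Tripwire records more attributes and keeps its baseline on read-only media.

```python
"""Toy file-integrity checker in the spirit of Tripwire (added example,
not Tripwire's code).  Builds a baseline of per-file digests and
attributes, then reports files that were added, removed or altered."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# One baseline entry: (sha256 hex digest, size in bytes, permission bits).
Entry = Tuple[str, int, int]


def fingerprint(path: str) -> Entry:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), st.st_size, st.st_mode & 0o7777)


def snapshot(root: str) -> Dict[str, Entry]:
    """Fingerprint every regular file below `root`; symlinks are skipped."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, list]:
    """Classify differences; a 'changed' item also names the attributes that differ."""
    report: Dict[str, list] = {"added": [], "removed": [], "changed": []}
    names = ("digest", "size", "mode")
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            diffs = [n for n, a, b in zip(names, baseline[rel], current[rel]) if a != b]
            report["changed"].append((rel, diffs))
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/login": b"original login binary",
                 "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "etc/motd": b"welcome\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        # Simulated intrusion: a same-size trojaned binary (a size check alone
        # would miss it), a new setuid helper, and a deleted file.
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"trojaned login binary")
        helper = os.path.join(root, "bin/.rootkit")
        with open(helper, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(helper, 0o4755)
        os.remove(os.path.join(root, "etc/motd"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The digest is what catches the same-size substitution; Tripwire's design point is that several independent checksums plus metadata are recorded so that an attacker cannot satisfy all of them at once.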
Matt Blaze of AT&T Bell Laboratories presented his attack against the Clipper key escrow system. He found that he could spoof the Law-Enforcement Access Field (LEAF) on the Fortezza card (formerly called the "Tessera" card). The receiving chip cannot read the escrowed session key inside the LEAF; all it can verify is a 16-bit checksum, so a rogue LEAF that passes the check can be found by trying random values, about 2^15 of them on average. This attack permits a sender to communicate with a Clipper chip while denying law enforcement the ability to decrypt his communications. Unfortunately, the search takes about 42 minutes of setup each time a call is initiated, so it is not practical for voice communications.
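A simulation of the rogue-LEAF search, as an added example rather than Blaze's own code or the real Clipper internals: the family-key cipher and the checksum function are SHA-256-based stand-ins (Skipjack is classified), the field layout (32-bit unit ID, 80-bit escrow-encrypted session key, 16-bit checksum) follows the published LEAF description, and the unit key, session key and IV are constructed values. The receiving chip accepts any 128-bit LEAF whose 16-bit checksum matches, so the attacker simply feeds it random LEAFs until one is accepted; the escrow agent then recovers garbage.

```python
"""Rogue-LEAF search against a model of the Clipper receiving chip (added
example; the ciphers are SHA-256 stand-ins, not Skipjack)."""
import hashlib
import random
from typing import Dict, Optional, Tuple

FAMILY_KEY = b"family-key-shared-by-all-chips"  # constructed stand-in value
CHECKSUM_BITS = 16


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def escrow_checksum(session_key: bytes, iv: bytes) -> int:
    """16-bit checksum tying the LEAF to the session key and IV (stand-in)."""
    d = hashlib.sha256(b"leaf-checksum" + session_key + iv).digest()
    return int.from_bytes(d[:2], "big")


def build_leaf(unit_id: int, unit_key: bytes, session_key: bytes, iv: bytes) -> bytes:
    """Honest chip: unit_id || E_unitkey(session_key) || checksum, then E_familykey."""
    enc_key = _xor(session_key, _keystream(unit_key, iv, 10))
    inner = (unit_id.to_bytes(4, "big") + enc_key
             + escrow_checksum(session_key, iv).to_bytes(2, "big"))
    return _xor(inner, _keystream(FAMILY_KEY, iv, 16))


def receiver_accepts(leaf: bytes, session_key: bytes, iv: bytes) -> bool:
    """The receiver holds the family key but not the sender's unit key,
    so the checksum is the only thing it can verify."""
    inner = _xor(leaf, _keystream(FAMILY_KEY, iv, 16))
    return int.from_bytes(inner[14:16], "big") == escrow_checksum(session_key, iv)


def forge_leaf(session_key: bytes, iv: bytes, rng: random.Random) -> Tuple[bytes, int]:
    """Attacker: submit random LEAFs until the chip accepts one."""
    tries = 0
    while True:
        tries += 1
        candidate = rng.getrandbits(128).to_bytes(16, "big")
        if receiver_accepts(candidate, session_key, iv):
            return candidate, tries


def escrow_decrypt(leaf: bytes, unit_keys: Dict[int, bytes], iv: bytes) -> Optional[bytes]:
    """Law enforcement: open the LEAF with the family key, look up the
    escrowed unit key by unit ID, decrypt the session key."""
    inner = _xor(leaf, _keystream(FAMILY_KEY, iv, 16))
    unit_id = int.from_bytes(inner[:4], "big")
    if unit_id not in unit_keys:
        return None
    return _xor(inner[4:14], _keystream(unit_keys[unit_id], iv, 10))


def demo() -> dict:
    rng = random.Random(1994)
    unit_id = 0x00C0FFEE                                   # constructed
    unit_key = rng.getrandbits(80).to_bytes(10, "big")     # 80-bit, escrowed
    session_key = rng.getrandbits(80).to_bytes(10, "big")
    iv = rng.getrandbits(64).to_bytes(8, "big")
    escrow = {unit_id: unit_key}
    honest = build_leaf(unit_id, unit_key, session_key, iv)
    forged, tries = forge_leaf(session_key, iv, rng)
    return {
        "honest_accepted": receiver_accepts(honest, session_key, iv),
        "honest_recovered": escrow_decrypt(honest, escrow, iv) == session_key,
        "forged_accepted": receiver_accepts(forged, session_key, iv),
        "forged_recovered": escrow_decrypt(forged, escrow, iv) == session_key,
        "tries": tries,
        # Per-trial cost implied by the article's 42-minute figure and the
        # 2^15 expected trials for a 16-bit checksum (derived, not measured).
        "seconds_per_try_implied": 42 * 60 / 2 ** (CHECKSUM_BITS - 1),
    }


if __name__ == "__main__":
    print(demo())
```

The number of tries varies with the random seed but averages 2^15; the 42-minute figure comes from how slowly a Tessera card checks each candidate, which is exactly why Blaze judged the attack impractical for a voice call but still fatal to the escrow guarantee.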
One fascinating paper characterized and organized all ElGamal-like digital signature schemes into a single meta-ElGamal scheme. The paper, written by Patrick Horster, Holger Petersen, and Markus Michels of the University of Technology Chemnitz-Zwickau in Germany, showed how over 5088 different digital signature schemes--including the U.S. government's Digital Signature Algorithm (DSA)--are related: each is an instance of one signing equation whose three terms are filled in from the message, the commitment, and the signature value. This is more fuel for the argument that the DSA does not infringe on the Schnorr patent.
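One generic implementation covering ElGamal, DSA and a third family member, as an added example in the spirit of the meta-ElGamal framework (a simplification, not the authors' code). Every scheme is the signing equation A = x*B + k*C (mod Q), where A, B, C are chosen from the digest m, the commitment r = g^k and the signature value s; the verifier recovers g^k = g^(A/C) * y^(-B/C) and compares it with r. The toy group (a 17-bit safe prime found at import time, generator 4) and the seeded key material are assumptions for the demo.

```python
"""Generic ElGamal-type signatures: one sign/verify pair parameterized by
the (A, B, C) assignment (added example, meta-ElGamal style)."""
import hashlib
import random
from typing import Callable, List, Optional, Tuple


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def _safe_prime_above(start: int) -> Tuple[int, int]:
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime_above(100_000)  # toy sizes; real use needs a 1024-bit P or more
G = 4                               # a square mod P, hence of prime order Q


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


class Scheme:
    """coef[i](m, r) is the coefficient in slot i of (A, B, C); slot s_slot is
    additionally multiplied by s.  reduce_r is the DSA trick r = (g^k mod P) mod Q."""
    def __init__(self, name: str, coef: List[Callable[[int, int], int]],
                 s_slot: int, reduce_r: bool):
        self.name, self.coef, self.s_slot, self.reduce_r = name, coef, s_slot, reduce_r

    def abc(self, m: int, r: int, s: int) -> List[int]:
        vals = [c(m, r) % Q for c in self.coef]
        vals[self.s_slot] = vals[self.s_slot] * s % Q
        return vals


ELGAMAL = Scheme("ElGamal", [lambda m, r: m, lambda m, r: r, lambda m, r: 1], 2, False)   # m = x*r + k*s
DSA = Scheme("DSA", [lambda m, r: m, lambda m, r: -r, lambda m, r: 1], 2, True)            # m = -x*r + k*s
VARIANT = Scheme("s=x*m+k*r", [lambda m, r: 1, lambda m, r: m, lambda m, r: r], 0, False)  # s = x*m + k*r


def keygen(rng: random.Random) -> Tuple[int, int]:
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def _inv(v: int) -> Optional[int]:
    v %= Q
    return None if v == 0 else pow(v, -1, Q)


def sign(scheme: Scheme, x: int, msg: bytes, rng: random.Random) -> Tuple[int, int]:
    m = digest(msg)
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P) % (Q if scheme.reduce_r else P)
        a, b, c = scheme.abc(m, r, 1)          # slot coefficients with s factored out
        if scheme.s_slot == 0:                 # solve A = x*B + k*C for s
            denom, num = _inv(a), x * b + k * c
        elif scheme.s_slot == 1:
            denom, num = _inv(x * b), a - k * c
        else:
            denom, num = _inv(k * c), a - x * b
        if r == 0 or denom is None:
            continue                           # unlucky k: draw another
        s = num * denom % Q
        if s != 0:
            return r, s


def verify(scheme: Scheme, y: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < (Q if scheme.reduce_r else P) and 0 < s < Q):
        return False
    a, b, c = scheme.abc(digest(msg), r, s)
    ci = _inv(c)
    if ci is None:
        return False
    gk = pow(G, a * ci % Q, P) * pow(y, (-b * ci) % Q, P) % P   # g^k from the equation
    return (gk % Q if scheme.reduce_r else gk) == r


def demo() -> dict:
    """Valid, wrong-message and tampered-s results per scheme (seeded)."""
    rng, msg, out = random.Random(1994), b"AP wire report", {}
    for scheme in (ELGAMAL, DSA, VARIANT):
        x, y = keygen(rng)
        r, s = sign(scheme, x, msg, rng)
        out[scheme.name] = (verify(scheme, y, msg, (r, s)),
                            verify(scheme, y, msg + b"!", (r, s)),
                            verify(scheme, y, msg, (r, s * 2 % Q)))
    return out


if __name__ == "__main__":
    print(P, Q, demo())
```

The point of the framework is visible in `verify`: it never needs to know which named scheme it is checking, only the (A, B, C) assignment, which is why the paper can treat DSA, ElGamal and the rest as one family.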
A paper by Steven Low, Nicholas Maxemchuk, and Sanjoy Paul of AT&T Bell Laboratories discussed anonymous credit cards. The protocol uses several different banks to protect the identity of the customer. Each customer has an account at two different banks. The first bank knows the person's identity and is willing to extend him credit. The second bank knows the customer only under a pseudonym (similar to a numbered "Swiss bank" account). The customer can withdraw funds from the second bank by proving that the account is his. However, the second bank does not know the person, and is unwilling to extend him credit. The first bank knows the customer, and transfers funds to the second bank without knowing the pseudonym. The customer then spends these funds anonymously. At the end of the month, the second bank gives the first bank a bill, which it trusts the first bank to pay. The first bank passes the bill on to the customer, whom it trusts to pay. When the customer pays, the first bank transfers additional funds to the second bank. All transactions are handled through an intermediary, which acts sort of like an electronic Federal Reserve: settling accounts among banks, logging messages, and creating an audit trail.
Paul van Oorschot and Michael Wiener of Bell-Northern Research in Canada proposed a brute-force machine to find collisions in a one-way hash function. Finding such collisions would undermine the security of various digital signature protocols, which rely on one-way hash functions for security. By the birthday bound, a collision in an n-bit hash is expected after about 2^(n/2) evaluations: 2^64 for a 128-bit hash, 2^80 for a 160-bit one. The authors estimated that a machine costing $10 million could find collisions in a 128-bit hash function--such as MD4 or MD5--in 24 days. This result strongly suggests that digital signature applications should switch to the Secure Hash Algorithm (SHA), whose 160-bit output raises the effort by a factor of 2^16, for long-term security.
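The arithmetic behind that estimate, plus a memoryless collision search on a truncated MD5, as an added example that is not the paper's parallel collision-search design: `expected_trials` and `scale_days` carry the birthday bound through for the article's numbers, and `rho_collision` uses Floyd cycle-finding on x -> H(x) (the same idea the authors parallelize) to find two distinct inputs with equal truncated digests in constant memory. The truncation widths and the starting seed are choices for the demo, not values from the paper.

```python
"""Birthday-bound estimates and a rho-style collision search on truncated
MD5 (added example; not the van Oorschot-Wiener machine)."""
import hashlib
import itertools
import math
from typing import Tuple


def expected_trials(bits: int) -> float:
    """Hash evaluations expected before the first collision in an n-bit hash."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def scale_days(days: float, from_bits: int, to_bits: int) -> float:
    """Same machine, wider hash: effort grows by 2^((to - from) / 2)."""
    return days * 2 ** ((to_bits - from_bits) / 2)


def implied_rate(days: float, bits: int) -> float:
    """Hashes per second implied by doing 2^(n/2) evaluations in `days`
    (a rough derivation from the article's figure, ignoring search overhead)."""
    return 2 ** (bits / 2) / (days * 86400)


def truncated_md5(v: int, bits: int) -> int:
    """H(x): the top `bits` bits of MD5 over the 8-byte encoding of x."""
    h = hashlib.md5(v.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") >> (128 - bits)


def rho_collision(bits: int, start: int = 1) -> Tuple[int, int, int]:
    """Floyd cycle-finding on x -> truncated_md5(x).  Returns (a, b, steps)
    with a != b and truncated_md5(a) == truncated_md5(b), in O(1) memory."""
    f = lambda v: truncated_md5(v, bits)
    for seed in itertools.count(start):
        tortoise, hare, steps = f(seed), f(f(seed)), 1
        while tortoise != hare:
            tortoise, hare, steps = f(tortoise), f(f(hare)), steps + 1
        a, b = seed, tortoise          # x_0 and x_i, i a multiple of the cycle length
        if a == b:
            continue                   # seed lies on its own cycle; try the next one
        while f(a) != f(b):
            a, b = f(a), f(b)          # lockstep until the images coincide
        return a, b, steps             # a is in the tail, b on the cycle: a != b


if __name__ == "__main__":
    print("expected trials, 128-bit: %.3g" % expected_trials(128))
    print("24 days at 128 bits -> %.0f days at 160 bits" % scale_days(24, 128, 160))
    print("implied rate: %.3g hashes/s" % implied_rate(24, 128))
    a, b, steps = rho_collision(32)
    print("32-bit collision:", a, b, "after", steps, "Floyd steps")
```

The 24-day figure for 128-bit hashes becomes about 2^16 times longer, roughly 4,300 years on the same hardware, at 160 bits; that ratio, not the absolute cost of any one machine, is the reason the paper argues for the wider output.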
Arjen Lenstra of Bellcore discussed the difficulty of factoring in an invited talk. Lenstra was one of the coordinators of the massive factoring effort of RSA-129 that made the news several months ago. His point was that while factoring is still difficult, it is getting easier, and it is getting easier faster than anyone ever expected. The difficulty of factoring is essential to the security of RSA public key cryptography, and Lenstra pointed out that the security inherent in a 512-bit modulus ten years ago is about the same as the security inherent in a 1024-bit modulus today. This talk strongly implied that even the largest PGP modulus--1024 bits--is too small for long-term security.
Thomas Cain and Alan Sherman of the University of Maryland-Baltimore County presented a successful cryptanalysis of Gifford's cipher, used to secure New York Times and Associated Press wire reports in the Boston area from April 1984 to January 1988.