PRIVACY Forum Digest      Monday, 28 October 1996      Volume 05 : Issue 20

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.

                       ===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for
Computing Machinery) Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division of MCI
Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
These organizations do not operate or control the PRIVACY Forum in any
manner, and their support does not imply agreement on their part with
nor responsibility for any materials posted on or related to the
PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Postal "Change of Address" Issues on PRIVACY Forum Radio
        (Lauren Weinstein; PRIVACY Forum Moderator)
    Web Search Service Exposes Searches to Public Viewing
        (Lauren Weinstein; PRIVACY Forum Moderator)
    "Holographic" Full-Body Security Scanning
        (Lauren Weinstein; PRIVACY Forum Moderator)
    Re: Blood and Privacy? (Joe Decker)
    A new attack on DES (Monty Solomon)
    IEEE Symposium on Security and Privacy - call for papers
        (Mary Ellen Zurko)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.
Excessive "signatures" on submissions are subject to editing. Subscriptions
are by an automatic "listserv" system; for subscription information, please
send a message consisting of the word "help" (quotes not included) in the
BODY of a message to: "privacy-request@vortex.com". Mailing list problems
should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual
authors and all messages submitted must be appropriate to be distributable
without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site
"ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or
"anonymous", and enter your e-mail address as the password. The typical
"README" and "INDEX" files are available to guide you through the files
available for FTP access. PRIVACY Forum materials may also be obtained
automatically via e-mail through the listserv system. Please follow the
instructions above for getting the listserv "help" information, which
includes details regarding the "index" and "get" listserv commands, which
are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full
keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 20

   Quote for the day:

        "A stereo's a stereo. Art is forever."
                -- Neil (Cheech Marin)
                   "After Hours" (Geffen/Warner Bros.; 1985)

----------------------------------------------------------------------

Date: Sun, 27 Oct 96 16:55 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Postal "Change of Address" Issues on PRIVACY Forum Radio

Greetings. The next installment of PRIVACY Forum Radio is now available for
your listening pleasure. This latest show features two interviews I recently
conducted related to controversies surrounding U.S. mail "change of address"
issues.

The first interview is with Mike Selnick of the United States Postal Service
in Washington D.C., regarding commercial use of change of address data. This
is followed by John Brugger of the United States Postal Inspection Service
(also in D.C.) on the topic of fraudulent activities related to change of
address filings. The total running time of the show is approximately 30
minutes.

As always, these interviews are accessible at the PRIVACY Forum/PRIVACY
Forum Radio links via:

        http://www.vortex.com

--Lauren--

------------------------------

Date: Fri, 11 Oct 96 11:13 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Web Search Service Exposes Searches to Public Viewing

In a new twist related to privacy problems, one of the more major Web search
services, the "Magellan Internet Guide" from the McKinley Group, Inc.
(http://www.mckinley.com), has implemented a feature which allows anyone to
"spy" on other people's searches. Called the "Search Voyeur", the mechanism
automatically shows the text of 20 current, randomly selected searches,
refreshed every 20 seconds. They certainly haven't been trying to hide it;
it was prominently mentioned in one of their press releases.

While origin address information is not included, and they say they don't
show searches that go beyond their "editorial guidelines" (presumably an
obscenity filter), even a brief viewing of the searches flying by suggests a
substantial privacy risk.
Search keywords often include individuals' names associated with various
actions or activities. While some of the searches can best be described as
"amusing", it doesn't take too long to see others that are troubling at best
and potentially significant privacy violations at worst.

While the "Search Voyeur" is listed (without explanation) as a link on their
home page along with a search form box, there is no explicit statement
warning users that their searches could potentially be viewed by anyone on
the net. The entire concept seems ill-advised.

The PRIVACY Forum has made repeated email and telephone attempts to obtain
any kind of statement or interview from McKinley (and their new owner,
Excite, Inc.) about this issue. These attempts have so far been completely
unsuccessful; email has been ignored and promised return phone calls have
not been forthcoming.

--Lauren--

------------------------------

Date: Sun, 27 Oct 96 15:15 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "Holographic" Full-Body Security Scanning

According to an article in the Oct-Nov 1996 issue of "Compressed Air"
magazine (a wonderful Ingersoll-Rand publication that covers a very wide
range of topics), the Federal Aviation Administration is planning to begin
testing the use of a full-body "holographic" imaging system at a U.S.
airport next year. The system (an earlier version of which was discussed
previously in the PRIVACY Forum) actually uses millimeter waves (~30 GHz)
to quickly (within a few seconds) generate a "naked" image of the scannee.
The device has been under development for a number of years and appears to
be evolving rapidly. The transmitted millimeter radiation passes through
clothes but bounces off the body or other objects (e.g., everything from
loose change to firearms, hidden money packets, etc.)

Outside of the rather obvious broader privacy implications of such a device,
two special issues should also be considered.
First, even though the millimeter radiation used is non-ionizing (e.g. less
energetic than x-rays), there is considerable controversy about the health
risks of exposure to non-ionizing radiation at these wavelengths. The
statement is made that the system is similar in exposure to supermarket
"door opener" microwave scanners, though this seems somewhat difficult to
accept given the completely different scanning requirements of the two
devices.

But another problem may be even more likely to concern the public at large
about such equipment. As the photographs included with the article show all
too clearly, the device generates quite detailed "nude" images. It is
decidedly uncertain how people will feel about being required to pass
through a system that creates instant 360 degree naked pictures, possibly
archived to tape as well! The promoters of the system suggest that using
"same-sex" operators would alleviate these concerns. Excuse me, but are we
all living on the same planet? Talk about needing a reality check...

I have no doubt that there might be special situations where such a device,
as an alternative to "pat-downs" or other intrusive personal searches, could
be useful. But broadscale deployment of such systems in airports as a
routine body scanning procedure seems unlikely to be acceptable to most of
the public.

--Lauren--

------------------------------

Date: Tue, 15 Oct 96 10:28:11 PDT
From: joe@synaptics.com (Joe Decker)
Subject: Re: Blood and Privacy?

John Levine wrote:

> * The Red Cross seems to use a scheme where they accept blood from pretty
> much anyone, but if your blood flunks a test they'll silently discard all
> future donations from you. I presume this is one of the main impetuses for
> the SSN tagging. Of course, since they make no attempt to verify the SSN you
> provide, a bad guy who had contaminated blood and wanted to subvert their
> system need only make up a different SSN on each visit.
Yes, it is my understanding as a long-time blood donator that the discarding
process is the impetus for the SSN tagging.

One nit: I don't believe that the Red Cross is trying to catch malicious
people trying to subvert the blood supply. I believe their primary concern
is trying to minimize the risk of someone donating blood that has any chance
of being (say) HIV-positive. Even if told their blood had tested positive, a
donator might later decide their blood was safe on the basis of other tests,
or their own faith, and work to donate their blood anyhow. This is a
distinct mindset from 'I'm trying to subvert the blood supply.', and without
knowing numbers, many of the checks in the donation process seemed to be
aimed at overcoming the ability of the donator to deny (to themselves or
others) any risks their blood might contain.

(I do not speak for the Red Cross.)

--joe
joe@synaptics.com
decker@alumni.caltech.edu
jdecker@pacbell.net

------------------------------

Date: Tue, 22 Oct 1996 03:41:13 -0400
From: Monty Solomon
Subject: A new attack on DES

Excerpt from RISKS DIGEST 18.54

Date: Fri, 18 Oct 1996 16:58:50 +0200
From: Shamir Adi
Subject: A new attack on DES

You have recently referred in RISKS [18.50, 18.52] to the ingenious new
attack against public key cryptosystems developed at Bellcore. All the
published information on the subject (including Bellcore's press release)
stress that the attack is not applicable to secret key cryptosystems. Well,
Eli Biham and I have just released a research announcement in which we show
that an extension of the attack can, under the same realistic fault model,
break almost any secret-key algorithm, including DES, multiple DES, IDEA,
etc. The attack on DES was actually implemented on a PC, and it found the
key by analysing fewer than 200 ciphertexts generated from unknown
cleartexts.

Adi Shamir

= = = = = =

Research announcement: A new cryptanalytic attack on DES

        Eli Biham                        Adi Shamir
  Computer Science Dept.             Applied Math Dept.
      The Technion                   The Weizmann Institute
         Israel                              Israel

                      18 October 1996 (DRAFT)

In September 96, Boneh, DeMillo and Lipton from Bellcore announced an
ingenious new type of cryptanalytic attack which received widespread
attention (see, e.g., John Markoff's 9/26/96 article in the New York Times).
Their full paper had not been published so far, but Bellcore's press release
and the authors' FAQ (available at
http://www.bellcore.com/PRESS/ADVSRY96/medadv.html) specifically state that
the attack is applicable only to public key cryptosystems such as RSA, and
not to secret key algorithms such as the Data Encryption Standard (DES).
According to Boneh, "The algorithm that we apply to the device's faulty
computations works against the algebraic structure used in public key
cryptography, and another algorithm will have to be devised to work against
the nonalgebraic operations that are used in secret key techniques." In
particular, the original Bellcore attack is based on specific algebraic
properties of modular arithmetic, and cannot handle the complex bit
manipulations which underlie most secret key algorithms.

In this research announcement, we describe a related attack (which we call
Differential Fault Analysis, or DFA), and show that it is applicable to
almost any secret key cryptosystem proposed so far in the open literature.
In particular, we have actually implemented DFA in the case of DES, and
demonstrated that under the same hardware fault model used by the Bellcore
researchers, we can extract the full DES key from a sealed tamperproof DES
encryptor by analysing fewer than 200 ciphertexts generated from unknown
cleartexts. The power of Differential Fault Analysis is demonstrated by the
fact that even if DES is replaced by triple DES (whose 168 bits of key were
assumed to make it practically invulnerable), essentially the same attack
can break it with essentially the same number of given ciphertexts.
We would like to gratefully acknowledge the pioneering contribution of
Boneh, DeMillo and Lipton, whose ideas were the starting point of our new
attack.

In the rest of this research announcement, we provide a short technical
summary of our practical implementation of Differential Fault Analysis of
DES. Similar attacks against a large number of other secret key
cryptosystems will be described in the full version of our paper.

TECHNICAL DETAILS OF THE ATTACK

The attack follows the Bellcore fundamental assumption that by exposing a
sealed tamperproof device such as a smart card to certain physical effects
(e.g., ionizing or microwave radiation), one can induce with reasonable
probability a fault at a random bit location in one of the registers at
some random intermediate stage in the cryptographic computation. Both the
bit location and the round number are unknown to the attacker.

We further assume that the attacker is in physical possession of the
tamperproof device, so that he can repeat the experiment with the same
cleartext and key but without applying the external physical effects. As a
result, he obtains two ciphertexts derived from the same (unknown) cleartext
and key, where one of the ciphertexts is correct and the other is the result
of a computation corrupted by a single bit error during the computation.

For the sake of simplicity, we assume that one bit of the right half of the
data in one of the 16 rounds of DES is flipped from 0 to 1 or vice versa,
and that both the bit position and the round number are uniformly
distributed.

In the first step of the attack we identify the round in which the fault
occurred. This identification is very simple and effective: If the fault
occurred in the right half of round 16, then only one bit in the right half
of the ciphertext (before the final permutation) differs between the two
ciphertexts.
The left half of the ciphertext can differ only in output bits of the S box
(or two S boxes) to which this single bit enters, and the difference must be
related to non-zero entries in the difference distribution tables of these S
boxes. In such a case, we can guess the six key bits of each such S box in
the last round, and discard any values which disagree with the expected
differences of these S boxes (e.g., differential cryptanalysis). On average,
about four possible 6-bit values of the key remain for each active S box.

If the faults occur in round 15, we can gain information on the key bits
entering more than two S boxes in the last round: the difference of the
right half of the ciphertext equals the output difference of the F function
of round 15. We guess the single bit fault in round 15, and verify whether
it can cause the expected output difference, and also verify whether the
difference of the right half of the ciphertext can cause the expected
difference in the output of the F function in the last round (e.g., the
difference of the left half of the ciphertext XOR the fault). If successful,
we can discard possible key values in the last round, according to the
expected differences.

We can also analyse the faults in the 14'th round in a similar way.

We use counting methods in order to find the key. In this case, we count for
each S box separately, and increase the counter by one for any pair which
suggests the six-bit key value by at least one of its possible faults in
either the 14'th, 15'th, or 16'th round.

We have implemented this attack on a personal computer. Our analysis program
found the whole last subkey given less than 200 ciphertexts, with random
single-faults in all the rounds.

This attack finds the last subkey. Once this subkey is known, we can proceed
in two ways: We can use the fact that this subkey contains 48 out of the 56
key bits in order to guess the missing 8 bits in all the possible 2^8=256
ways.
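To make the round-16 filtering step above concrete, here is an added example (an editor's illustration, not code from the announcement or its authors) that simulates one active S box, the standard DES S1, under the single-bit fault model: `sbox_key_candidates` keeps the 6-bit subkey values consistent with one correct/faulty pair and `recover_subkey` intersects them over many pairs. It also shows the countermeasure this attack motivates, a redundant recomputation that withholds any output the two runs disagree on; that guard is an assumption of this example, not something the announcement discusses.

```python
import random

# DES S-box S1 (the standard published table): the two outer input bits
# select the row, the four middle bits select the column.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """4-bit S1 output for a 6-bit input x (bit 5 is the leftmost bit)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def sbox_key_candidates(x, x_faulty, out_diff):
    """Subkey values (0..63) consistent with one correct/faulty ciphertext pair.

    x and x_faulty are the six expanded bits entering S1 in the last round for
    the correct and the faulty run (they differ in one bit and are visible in
    the ciphertext half that copies the round-15 output); out_diff is the 4-bit
    S1 output difference read off the other half.  This is the differential
    filter the announcement applies to a fault in the right half of round 16.
    """
    return {k for k in range(64) if s1(x ^ k) ^ s1(x_faulty ^ k) == out_diff}

def unguarded_round(x, k, fault_mask=0):
    """S-box evaluation on a device with no fault check; fault_mask is the flip."""
    return s1((x ^ fault_mask) ^ k)

def guarded_round(x, k, fault_mask=0):
    """Countermeasure (assumed here, not discussed in the announcement):
    compute twice and release nothing if the runs disagree.  The induced
    fault hits only one run, so no faulty output ever reaches the attacker.
    """
    first = s1((x ^ fault_mask) ^ k)  # run that may be hit by the fault
    second = s1(x ^ k)                # independent recomputation
    return first if first == second else None

def recover_subkey(k, n_pairs, seed=0):
    """Intersect candidate sets over n_pairs constructed faulty pairs against
    a device holding secret subkey k; inputs and fault bits are random, as in
    the announcement's model.  Returns the surviving subkey values.
    """
    rng = random.Random(seed)
    remaining = set(range(64))
    for _ in range(n_pairs):
        x = rng.randrange(64)
        fault = 1 << rng.randrange(6)
        out_diff = unguarded_round(x, k) ^ unguarded_round(x, k, fault)
        remaining &= sbox_key_candidates(x, x ^ fault, out_diff)
    return remaining

def faulty_outputs_leaked(k, n_pairs, seed=0):
    """Same experiment against the guarded device: how many faulty outputs escape."""
    rng = random.Random(seed)
    leaked = 0
    for _ in range(n_pairs):
        x = rng.randrange(64)
        fault = 1 << rng.randrange(6)
        if guarded_round(x, k, fault) is not None:
            leaked += 1
    return leaked

if __name__ == "__main__":
    secret = 0b101011
    print("surviving subkey candidates:", recover_subkey(secret, 200))
    print("faulty outputs leaked by guarded device:", faulty_outputs_leaked(secret, 200))
```

A single pair leaves only the few candidates allowed by S1's difference distribution table (the true key and, for that fault bit, its mirror image), and pairs with different fault bits eliminate the mirrors; the guarded device never releases a faulty output because a one-bit input change always alters an S-box output.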
Alternatively, we can use our knowledge of the last subkey to peel up the
last round (and remove faults that we already identified), and analyse the
preceding rounds with the same data using the same attack. This latter
approach makes it possible to attack triple DES (with 168 bit keys), or DES
with independent subkeys (with 768 bit keys).

This attack still works even with more general assumptions on the fault
locations, such as faults inside the function F, or even faults in the key
scheduling algorithm. We also expect that faults in round 13 (or even prior
to round 13) might be useful for the analysis, thus reducing the number of
required ciphertexts for the full analysis.

OTHER VULNERABLE CIPHERS

Differential Fault Analysis can break many additional secret key
cryptosystems, including IDEA, RC5 and Feal. Some ciphers, such as Khufu,
Khafre and Blowfish compute their S boxes from the key material. In such
ciphers, it may be even possible to extract the S boxes themselves, and the
keys, using the techniques of Differential Fault Analysis.

Differential Fault Analysis can also be applied against stream ciphers, but
the implementation might differ by some technical details from the
implementation described above.

------------------------------

Date: Mon, 14 Oct 1996 10:50:00 -0400
From: Mary Ellen Zurko
Subject: IEEE Symposium on Security and Privacy - call for papers

                            CALL FOR PAPERS

     1997 IEEE Symposium on                          May 4-7, 1997
     Security and Privacy                       Oakland, California

                             sponsored by
      IEEE Computer Society Technical Committee on Security and Privacy
                          in cooperation with
       The International Association for Cryptologic Research (IACR)

The Symposium on Security and Privacy has, for 16 years, been the premier
forum for the presentation of developments in computer security and for
bringing together researchers and practitioners in the field.
We seek to build on this tradition of excellence by re-emphasizing work on
engineering and applications while maintaining our interest in theoretical
advances. We continue to seek to broaden the scope of the Symposium. We want
to hear not only about new theoretical results, but also about the design
and implementation of secure systems in specific application areas and about
policies relating to system security. We are particularly interested in
papers on policy and technical issues relating to privacy in the context of
the information infrastructure, papers that relate software and system
engineering technology to the design of secure systems and papers on
hardware and architectural support for secure systems. Papers or Panels
which discuss the application of theory to practice which describe not only
the successes but the failures and the lessons learned are of special
interest.

Topics on which papers and panel sessions proposals are invited include, but
are not limited to, the following:

   Commercial and Industrial Security, Security and other Critical System
   Properties, Secure Systems, Distributed Systems, Network Security,
   Database Security, Data Integrity, Access Controls, Information Flow,
   Security Verification, Viruses and Worms, Security Protocols,
   Authentication, Biometrics, Smartcards, Auditing, Intrusion Detection,
   Privacy Issues, Policy Modeling

A continuing feature of the symposium will be a session of 5-minute talks.
We want to hear from people who are advancing the field in the areas of
system design and implementation, but may lack the resources needed to
prepare a full paper. Abstracts of these talks will be distributed at the
Symposium.

INSTRUCTIONS FOR AUTHORS:

This year we are instituting mechanisms for "electronic" submission of
papers for the refereeing process. Final papers will still be submitted in
hard copy. We will continue to accept papers submitted via various forms of
mail, but not fax.
Papers should include an abstract, must not exceed 7500 words, and must
report original work that has not been published previously and is not
under consideration for publication elsewhere. The names and affiliations of
authors should appear on a separate cover page only, as "blind" refereeing
is used. Authors must certify prior to December 27, 1996 that all necessary
clearances for publication have been obtained.

The committee strongly encourages authors to include archival sources as
references (books, journal articles, etc.) and to include references to
"WEB" or other "NET" sources only if they can be backed up by some archival
source. In this way, we can ensure that people who read the paper 5 years
from now will have access to the information used as background and
justification of the arguments presented.

Panel proposals should include a title, an abstract which describes the
topic(s) to be discussed, the names of all proposed participants and
assurances that the participants agree to serve on the panel, a proposed
length and format for the panel and any other information that the panel
proposer thinks would support their proposal. We will publish the Panel
Abstract in the Proceedings as well as any position papers submitted by the
panelists in support of the panel proposal.

Those submitting papers via "hard copy" should send six copies of their
paper or panel proposal to:

   George W. Dinolt, Program Co-Chair
   Lockheed Martin Western Development Laboratories, Mail Stop X20,
   3200 Zanker Road, San Jose, CA 95134.

Please mark the envelope "IEEE Security and Privacy Symposium." The title,
abstract and authors' names should be on a separate cover page so that we
can support the "blind refereeing process." We would also like to have an
electronic, ascii text version of the abstract sent separately to
secprv97@wdl.lmco.com. The electronic version of the abstract should include
the title and the abstract as it appears in the paper.
Authors who wish to submit an electronic version of a paper or panel
proposal for evaluation should follow the instructions that will be posted
on our "Web" site at http://www.itd.nrl.navy.mil/ITD/5540/ieee or by sending
mail to secprv97@wdl.lmco.com with the word "Instructions" in the Subject
line. Instructions will be included in the reply.

Papers and panel proposals must be received (however sent) by 6:00 P.M.
(PST) on Monday Dec. 2, 1996 (The deadline has been extended from the
original call). Authors will be notified by mid-January about the status of
their papers.

Authors who submit an abstract for a 5-minute talk should include a title,
all authors' names and their affiliations, where appropriate, and text. The
whole should fit easily on one 8.5" by 11" page. Abstracts for 5-minute
talks should be sent to George W. Dinolt at the above U.S. Postal address to
be received no later than Friday, April 19, 1997 at 6:00 P.M. local time. We
will review abstracts and accept as many as we can. Please mark the envelope
"IEEE Security and Privacy Symposium - 5 minute Abstracts"

General Chair:      Steve Kent, BBN, USA
Vice Chair:         Mike Reiter, AT&T Laboratories - Research, USA
Program Co-Chairs:  George Dinolt, Lockheed Martin WDL, USA
                    Paul Karger, IBM, USA
Treasurer:          Charlie Payne, SCTC, USA

Program Committee:
   Deborah Cooper, The DMC Company
   Terry Vickers Benzel, Trusted Information Systems
   Lee Benzinger, Lockheed Martin WDL
   Yair Frankel, Sandia Labs
   Li Gong, Sun Microsystems
   Heather Hinton, Ryerson Polytechnic University, Canada
   Cynthia Irvine, Naval Postgraduate School
   Sushil Jajodia, George Mason University
   Dale Johnson, MITRE
   Carl Landwehr, Naval Research Laboratory
   Teresa Lunt, DARPA/ITO
   John McHugh, Portland State University
   John McLean, Naval Research Laboratory
   Catherine A. Meadows, Naval Research Laboratory
   Richard B. Neely, CTA
   Richard E. Newman-Wolfe, University of Florida
   Sylvan Pinsky, National Security Agency
   Sue Rho, Trusted Information Systems
   Mike Reiter, AT&T Laboratories - Research
   Peter Ryan, DRA Malvern, United Kingdom
   Pierangela Samarati, Universita' di Milano, Italy
   Tom Schubert, Portland State University
   Elisabeth Sullivan, Sequent
   Paul Syverson, Naval Research Laboratory
   Tom Van Vleck, CyberCash Inc.
   Shyhtsun F. Wu, North Carolina State University
   Mary Ellen Zurko, OSF

------------------------------

End of PRIVACY Forum Digest 05.20
************************