December 24, 1996

The NSA-hosted National Information Systems Security Conference, held in October 1996, has made a wide range of papers available (in PDF format), which are listed in the Table of Contents at:   (110K)

This is an HTML version of the TOC by jya.

See index for downloading papers at:

19th National Information Systems Security
Conference Proceedings

This is the table of contents to the papers, panel statements and presentations which were submitted in electronic form. Each paper was converted to Adobe's Acrobat format, and a link was made from the table of contents entry to the corresponding Acrobat file. Every attempt was made to generate a legible file. Most papers will not be identical to the word processor or printed original, since no two systems, programs or printers generate identical output. Papers which were submitted in PostScript format as generated by TeX/LaTeX and DVIPS used bitmapped rather than scalable fonts. Those papers will be most legible if they are printed out, or if the display monitor is set to the highest possible resolution (e.g. 1600x1200).

The table of contents is derived from the source for the printed version. The numbers on the left should correspond with the page number of the printed version. The label before each entry, e.g. paper001, corresponds to the directory containing the Acrobat files, which will have the .pdf extension. If the entry is prefaced by [none], the document was not submitted in electronic form, or we were unable to successfully generate the Acrobat file.


Rise of the Mobile State: Organized Crime in the 21st Century

Keynote Speech: August Bequai, Esq.

Refereed Papers

Criteria & Assurance


E4 ITSEC Evaluation of PR/SM on ES/9000 Processors

Naomi Htoo-Mosher, Robert Nasser, Nevenko Zunic, International Business Machines
Julian Straw, Syntegra, UK


A High-Performance Hardware-Based High Assurance Trusted Windowing System

Jeremy Epstein, Cordant Inc.


WWW Technology in the Formal Evaluation of Trusted Systems

E.J McCauley, Silicon Graphics Computer Systems, Inc.


The Certification of the Interim Key Escrow System

Ellen Flahavin, Ray Snouffer, National Institute of Standards and Technology


Configuration Management in Security-related Software Engineering Processes

Klaus Keus, Thomas Gast, Bundesamt für Sicherheit in der Informationstechnik, Germany


The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)

Jack Eller, DISA
Mike Mastrorocco, Computer Security Consulting
Barry C. Stauffer, CORBETT Technologies, Inc.


Trusted Process Classes

William L. Steffan, Tracor Applied Science, Inc.
Jack D. Clow, SenCom Corporation


Design Analysis in Evaluations Against the TCSEC C2 Criteria

Frank Belvin, Deborah Bode, and Shun Razvi, The MITRE Corporation


System Security Engineering Capability Maturity Model and Evaluations: Partners within the Assurance Framework

Charles G. Menk III, Department of Defense


Applying the TCSEC Guidelines to a Real-Time Embedded System Environment

Jim Alves-Foss, Deborah Frincke, Gene Saghi, University of Idaho

Electronic Commerce


EDI Moves from the VAN to the Internet

Brian Bradford, University of Maryland


An International Standard for the Labeling of Digital Products

Victor E. Hampel, Hampel Consulting


The Business-Led Accreditor - Or ... How to Take Risks and Survive

Michael E J Stubbings, Government Communications Headquarters, UK


Integration of Digital Signatures into the European Business Register

Helmut Kurth, Industrieanlagen Betriebsgesellschaft mbH, Germany


Industrial Espionage Today and Information Wars of Tomorrow

Paul M. Joyal, INTEGER Inc.


B is for Business: Mandatory Security Criteria & the OECD Guidelines for Information Systems Security

Prof. William J. Caelli, Queensland University of Technology, Australia


Marketing & Implementing Computer Security

Mark Wilson, National Institute of Standards and Technology


Secure Internet Commerce - Design and Implementation of the Security Architecture of Security First Network Bank, FSB

Nicolas Hammond, NJH Security Consulting, Inc.

In Depth


Automatic Formal Analyses of Cryptographic Protocols

Stephen H. Brackin, Arca Systems, Inc.


Surmounting the Effects of Lossy Compression on Steganography

Daniel L. Currie, III, Fleet Information Warfare Center
Cynthia E. Irvine, Naval Post-Graduate School


Key Escrowing Systems and Limited One Way Functions

William T. Jennings, Southern Methodist University & Raytheon E-Systems
James G. Dunham, Southern Methodist University


The Keys to a Reliable Escrow Agreement

Richard Sheffield



The Advanced Intelligent Network - A Security Opportunity

Thomas A. Casey, Jr., GTE Laboratories, Inc.


Security Issues in Emerging High Speed Networks

Vijay Varadharajan, University of Western Sydney, Australia
Panos Katsavos, Hewlett Packard sponsored student, UK


A Case Study of Evaluating Security in an Open Systems Environment

Daniel L. Tobat, TASC
Errol S. Weiss, Science Applications International Corporation


Internet Firewalls Policy Development and Technology Choices

Leonard J. D'Alotto, GTE Laboratories Inc.


A Case for Avoiding Security-Enhanced HTTP Tools to Improve Security for Web-Based Applications

Bradley J. Wood, Sandia National Laboratory


Applying the Eight Stage Risk Assessment Methodology to Firewalls

David L. Drake, Katherine L. Morse, Science Applications International Corporation


Lessons Learned: An Examination of Cryptographic Security Services in a Federal Automated Information System

Jim Foti, Donna Dodson, Sharon Keller, National Institute of Standards and Technology

Legal Perspectives


Intellectual Property Rights and Computer Software

Dawn E. Bowman, University of Maryland


Case Study of Industrial Espionage Through Social Engineering

Ira S. Winkler, National Computer Security Association


Legal Aspects of Ice Pick Testing

Dr. Bruce C. Gabrielson, Kaman Sciences Corp.

Management & Administration


Security Through Process Management

Jennifer L. Bayuk, Price Waterhouse, LLP


Malicious Data and Computer Security

W. Olin Sibert, InterTrust Technologies Corporation


Security Issues for Telecommuting

Lisa J. Carnahan, Barbara Guttman, National Institute of Standards and Technology

Research & Development


An Isolated Network for Research

Matt Bishop, L. Todd Heberlein, University of California Davis


GrIDS - A Graph-Based Intrusion Detection System for Large Networks

S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank,
J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle, University of California, Davis


Attack Class: Address Spoofing

L. Todd Heberlein, Net Squared
Matt Bishop, University of California, Davis


Generic Model Interpretations: POSIX.1 and SQL

D. Elliott Bell, Mitretek Systems


The Privilege Control Table Toolkit: An Implementation of the System Build Approach

Thomas R. Woodall, Roberta Gotfried, Hughes Aircraft Company


Use of the Zachman Architecture for Security Engineering

Ronda Henning, Harris Corporation


Developing Secure Objects

Deborah Frincke, University of Idaho


Deriving Security Requirements for Applications on Trusted Systems

Raymond Spencer, Secure Computing Corporation


Security Implications of the Choice of Distributed Database Management System Model: Relational vs. Object-Oriented

Stephen Coy, University of Maryland


Management Model for the Federal Public Key Infrastructure

Noel A. Nazario, William E. Burr, W. Timothy Polk, National Institute of Standards and Technology


Security Policies for the Federal Public Key Infrastructure

Noel A. Nazario, National Institute of Standards and Technology


A Proposed Federal PKI using X.509 V3 Certificates

William E. Burr, Noel A. Nazario, W. Timothy Polk, National Institute of Standards and Technology


A Security Flaw in the X.509 Standard

Santosh Chokhani, CygnaCom Solutions, Inc.



Computer Virus Response Using Autonomous Agent Technology

Christine M. Trently, Mitretek Systems


Security Across the Curriculum: Using Computer Security to Teach Computer Science Principles

Major Gregory White, Ph.D.,
Captain Gregory Nordstrom (Ret.), USAF Academy


U.S. Government Wide Incident Response Capability

Marianne Swanson, National Institute of Standards and Technology


MLS DBMS Interoperability Study

Rae K. Burns, AGCS, Inc.
Yi-Fang Koh, Raytheon Electronic Systems


MISSI Compliance for Commercial-Off-The-Shelf Firewalls

Michael Hale, Tammy Mannarino, National Security Agency


Designing & Operating a Multilevel Security Network Using Standard Commercial Products

Richard A. Griffith, Mac E. McGregor, Air Force C4 Technology Validation Office


Real World Anti-Virus Product Reviews and Evaluations - The Current State of Affairs

Sarah Gordon, Richard Ford, Command Systems, Inc.


Security Proof of Concept Keystone (SPOCK)

James McGehee, COACT Inc.


Use of a Taxonomy of Security Faults

Taimur Aslam, Ivan Krsul, Eugene H. Spafford, Purdue University


Protecting Collaboration

Gio Wiederhold, Michel Bilello, Stanford University
Vatsala Sarathy, Oracle Corp.
XiaoLei Qian, SRI International


Design and Management of a Secure Networked Administration System: A Practical Solution

Vijay Varadharajan, University of Western Sydney, Australia


Information Warfare, INFOSEC and Dynamic Information Defense

J.R. Winkler, C. J. O'Shea, M.C. Stokrp, PRC Inc.


Security for Mobile Agents Issues and Requirements

William M. Farmer, Joshua D. Guttman, Vipin Swarup, The MITRE Corporation


Extended Capability: A Simple Way to Enforce Complex Security Policies in Distributed Systems

I-Lung Kao, IBM Corporation
Randy Chow, University of Florida


IGOR: The Intelligence Guard for ONI Replication

R.W. Shore, The ISX Corporation

Invited Papers

Management & Administration


Ethical and Responsible Behavior for Children to Senior Citizens in the Information Age

Gale S. Warshawsky, International Community Interconnected Computing eXchange

Legal Perspectives


Privacy Rights in a Digital Age

William Galkin, Esq., Law Office of William S. Galkin


Criteria & Assurance


Trust Technology Assessment

Program Chair: Tom Anderson, National Security Agency


Pat Toth, National Institute of Standards and Technology


Alternative Assurance: There's Gotta Be a Better Way!

Chair: Douglas J. Landoll, Arca Systems, Inc.


John J. Adams, National Security Agency
TBD, WITAT System Analysis & Operational Assurance Subgroup Chair
M. Abrams, The MITRE Organization, WITAT Impact Mitigation Subgroup Chair
TBD, WITAT Determining Assurance Mix Subgroup Chair


Certification and Accreditation - Processes and Lessons Learned

Chair: Jack Eller, DISA, CISS (ISBEC)


The Certification and Accreditation Process Handbook For Certifiers

Paul Wisniewski, National Security Agency

Standards in Certification and Accreditation

Candice Stark, Computer Science Corporation

The Certification of the Interim Key Escrow System

Ray Snouffer, National Institute of Standards and Technology

Lessons Learned From Application of the Department of Defense Information Technology Security Certification and Accreditation

Barry C. Stauffer, CORBETT Technologies, Inc.


Firewall Testing and Rating

Chair: J. Wack, National Institute of Standards and Technology


The Trusted Product Evaluation Program: Direction for the Future

Chair: J. Pedersen, National Security Agency


Common Criteria Project Implementation Status

Chair: E. Troy, National Institute of Standards and Technology


Lynne Ambuel, National Security Agency
Murray Donaldson, Communications-Electronics Security Group, UK
Robert Harland, Communications Security Establishment, Canada
Klaus Keus, BSI/GISA, Germany
Frank Mulder, Netherlands National Communications Security Agency
Jonathan Smith, Gamma Secure Systems, UK


Developmental Assurance and the Common Criteria

Chair: M. Schanken, National Security Agency


S. Katzke, National Institute of Standards and Technology
E. Troy, National Institute of Standards and Technology
K. Keus, BSI/GISA, Germany
Y. Klein, SCSSJ, France


Secure Networking and Assurance Technologies

Chair: T. Lunt, Defense Advanced Research Projects Agency (DARPA)


K. Levitt, University of California, Davis
S. Kent, BBN


Secure Mobile Networks

J. McHugh, Portland State University

Adaptable Dependable Wrappers

D. Weber, Key Software Generic Software

Wrappers for Security and Reliability

L. Badger, Trusted Information Systems, Inc.

Defining an Adaptive Software Security Metric From A Dynamic Software Fault-Tolerance Measure

J. Voas, Reliable Software Technologies

Electronic Commerce


Using Security to Meet Business Needs: An Integrated View From The United Kingdom

Chair: Alex McIntosh, PC Security, Ltd


Dr. David Brewer, Gamma Secure Systems, Ltd
Nigel Hickson, Department of Trade & Industry
Denis Anderton, Barclays Bank PLC
Dr. James Hodsdon, CESG
Michael Stubbings, Government Communications Headquarters, UK


Security APIs: CAPIs and Beyond

Chair: Amy Reiss, National Security Agency


John Centafont, National Security Agency
TBD, Microsoft
Lawrence Dobranski, Canadian Communications Security Establishment, Canada
David Balenson, Trusted Information Systems, Inc.


Are Cryptosystems Really Unbreakable?

Chair: Dorothy E. Denning, Georgetown University


Steven M. Bellovin, AT&T Research
Paul Kocher, Independent Cryptography Consultant
Eric Thompson, AccessData Corporation


The Mathematical Primitives: Are They Really Secure?

Arjen K. Lenstra, Citibank

In Depth


Best of the New Security Paradigms

Workshop Chair: J. T. Haigh, Secure Computing Corporation


New Paradigms for Internetwork Security

J. T. Haigh, Secure Computing Corporation

The Emperor's Old Armor

R. Blakely, International Business Machines

Position Statement for New Paradigms Internetwork Security Panel

S. Greenwald, Naval Research Laboratory

Reactive Security and Social Control

S. Janson, Swedish Institute of Computer Science, Sweden

NISS Whitepaper: A New Model of Security for Distributed Systems

W. Wulf, University of Virginia


Series: Public Key Infrastructure: From Theory to Implementation

Public Key Infrastructure Technology

Chair: D. Dodson, National Institute of Standards and Technology


R. Housley, Spyrus
C. Martin, Government Accounting Office
W. Polk, National Institute of Standards and Technology
S. Chokhani, CygnaCom Solutions, Inc.
V. Hampel, Hampel Consulting

Public Key Infrastructure Implementations

Chair: W. Polk, National Institute of Standards and Technology


P. Edfors, Government Information Technology Services (GITS) Working Group
D. Heckman, National Security Agency
D. Dodson, National Institute of Standards and Technology
J. Galvin, CommerceNet
W. Redden, Communications Security Establishment


Establishing an Enterprise Virus Response Program

Christine Trently, Mitretek Systems


Data Warehousing I

Chair: John Campbell, National Security Agency


Jesse C. Worthington, Informix Software, Inc.


Data Warehousing, Data Mining, and Security: Developments and Challenges

Dr. Bhavani Thuraisingham, The MITRE Corporation

Data Warehousing, Data Mining, and the Security Issues

Dr. John Campbell, National Security Agency


Data Warehousing II: The Technology

Chair: John Davis, NCSC


Dr. Bhavani Thuraisingham, The MITRE Corporation
Dr. John Campbell, National Security Agency



Introduction to Infowarfare Terminology

Francis Bondoc, Klein & Stump


Information Warfare: Real Threats, Definition Changes, and Science Fiction

Chair: Wayne Madsen, Computer Sciences Corporation


Martin Hill, Office of the Assistant Secretary of Defense C3I/Information Warfare
Frederick G. Tompkins, Matthew Devost, Science Applications International Corporation
Scott Shane, The Baltimore Sun
John Stanton, Journal of Technology Transfer


Security in World Wide Web Browsers: More than Visa cards?

Chair: R. Dobry, National Security Agency


C. Kolcun, Microsoft
B. Atkins, National Security Agency
K. Rowe, NCSA



Chair: J. David, The Fortress


S. Bellovin, AT&T
W. Cheswick, AT&T
P. Peterson, Martin Marietta
M. Ranum, V-One


The Web Series

I. The Web - What is it, Why/How is it Vulnerable
II. Securing the Web

Chair: J. David, The Fortress


J. Freivald, Charter Systems, Inc.
P. Peterson, Martin Marietta
D. Dean, Princeton University

Legal Perspectives


Electronic Data: Privacy, Security, Confidentiality Issues

Chair: Kristin R. Blair, Esq., Duvall, Harrington, Hale and Hassan


Virginia Computer Crime Law

The Honorable Leslie M. Alden, Judge, Fairfax County Circuit Court

Electronic Data: Privacy, Security and Confidentiality

Ronald J. Palenski, Esq., Gordon and Glickson, P. C.
Steve A. Mandell, Esq., The Mandell Law Firm

Monitoring Your Employees: How Much Can You Do And What Should You Do When You Uncover Wrongdoing?

Steven W. Ray, Esq., Kruchko & Fries


Computer Crime on the Internet - Sources and Methods

Chair: Christine Axsmith, Esq., The Orkand Corporation


Special Agent Mark Pollitt, Federal Bureau of Investigation
Phil Reitinger, Esq., Department of Justice
Barbara Fraser, CERT, Carnegie Mellon University


Legal Liability for Information System Security Compliance Failures: New Recipes for Electronic Sachertorte Algorithms

Chair: Fred Chris Smith, Esq., Private Practice, Santa Fe, New Mexico


John Montjoy Sr., BBN Corporation
Edward Tenner, Princeton University
David J. Loundy, Esq., Private Practice, Highland Park, Illinois


V-Chip: Policies and Technology

Chair: Hilary Hosmer, Data Security, Inc.


D. Moulton, Esq., Chief of Staff, Office of Congressman Markey, HR
Dr. D. Brody, MD, American Academy of Child and Adolescent Psychiatry
Ms. S. Goering, Esq., American Civil Liberties Union
W. Diffie, Sun Microsystems


Protecting Medical Records and Health Information

Chair: Joan D. Winston, Trusted Information Systems, Inc.


Gail Belles, VA Medical Information Security Service
Bill Braithwaite, US Department of Health and Human Services
Paula S. Bruening, Information Policy Consultant
Patricia Taylor, US General Accounting Office


Crimes in Cyberspace: Case Studies

Chair: William S. Galkin, Esq., Law Office of William S. Galkin


Arnold M. Weiner, Esq., Weiner, Astrachan, Gunst, Hillman & Allen
Kenneth C. Bass, III, Venable, Baetjer, Howard & Civiletti

Management & Administration


Current Challenges in Computer Security Program Management

Chair: Mark Wilson, National Institute of Standards and Technology


Lynn McNulty, McNulty and Associates
Paul M. Connelly, White House Communications Agency
Ann F. Miller, Fleet and Industrial Supply Center
Barbara Guttman, National Institute of Standards and Technology


Achieving Vulnerability Data Sharing

Chair: Lisa J. Carnahan, National Institute of Standards and Technology


Matt Bishop, University of California, Davis
James Ellis, CERT/Coordination Center, Carnegie Mellon University
Ivan Krsul, COAST Laboratory, Purdue University


Incident Handling Policy, Procedures, and Tools

Chair: Marianne Swanson, National Institute of Standards and Technology


Kelly Cooper, BBN Planet
Thomas Longstaff, Computer Emergency Response Team/Coordination Center
Peter Richards, Westinghouse Savannah River Company
Ken van Wyk, Science Applications International Corporation


Interdisciplinary Perspectives on Information Security Mandatory Reporting

Chair: M. E. Kabay, Ph.D., National Computer Security Association


Bruce Butterworth, Federal Aviation Administration
Barbara Smith Jacobs, Securities and Exchange Commission
Bob Whitmore, Occupational Health and Safety Administration
Dr. Scott Wetterhall, Centers for Disease Control and Prevention


International Perspectives on Cryptography Policy

Chair: Dorothy E. Denning, Georgetown University


Peter Ford, Attorney General's Department, Australia
David Herson, Commission of the European Communities, Belgium


International Perspectives on Cryptography Policy: A UK Perspective

Nigel Hickson, Department of Trade and Industry, UK


Security Protocols/Protocol Security

Chair: D. Maughan, National Security Agency


Surviving the Year 2000 Time Bomb

Grace L. Hammonds, AGCS, Inc.


James W. White, National Director of the Millennium Solutions Center, OAO Corporation
Andrew Hodyke, United States Air Force, ESC/AXS

Research & Development


Database Systems Today: Safe Information at My Fingertips?

Chair: John R. Campbell, National Security Agency


Tim Ehrsam, Oracle
Dick O'Brien, Secure Computing Corporation
Thomas Parenty, Sybase Corporation
LTC Ken Pointdexter, DISA
Satpal S. Sahni, 3 S Group Incorporated


Webware: Nightmare or Dream Come True?

Chair: Peter G. Neumann, SRI International


Java - Threat or Menace?

Steve Bellovin, AT&T Research

Language-based Protection: Why? Why Now?

Ed Felten, Drew Dean, Dan S. Wallach, Princeton University

Untrusted Applications Need Trusted Operating Systems

Paul Karger, International Business Machines

Webware: Widely Distributed Computation Coming of Age

James A. Roskind, Netscape Communications Corporation


Secure Systems and Access Control

Chair: T. Lunt, Defense Advanced Research Projects Agency


Domain and Type Enforcement Firewalls

D. Sterne, Trusted Information Systems, Inc.

Task-based Authorization: A Research Project in Next-Generation Active Security Models

R. Thomas, ORA

User-centered Security and Adage

M. Zurko, OSF

Encapsulated Environments Using the Flux Operating System

J. Lepreau, University of Utah


Facing the Challenge: Secure Network Technology for the 21st Century

Chair: R. Schaeffer, National Security Agency


R. Meushaw, National Security Agency
C. McBride, National Security Agency
U. Muzzy, National Security Agency
B. Burnham, National Security Agency


Toward a Common Framework for Role-Based Access Control

Chair: David Ferraiolo, National Institute of Standards and Technology


Dr. Ravi Sandhu, George Mason University
Dr. Virgil Gligor, University of Maryland
Rick Kuhn, National Institute of Standards and Technology
Thomas Parenty, Sybase



MISSI Security Management Infrastructure: The Certificate Management Infrastructure: Now and In the Next Year

Chair: A. Arsenault, National Security Agency


D. Heckman, National Security Agency
S. Capps, National Security Agency
S. Hunt, National Security Agency

Future Of Trust in Commercial Operating Systems

Chair: T. Inskeep, National Security Agency


K. Moss, Microsoft
J. Alexander, Sun Microsystems
J. Spencer, Data General
M. Branstad, Trusted Information Systems, Inc.
G. Liddle, Hewlett Packard


Vendors Experience with Security Evaluations

Chair: Jeff DeMello, Oracle Corporation


Janice Caywood, Digital Equipment Corporation


Duncan Harris, Oracle Corporation
Ken Moss, Microsoft Corporation
Ian Prickett, Sun Microsystems


Workshop Report on the Role of Optical Systems and Devices for Security

Chair: Terry Mayfield, Institute for Defense Analyses
Mark Krawczewicz, National Security Agency


Security Issues For All-Optical Networks

Muriel Medard, MIT Lincoln Laboratory

Security for All-Optical Networks

Jeff Ingles, Scott McNown, National Security Agency

Optical Processing Systems for Encryption, Security Verification, and Anticounterfeiting

Bahram Javidi, University of Connecticut

Closing Plenary Session


Information Systems Security: Directions and Challenges

Chair: Dr. Willis H. Ware, Corporate Research Staff, Emeritus, The Rand Corporation


J. F. Mergan, BBN
Stephen Smaha, Haystack Labs
Charles Stuckey, Security Dynamics


Information Security Challenges in the Financial Services Industry

C. Thomas Cook, Banc One Services Corporation

Information Systems Auditing Requirements

John W. Lainhart IV, Inspector General, U.S. House of Representatives


Willis Ware, The Rand Corporation


The Next Generation of Cybercriminals

Chair: Mark Gembicki, WarRoom Research, LLC


Jim Christy, Air Force Office of Special Investigation
Bill Perez, Federal Bureau of Investigation
Doug Waller, Time Magazine

[End TOC]