SECURITY IN THE INFORMATION SOCIETY

Transcription

1 SECURITY IN THE INFORMATION SOCIETY

2 IFIP - The International Federation for Information Processing IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP's aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states, IFIP's mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people. IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP's events range from an international congress to local seminars, but the most important are: The IFIP World Computer Congress, held every second year; open conferences; working conferences. The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high. As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed. The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is less rigorous and papers are subjected to extensive group discussion. Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers. Any national society whose primary activity is in information may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly, National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.

3 SECURITY IN THE INFORMATION SOCIETY Visions and Perspectives IFlP TCll l7 h International Conference on Information Security (SEC2002) May 7-9,2002, Cairo, Egypt Edited by M. Adeeb Ghonaimy Ain Shams University Egypt Mahmoud T. EI-Hadidi Cairo University Egypt Heba K. Asian Electronic Research Institute Egypt KLUWERACADEMIC PUBLISHERS BOSTON / DORDRECHT / LONDON

4

5 The original version of the book frontmatter was revised: The copyright line was incorrect. The Erratum to the book frontmatter is available at DOI: / _46

6 Contents Preface... xi IFIP/SEC2002 Conference Committees... xiii Part One Information Security Management 1. The Effective Implementation of Information Security in Organizations O.A. HOPPE, J. VAN NIEKERK, and R. VON SOLMS A Practical Approach to Information Security Awareness in the Organization C. VROOM, and R. VON SOLMS RBAC Policies in XML for X.509 Based Privilege Management D. W CHADWICK, and A. OTENKO A Top-Down Approach Towards Translating Organizational Security Policy Directives to System Audit Configuration A. AHMAD, and T. RUIGHAVER Elaborating Quantitative Approaches for IT Security Evaluation D. GRITZALIS, M. KARYDA,.and L.GYMNOPOULOS Part Two Standards of Information Security 6. A Security Evaluation Criteria for Baseline Security Standards WJ. BROOKS, M. WARREN, and W HUTCHINSON Maturity Criteria for Developing Secure IS and SW: Limits, and Prospects M.T. SIPONEN For a Secure Mobile IP and Mobile 1Pv6 Deployment M. LA URENT-MAKNAVICIUS Part Three Threats and Attacks to Information 9. Addressing Internet Security Vulnerabilities: A Benchmarking Study A. ALAYED, S.M. PURNELL and l.m. BARLOW The Threat From Within- An Analysis of Attacks on an Internal Network J. HAGGERTY, Q. SHL and M. MERABTI

7 viii VI Contents 11. Security Vulnerabilities in Event-Driven Systems S. XENITELLIS Denial of Service: Another Example 1.1. fan A Detection Scheme for the SK Virus D. SALAH, HK. ASLAN, and M. T. EL-HADIDl Part Four Education and Curriculum for Information Security 14. An Information Security Curriculum in Finland T. VIRTANEN, and R. ADDAMS-MORING Part Five Social and Ethical Aspects of Information Security 15. Information Security Culture: The Socio-Cultural Dimension in Information Security Management T. SCHLIENGER, and S. TEUFEL Information Security Culture A. MARTINS, and 1. ELOFF Part Six Information Security Services 17. Keystroke Analysis as a Method of Advanced User Authentication and Response P.S. DOWLAND, S.M. FURNELL, andm. PAPADAKI Zero Knowledge Broadcasting Identification Scheme M.S. EL-SOUDANL H.S. EL-REFAEY, and HM. MOURAD A New End-to-End Authentication Protocol for Mobile Users to Access Internet Services LI-SHA HE, N. ZHANG, LI-RONG HE Mandatory Security Policies for CORBA Security Model C.M. WESTPHALL, 1. DA S. FRAGA, C.B. WESTPHALL, and S. C.S. BIANCHI Policap-Proposal, Development and Evaluation of a Policy Service and Capabilities for CORBA Security C.M. WESTPHALL, 1. DA S. FRAGA, M.S. WANGHAM, R.R. OBELHEIRO, and L. C. LUNG Secure Database Connectivity on the WWW M. COETZEE, and 1. ELOFF Towards Semantic Integrity in Rational Database R.A. BOTHA Formal Design of Packet Filtering Systems G. OSMAN, M. G. DARWISH, and M ZAKI Elliptic Curve Cryptosystems on Smart Cards E. MOHAMMED, A. EMARAH, and KH. EL-SHENNA WY

8 Security in the Information Society: Visions and Perspectives ix Vll Part Seven Multilateral Security 26. Establishing Bilateral Anonymous Communication in Open Networks T DEMUTH Part Eight Applications of Information Security 27. BRITS-A Holistic Framework for Hedging Shareholder Value in IT Dependent Business C. MAGNUSSON, and L. YNGSTROM Information Systems Security and the Information Systems Development Project: Towards a Framework for Their Integration T TRYFONAS, and E. KIOUNTOUZIS An Efficient Hybrid Sealed Bid Auction Protocol R. ABDEL-MONEIM, S EL-KASSAS, and H. HOSNY Self-Determination in Mobile Internet: PiMI Prototype Results S FISCHER-HUBNER, M. NILSSON, and H. LINDSKOG Secure Component Distribution Using Web Com S.N. FOLEY, TB. QUILLINAN, and J.P. MORRISON E-Ticket Issuing System with 3-D Pattern Recognition for Mobile Terminals R. UDA, M ITO, K. AWAYA, H. SHIGENO, and Y. MATSUSHITA An Insight Into User Privacy and Accountable Anonymity for Mobile E-Commerce Transactions D. CRITCHLOW, and N. ZHANG Part Nine Infrastructure for Information Security 34. Secure Selective Exclusion in Ad Hoc Wireless Network R.o. DI PIETRO, L. V. MANCINI, and S JAJODIA Part Ten Advanced Topics in Security 35. Optical Network Models for Quantum Cryptography ST FARAJ, F. AL-NAIMA, and S.Y. AMEEN Part Eleven Legislation for Information Security 36. A Unified Regulatory Framework on a European Information Society: Suggested Building Levels P.S. ANASTASIADES Revisiting Legal and Regulatory Requirements for Secure E-Voting L. MITROU, D. GRITZALIS, and S. KATSlKAS

9

10 Preface Human civilization is currently undergoing a transformation into what is called the "Information Society". This transformation is propelled by recent advances in technology and new achievements in software development and its applications. The thoughtful integration of technology and software applications changed the way we perform our daily activities. E-Business, E Government, E-Learning, E-Contracting, E-Voting are just few of the ever growing list of new terms that are shaping up the Information Society. Nonetheless, as "Information" gains more prominence in our society, the task of securing it against all forms of threats, becomes a vital and crucial undertaking. One goal of IFIP/SEC2002 Conference is to address the various security issues confronting our new Information Society. These include : Management, Standards, Threats and Attacks, Education and Curriculum, Social and Ethical Aspects, Services, Multilateral Security, Applications, Infrastructure, Advanced Topics, Legislation, Modeling and Analysis, and Tools. Another goal of IFIP/SEC2002 is to emphasize the organic bond that ties new and old civilizations. It was in Egypt that one of the greatest human civilizations had once prevailed 5000 years ago. A great wealth of information about this civilization was recorded in hieroglyphics on the walls of temples, tombs, and many other artifacts. It then took almost 1400 years before it was possible to decipher hieroglyphics on the hands of the French scholar Jean-Francois Champollion in 1824, and untap this wealth of information. We hope that IFIP/SEC2002 contributes to the betterment of mankind by harmonizing the various cultures, and exchanging new ideas, that help us usher into the Information Society with hope and optimism. A.GHONAIMY TPC Chairman M. EL-HADIDI Secretary General H.ASLAN Co-Editor

11 IFIP/SEC2002 Security in the Information Society Visions and Perspectives Cairo University o.t' Iil \ 4A.o is organised by IFIP IFIP Department of Electronics & Electrical Communications Technical Committee 11 Under the auspices of Dr. Moufid Shehab Minister of Higher Education and Scientific Research Egypt Honorary Conference Chair Dr. Nageeb Goher President of Cairo University Conference Chair Dr. Aly Abdel-Rahman Dean of Faculty of Engineering Cairo University

12 IFIP/SEC2002 Conference Committees Technical Program Committee Chairman: Adeeb GHONAIMY (Ain Shams University, Egypt) Vice-Chairman: Gamal DARWISH (Cairo University, Egypt) Vice Chairman: Jan ELOFF (Rand Afrikaans University, South Africa) Hossam AFIFI (Institut National des Telecommunications, France) Heba ASLAN (Electronics Research Institute, Egypt) William 1. CAELLI (Queensland University of Technology, Australia) Yves DESW ARTE (LAAS-CNRS, France) Taber EL-GAMAL (SECURIFY, USA) Yousri EL-GAMAL (Arab Academy for Science and Technology, Egypt) Mahmoud EL-HADIDI (Cairo University, Egypt) Sherif EL-KASSAS (American University in Cairo, Egypt) Magdi EL-SOUDANI (Cairo University, Egypt) Aly A. FAHMY (Cairo University, Egypt) Dimitris GRITZALIS (Athens U. of Economics and Business, Greece) Sushil JAJODIA (George Mason University, USA) Sokratis KATSIKAS (University of Aegean, Greece) Kinji MORI (Tokyo Institute of Technology, Japan) Reinhard POSCH (IAIK-Graz University of Technology, Austria) Sihan QING (China) Kai RANNENBERG (Microsoft Research Cambridge, United Kingdom) Tarek SAADA WI (City University of New York, USA) Pierangela SAMARATI (Universita' di Milano, Italy) Mostafa SHERIF (AT&T, USA) Rossouw von SOLMS (Port Elizabeth Technikon, South Africa) S. H. von SOLMS (Rand Afrikaans University, South Africa) Leon A.M. STROUS (De Nederlandsche Bank, The Netherlands) Ahmed TANTAWY (IBM, Egypt) Louise YNGSTROM (Stockholm University, Sweden) Amr YOUSSEF (Cairo University, Egypt)

13 Xli xiv Organizing Committee Chairman: Mahmoud EL-HADIDI (Cairo University, Egypt) Shadia AGGOUR (Cairo University, Egypt) - accommodations Heba ASLAN (Electronics Research Institute, Egypt) - publications Gamal DARWISH (Cairo University, Egypt) Yousri EL-GAMAL (Cairo University, Egypt) - tutorials SherifEL-KASSAS (Cairo University, Egypt) - sponsors Hisham EL-SHISHINY (IBM, Egypt) - plenary sessions Magdi EL-SOUDANI (Cairo University, Egypt) - treasurer AIy A. FAHMY (Cairo University, Egypt) - publicity Adeeb GHONAIMY (Ain Shams University, Egypt) Ahmed HAMDY (Cairo University, Egypt) - technical support Heba-AIlab MOURAD (Cairo University, Egypt) - social events Ahmed SHAMS (Cairo University, Egypt) - web publishing Referees Hussein ABDEL-W AHAB (Old Dominican University, USA) Heba ASLAN (Electronics Research Institute, Egypt) Bart De DECKER (K.U. Leuven, Belgium) Yves DESW ARTE (LAAS-CNRS, France) Taber EL-GAMAL (SECURlFY, USA) Yousri EL-GAMAL (Arab Academy for Science and Technology, Egypt) SherifEL-KASSAS (American University in Cairo, Egypt) Magdi EL-SOUDANI (Cairo University, Egypt) Adeeb GHONAIMY (AiD Shams University, Egypt) Dimitris GRITZALIS (Athens U. of Econornics and Business, Greece) Sokratis KATSlKAS (University of Aegean, Greece) Kwok-Yan LAM (PrivyLink Pte, Singapore) Juha E. MIETTINEN (Sonera Corporation, Finland) Kinji MORI (Tokyo Institute of Technology, Japan) Hartmut POHL (Fachhochschule Bonn-Rhein-Sieg, Gennany) Kai RANNENBERG (Microsoft Research Cambridge, United Kingdom) Tarek SAADAWI (City University of New York, USA) Pierangela SAMARA TI (Universita' di Milano, Italy) Mostafa SHERIF (AT&T, USA) Rossouw von SOLMS (Port Elizabeth Technikon, South Africa) Leon A.M. STROUS (De Nederlandsche Bank, The Netherlands) JozefVYSKOC (VaF, r.s.o., Slovak Republic) Louise YNGSTROM (Stockholm University, Sweden) Amr YOUSSEF (Cairo University, Egypt)