May 07, 2003

Notes from the Old World

Having been to RSA Security it was time to spread the word in the Old World. Hence time to board a Czech Airlines flight to Prague and then off to Brno for SPI2003, a NATO-sponsored conference.

I was invited to speak on IDS and IPv6 and it is difficult to describe what a welcome change it was from RSA Security 2003. Brno is the capital of Moravia and site of their world-famous bike racing track but also the home to particularly hospitable and friendly people. The conference was very well organised including a first for me: simultaneous translation into Czech!

The conference was divided into three days, one each on Network Security, PKI and Cryptography with fascinating papers delivered on each day. Sadly a couple of apparently interesting papers from China were not given as their authors were stuck home due to SARS.

Unfortunately I missed the first invited paper by Eric Vyncke on Introduction and Security Perspective of Peer To Peer Protocols but I managed to speak to the author nonetheless. Despite the clear lack of security in current P2P networks they have an amazing potential to deliver resilient network services as data is transparently duplicated all over the place. Although one could argue that this is an inefficient backup strategy there is undoubtedly space for a discussion of the role of P2P in "serious" networks (please allow me to disregard MP3 sharing as a "serious" application in the context of this conference).

The second day was much more dense and both the invited papers are worthy of mention. The first on protection of NATO information was interesting both from the point of view of a citizen wanting to know what exactly was done to protect sensitive data and from the point of view of the security practitioner wondering what was happening in the military world. Well, fortunately a lack of surprises but a lot of insight into how deploying PKI even in a military infrastructure is far from trivial.

The second paper on e-Government was amazing from the point of view of a layman in the subject (i.e. myself): the Austrian government is seriously deploying PKI in an attempt to simplify life. How would it be simplified? Well, the logic was that if fewer government employees have to spend time answering the same questions at booths perhaps they could do something more productive with their time. Similarly the average citizen wouldn't spend hours in a queue to ask a simple question. Now, the catch comes in the deployment of PKI at a nationwide level: it simply isn't trivial! Read all about it in his paper.

Finally the third and last day. A bright and early start with Mike Bond telling us how to break the cryptographic APIs used by banks. A somewhat mathematical talk but full of interesting information, for example on how PINs are generated: did you know that they start off in hex but then since they can't type A-F on a keyboard at the ATM they remap A-F into 0-9 in some way? I didn't and of course this "decimalisation" process, as it is known in the industry, is rife with attacks. The other papers which were definitely worth listening to were those by Vlastimil Klíma on Side Channel Attacks on CBC Encrypted Messages in The PKCS#7 Format and the one by Bohuslav Rudolf on Ways of Doubling Block Size of Feistel Ciphers Used in Some Candidates for the AES where I learned more about the AES ciphers than I had ever before.

The proceedings should shortly be available on the web at the conference website.

Posted by arrigo at May 7, 2003 02:03 PM