Abstract: Attaching digital signatures to state update messages in global distributed shared object (DSO) systems is not trivial. If the DSO consists of a number of autonomous local representative that use open, public networks for maintaining the state consistency, allowing a local representative to sign state update messages is not appropriate. More sophisticated schemes are required to prevent unauthorized state updates by malicious local representative or external parties. This paper examines the problem in detail, compares a number of possible solutions, and identifies the most suitable one and demonstrates how the state update messages can be signed using the identified solution.

Abstract: During the last fifty years Information and Communication Technology (ICT) has contributed to almost all sectors of organized societies. As a result, information security is fundamental for several social and business processes that rely on ICT. One dimension of information security concerns availability of information and computational resources. It is essential for a system’s correct operation and its acceptance from end-users to respond with proper reaction times to authorized requests. But whereas other security parameters have been studied and analysed very well, availability has not. Throughout this paper this fundamental parameter of ICT security is under study through a qualitative perspective. We aim at providing the basis for a consequent formalistic foundation of information availability. Approaches like these may be useful for the conceptual description of the problem domain, whilst this conceptualisation may also help in the realization of the guidelines, which are essential for the development of secure information systems.

Abstract: Effective management in any organisation requires a holistic approach in focusing on information security. Senior managers have to know how well their organisations are performing as measured against internationally accepted best practices. Part of the information security management problem is that it is viewed either from a technological perspective focussing on product evaluation only, or from a procedural and management perspective focussing on evaluation of the management processes. This paper aims to provide a consolidated perspective that takes both these aspects into consideration when measuring and evaluating the information security level of an organisation.

Abstract: This paper describes a project involving the planning and management of information security at a large private hospital. A high level model derived using the Soft Systems Methodology [5] named the Orion Strategy, was implemented and further developed during its application using Action Research. This method features a high level of user participation, including education seminars and workshops with senior and middle managers of the hospital. The project resulted in a noticeable improvement in information security measures at the hospital, a raised awareness of security issues and an acceptance of ownership by staff of the resultant security plan

Abstract: Information security research has a bias towards formal and small-scale policies. This research tradition, albeit important, has neglected the non-formal and non-computer oriented security policies. Yet the current classifications concerning security policies do not fully address the issues in security policies within information systems. Firstly, a new classification of (two categories) security policies will be depicted. Secondly, and the main contribution ofthis paper, five approaches to construction of end-user guidelines will be put forth, including the strengths and weaknesses of these approaches.

Abstract: Cryptographic file systems ensure information confidentiality even in the presence of attacks which successfully circumvented the access controls of the underlying operating system. The paper presents our new system called GSFS which overcomes several severe deficiencies found in popular cryptographic file systems. In contrast to these systems GSFS offers a transparent group-based access control which supports a comfortable sharing of file between user groups. A prototype is available running integrated into the Linux operating system.

Abstract: On the Internet many electronic commerce applications can be used today, but most of them provide only weak security or even none whatsoever. A major cause of this problem is the variety of technologies used to create such applications. Most existing security architectures are not designed to work in different environments.

Abstract: To protect the information systems of an organisation an appropriate set of security controls needs to be installed and managed properly. Through a risk analysis exercise, the most effective set of controls is recommended. This analysis or identification process can be subjective and many assumptions are made about the environment. A possible solution may be the definition of suitable protection profiles that will include the best suitable security controls for specific information technology environments. This paper will provide some guidelines in the formation of a fully defined security control. Sets of these controls can be used in the determination of an information security profile that will encompass all aspects of security such that no assumptions need to be made, thereby leading towards a totally secure organization.

Abstract: We propose a model for fair electronic cash issued by multiple banks for the first time. A scheme of electronic cash with multiple banks in which a user can be traced is presented by using the improved group signature scheme of Cam97[4] and the group blind signature scheme of Lys98[14]. A weakness in the design of withdrawal and payment protocols using the existing group signature schemes is pointed out with its reasons analyzed.

Abstract: Privacy of information is becoming more and more important as we start trusting unknown computers, servers and organisations with more and more of our personal information. Thus far, no reliable and practical method to enforce privacy has been discovered. Often a set of private information has to be supplied simply to enable the recipient to verify that one member of the set is correct given the other methods. An income tax return is an example where such information has to be supplied simply to verify taxable income. The object of this paper is to consider mechanisms to safeguard our private information in cases where this information is required not for the contents, but as input to verify calculations. We shall present an encryption method to protect private information where the private information consists of a set of numeric values S on which some function G has to be applied and the result α = G(S) has to be supplied to a target organisation. The result α must be verifiable by the target organisation, without disclosing S. We apply this method to the specific case of protecting the privacy of electronic income tax returns, and discuss other possible applications.

Abstract: Electronic payment systems have been intensively studied in recent years. Generally speaking, e-payment systems can be classified into two categories, i.e., the systems with on-line verification and the systems with off-line verification. The former establishes security under the principle of preventionbefore-the-fact while the latter’s security is based on the principle of detectionafter-the-fact. On-line systems are less risky, thus more likely to be adopted by the business community. A critical issue for on-line systems is how to make a transaction fair to each transacting party such that neither party can gain advantages over the other party in a transaction. This can be addressed with a fundamental technique of fair on-line verification. In this paper, we propose a solution to fair on-line verification for electronic payment systems, in which the customer gives verifiable encryption (by a TTP’s public key) of the digital money to the shop for on-line verification, instead of giving shop the money itself. The paper not only shows the principle of applying verifiable encryption to e-payment systems, but also focuses on building up a concrete payment system.

Abstract: Secure Distributed Computing addresses the problem of performing a computation with a number of mutually distrustful participants, in such a way that each of the participants has only limited access to the in­ formation needed for doing the computation. Over the past decade, a number of solutions for this problem have been developed. The various proposed solutions differ in the cryptographic primitives that are used, and in the class of computations that can be performed. However, all sufficiently general solutions have one thing in common: the communic­ ation overhead between the involved parties seems to be prohibitive. In this paper, we consider a concrete instance (with considerable practical interest) of the general problem of secure distributed comput­ ing, and we investigate how bad the communication overhead really is. This involves tailoring the different general solutions to the specific problem at hand, optimizing them for minimal communication over­ head, and evaluating the resulting communication overhead.

Abstract: Increasingly complex networks and distributed services entail new challenges concerning interoperability and integration of security mechanisms. The currently available solutions, e.g. directory services or distributed authentication systems have disadvantages that can be overcome by a new approach based on mapping identities. Identity mapping allows assigning the identity of one human to different users in various systems. The security features of every system can be fully used and no common denominator limits the power of a single system. This papet describes the different types of mappings that are necessary to implement such a system. Mappings cannot occur only on a user-user basis but also roles and groups have to be considered to correctly represent modern security issues.

Abstract: Mobile software agents are becoming a major trend of distributed systems in the next decade. Electronic commerce and information retrieval are two prospective applications of mobile agents. Nevertheless, security is a crucial concern for such systems. Attacks to agents by malicious hosts are the most challenging part of the problem unsolved. In this paper, a Shopping Information Agent System (SIAS) is built based on mobile agent technology. Possible security attacks by malicious hosts to agents in the system are discussed, and solutions to prevent these attacks are presented. Security of the solutions is analysed, and the performance overhead introduced is evaluated.

Abstract: This paper suggests a framework that can be used to identify the security requirements for a specific electronic commerce environment. The first step is to list all the security requirements for an electronic commerce environment in general. Next, all participants need to be identified. This is followed by the breaking down of the transactions into different autonomous actions. These actions are then mapped onto the participants involved, which serve as a model for the electronic commerce environment. This information is then used to identify the security requirements for a secure electronic commerce environment. The security requirements, in turn, are then used to develop the security architecture, consisting of appropriate security procedures and mechanisms and policy.

Abstract: Although computer fraud continues to be a thorn in the side of many organizations, fresh perspectives to addressing this type of crime are rare. This paper advances a preventive approach which reduces those criminal opportunities that permit computer fraud to take place. The construction of crime specific opportunity structures, which enable the relevant parties to conceptualize the fraud environment, is advocated. This aids and promotes an inter-departmental preventive effort, so vital to combating and containing fraud.

Abstract: The impetus for the work presented in this paper arose from the need to provide copyright protection for digital audio, including CD-quality music and DVD, under heavy compression rates, conventional audio processing manipulations, and transmission through noisy media. Our approach is established on modelling audio watermark as information transmitted through a probabilistic communication channel represented by digital music. Watermark information is embedded within significant portions of the audio streams making it tightly coupled with audio content and able to sustain even the most severe attacks intended to remove the hidden data. This paper presents how highly transparent, robust and secure watermark information can be embedded into digital audio streams using the model for acquiring significant audio components in conjunction with conventional spread spectrum data hiding techniques.

Abstract: This paper describes a new receipt-free electronic voting system for an open network. In our system, the voters vote with anonymous voting passes, which is motivated by the E-Cash protocol [l]. We have modified the E-Cash protocol such that the pass is non-transferable. A modified commitment scheme is also employed so that the administrator cannot change the vote even if it knows the content of the ballot. Our system is designed for realising the digitalization of large-scale elections conducted by the government. Various aspects involved in an election are considered during protocol design so that the potential cheats of either the voters or the administrators are prevented.

Abstract: The remarkable growth of the World Wide Web in recent years has made it possible to distribute information to users in the form of an unorganized and unstructured collection of documents. While security is an important aspect in such a scenario, access control systems available today result too rigid and limited. We present an approach to specify and enforce access restrictions to Web documents. The approach provides flexible, as it allows to enforce a variety of security policies and requirements at a fine-grained level without affecting the data organization.

Abstract: The aim of the paper to explore what Information Warfare is and the impact that it could have upon a country. The paper will then discuss the impact that information warfare could have upon Australia. This assessment will take the form of evaluating two national studies undertaken within Australia into Information Warfare and look at the risks that could effect E-commerce. The paper will also describe the steps that some countries are taking to protect themselves against the threat of Information Warfare.

Abstract: IT security certification and IT security evaluation criteria have changed their character compared with the first efforts ca. 20 years ago. They have also gained more interest within civilian and commercial application areas. There­ fore this paper compares them with earlier criticism and with the new chal­ lenges in IT security. After an introduction into the concept of security certifi­ cation the established IT security certification schemes and the related criteria are presented. Then their weaknesses and problems are described, in particular with regard to nowadays security requirements. Improvements of the criteria and the certification systems are presented, and suggestions for using current certification and evl;lluation schemes despite their shortcomings are made.

Abstract: Public key cryptography is widely recognised as the technology to develop effective authentication, integrity, confidentiality and non-repudiation services. The provision of public key-based security services for complex and large scale organisations requires a Public Key Infrastructure (PKI) in charge of securely managing cryptographic keys/certificates. An essential PKI service is the certificate status validation (CSV) system that supports the publishing and the consistent usage of certificate status information for wide range of applications. Several CSV solutions, such as Certificate Revocation Lists or the On-line Certificate Status Protocol, are available, but none can meet the requirements for all applications, in particular of timeliness and performance. The lack of a comprehensive CSV solution calls for the development of a flexible framework that can integrate all available validation mechanisms and permit the selection of alternative validation strategies, depending on application requirements. The paper describes this framework that provides PKI users with a flexible, dynamic and transparent CSV support. In addition, the paper claims that the framework flexibility, dynamicity and transparency can greatly benefit from the adoption of the Mobile Agent (MA) technology because it exhibits the same intrinsic features, by presenting an MA-based prototype for CSV.

Abstract: A postgraduate (MSc-type) programme in Information and Communication Systems Security is described in detail in this paper. The programme description (syllabus) herein is full in the academic sense, i.e. it includes the programme overall structure, as well as credits per course, academic prerequisites, degree prerequisites, course timings, etc.

Abstract: Jacobian varieties of hyperelliptic curves have been recently used in cryptosystems. However, lacking of efficient point-counting algorithms for such varieties over finite fields makes the design of secure cryptosystems very difficult. This paper presents efficient algorithms to calculate the CM type and ideal factorization of Frobenius endomorphisms of Jacobian varieties over finite fields F p in polynomial time of log p. Then we show how to construct secure hyperelliptic curves of small genera over large prime fields F p in polynomial time of log p.

Abstract: Designing and implementing security protocols is a difficult task. A graphical specification environment helps one to cope with this complexity by enabling the visualization of hierarchical message structures and providing suitable abstraction and encapsulation so that designers can retain a high-level perspective while also being free to hone in on the details of the design. The graphical interface framework described in this paper isolates the critical issues in a protocol design and presents the user with an appropriate level of detail. This is accomplished through the use of a high-level view of the message flow and a more detailed component view that shows the structure of each protocol message. Each view can be easily manipulated by using standard graphical interface mechanisms such as drag-and-drop and context specific pop-up menus. An added advantage of this interface is that it is possible to connect to analysis or code generation routines via a GGSE-API.

Abstract: This paper suggests a model, based on the continuous measuring and monitoring of information security parameters, by which information security management can be made more dynamic and relevant.

Abstract: In this paper, an integrated multi-agent approach to construction of Network Security System (NSS) is considered. The NSS consists of a multitude of specialized intelligent agents that are distributed over the computer network. The architecture of the NSS is outlined. Emphasis is given to a description of the operation and learning mechanisms implemented in the security agents.

Abstract: The roles are changing dramatically for patent and copyright protection as legal mechanisms for protecting software and communication technologies. While copyright protection has traditionally been the primary protection method for software, recent case law in the United States and elsewhere has reduced the scope of protection provided by the copyright laws. At the same time, courts, including the U.S. Supreme Court and the U.S. Court of Appeals for the Federal Circuit, have increasingly allowed broader patent protection for these technologies. Given that patents protect the useful, functional features of an invention, as opposed to copyrights protecting only the way a work is tangibly and non-functionally expressed, patents are increasingly becoming the legal protection tool of choice for software and communication technology developers. The explosive growth of E-Commence further strengthens the trend to use software patents as business assets and to provide a company with significant leverage and defensive rights.