TUTORIAL PROGRAM
Monday, November 18, 1996
Stay on top of the latest technology. Register now for tutorials.
Technology is changing more rapidly than ever before. Whether you
are a programmer, developer, or system administrator, you are
expected to stay on top of the latest improvements and do your job.
Sign up for tutorials and you'll get an immediate payoff from gaining
command of the newest developments and putting them to work in your
organization.
USENIX tutorials aim to deliver the critical information you need.
Taught by hands-on experts, tutorials are practical, intensive, and
essential to your professional development.
Tutorial fees include:
- Admission to the tutorials you select
- Lunch
- Printed and bound tutorial materials from your sessions
Continuing Education Units (CEUs)
USENIX provides CEUs for a small administrative fee. Established
by the International Association for Continuing Education and
Training, the CEU is a nationally recognized standard unit of measure
for continuing education and training, and is used by thousands of
organizations across the United States.
Completion of one full day of the tutorial program qualifies for
0.6 CEUs. You can request CEU credit by checking the appropriate box
on the registration form. USENIX provides a certificate and maintains
transcripts for each attendee who chooses CEU credits. CEUs are not
the same as college credits. Consult your employer or school to
determine their applicability.
Monday, November 18, 9:00 am - 5:00 pm
M1am (half day: 9:00 am - 12:30 pm)
Getting Paid on the Internet
Clifford Neuman, University of Southern California
Who Should Attend: If you sell information, services, and other
products over the Internet, work for a financial institution, or are
a software developer, you will benefit by attending this course.
What You Will Learn:
- A better understanding about how to receive payment for
services and products sold over the Internet.
- The role financial institutions can play in network
commerce.
- The steps to design protocols and software to take advantage
of network payment systems.
Getting paid on the Internet is one of the most complex challenges
facing companies who want to do business electronically.
You will learn about several alternatives for payment on the
Internet including secure presentation of credit card numbers,
electronic currency, and credit-debit systems, and the situations for
which each is best suited. The predominant examples of each approach
will be described. You will find out about security issues and fraud
prevention, and the security of different payment systems.
Learn how funds flow through the system for each model, the role
of banks and other financial intermediaries, who incurs risk from
fraud and failure to pay, and which parties need to be trusted.
Transaction charges and means of profit for financial intermediaries
will also be covered.
You will find out the steps needed for integration of these
payment systems with network applications, including the changes
needed to Web servers and Web browsers, evolving standards, and
approaches to integration with other network applications. The need
for more standardization at the application/payment service interface
will be discussed.
Dr. Clifford Neuman, a scientist and faculty member at the
Information Sciences Institute of the University of Southern
California, is one of the principal designers of the Kerberos
authentication system. Recent work includes development of the
security infrastructure supporting authorization and accounting. Dr.
Neuman leads the design of the NetCheque and NetCash® electronic
payment systems.
M2am (half day: 9:00 am - 12:30 pm)
Electronic Payments and Commerce Applications
Taher ElGamal, Netscape Communications Corporation
Who Should Attend: Technical professionals who need the latest
information on the advances in electronic payments and commerce
applications on the Internet.
What You Will Learn: State-of-the-art techniques and protocols;
details of protocols used and proposed for supporting commerce
applications on the Web.
Topics include:
- Basic technology review: RSA, DSA, RC4, SSL
- Credit card processing protocols: the SET protocol and its
variants
- Debit card: how to use SET for debit cards
- Protocols for electronic cash and electronic accounts
- Micro transactions and aggregation protocols
- Protocols for electronic checks and variants
Some proposals for protocols supporting banking applications will
also be described, including home banking type applications and
automated bill presentment and payment. In particular, the use of
cryptographic techniques will be outlined throughout the class.
Taher ElGamal is the chief scientist at Netscape Communications
where he is involved in security, electronic commerce, and other
Internet applications. His doctoral thesis included the "ElGamal"
public key cryptosystem and digital signature algorithm that produced
several industry standards and commercial products. He has produced
cryptographic toolkits used by many application developers for
encryption and authentication applications.
M3am (half day: 9:00 am - 12:30 pm)
Secure Java Programming: Fundamentals
Marianne Mueller and David Brownell, JavaSoft
Who Should Attend: Java developers who want to learn more about
how Java security works.
What You Will Learn: The basics of Java security and the default
applet security policy, including:
* How to construct an applet, including step by step examples of a
commerce related applet (e.g., shopping cart), and an overview of the
applet API.
* How to write applets that do useful things within the confines
of the applet security policy, including:
-- A description of the default applet security
policy
-- Using the applet's host server to store persistent information
-- How to take advantage of HotJava's more configurable security
environment (e.g., read & write file ACLs)
-- How to send a CGI request from an applet
-- How to send a servlet request from an applet ("servlet" is a
JavaSoft proposal for server side extension -- the servlet API can be
thought of as a replacement for the CGI API).
-- Configuring your web environment so that a browser behind a
firewall can do DNS name resolution of machines outside the firewall
* Overview of Secure Java Platform
-- Language features: private, protected, namespace
partitioning, memory management and garbage collection, arrays,
strings, lack of preprocessor. Learn how to take advantage of these
language features to write secure Java applets and applications.
-- Verifier features: Description of what the verifier does for you,
and how to use the bytecode verifier with your standalone Java
application.
-- Security Manager: How you might design and
implement a security manager for a Java standalone application.
* How to get accurate and up-to-date info on Java security bugs
Marianne Mueller and David Brownell are staff engineers at
JavaSoft. Before working on Java security Marianne worked on floating
point, compiler optimizations, and tools for multithreaded
programming. She works on Java security, especially in the context of
Jeeves, the Java web server.
M4pm (half day: 1:30 pm - 5:00 pm)
Secure Java Programming: Enhancements
Marianne Mueller and David Brownell, JavaSoft
Who Should Attend: Java developers familiar with the fundamentals
of the Java security model who want to learn more about recent
enhancements to the Java security toolset.
What You Will Learn: New features in Java such as Java code
signing and Java APIs for access control lists and certificate
management. Topics will include:
* How to create signed applets and signed servlets
- How to create a JAR file. The JAR file is a "Java Archive"
file, and it can contain class files, gif, jpeg, html, etc.
- How to generate a key pair, to use for signing
- How to register your public key with a public key distribution
center
- How to sign the JAR file using a standalone Java signing tool
- How to distribute the signed JAR file (== how to distribute
the signed applet or signed servlet)
- How to use the Java Access Control List package
(java.security.ACL)
- How to associate limited capabilities with a signed servlet
- How to administer the Java web server so that it only accepts
code signed by a set of trusted signatures
- How to administer the Java web server so that it grants
limited capabilities to trusted code
* X.509 Certificate Management in Java
Marianne Mueller and David Brownell are staff engineers at
JavaSoft. Before working on Java security, Marianne worked on
floating point, compiler optimizations, and tools for multithreaded
programming. She works on Java security, especially in the context of
Jeeves, the Java web server.
M5pm (half day: 1:30 pm - 5:00 pm)
The Law of Electronic Commerce - Contracts, Records, and Privacy
Benjamin Wright, Attorney and Author
Who Should Attend: Online and IS professionals, security managers,
EDI and Intranet managers, purchasing managers, lawyers, accountants,
and auditors with a general understanding of business transactions.
What You Will Learn: The application of common sense legal
principles to electronic commerce.
Do you have to know about the law as it applies to electronic
commerce? The application of existing laws as applied to electronic
commerce is a relatively new field that many computing professionals
are required to understand.
You will gain a broad overview of the legal and recordkeeping
issues from a lawyer's perspective, placing legal issues in a
conceptual framework. You will learn in detail the issues of
electronic contract formation, electronic signatures, computer
evidence and privacy, establishing trust in cyberspace, trading
partner agreements, and network service provider agreements. You will
hear a thorough discussion of EC records, particularly those created
for state and federal tax purposes, and the role of third party
recordkeepers. There will be ample time for questions and dialog.
Specific topics include:
- An electronic contract lawsuit in the drug industry
- Admission of email evidence in a famous lawsuit
- Different business models for establishing trust
- The Model EDI Trading Partner Agreement
- Digital signature legislation in Utah, California and Florida
- Digital signature guidelines from the American Bar Association
- An IRS regulation on the recording of electronic transactions
- A model policy for recording electronic messages for tax
purposes
- Model for third-party recordkeeper
Benjamin Wright is the author of The Law of Electronic Commerce:
EDI, E-mail and Internet. He is also editor of EDI Forum, a quarterly
journal covering technology, business, legal and security issues in
electronic commerce. A graduate of Georgetown University Law School,
Mr. Wright is an attorney practicing electronic commercial law from
Dallas, Texas. Mr. Wright will also be giving an Invited Talk on
Tuesday.
M6pm (half day: 1:30 pm - 5:00 pm)
Breaking into the Web (Pun Intended)
Daniel Geer, Open Market, Inc.
Who Should Attend: Those running an Internet site who need to
understand the tradeoffs in making it secure or how the Internet is
likely to be secured.
What You Will Learn: Threat models, both technical and social
engineering, and countermeasures; tools to make plans that will work
and will convince management that they work.
Are you really doing business on the Internet by now? Were you
blocked from doing so by security issues, real or imagined? Are you
the only one worried and no one is listening?
Simple math says that the growth rate of the Internet means the
skill level of the average Internet user is going down fast. Simple
avarice says that there is a lot of money to be made (or saved) by
converting much of today's commerce to electronic form. Simple
deviousness says that the combination of a rising flux of money and a
decreasing skill level is an irresistible target. Simple engineering
says that the optimal solution is not one-size-fits-all, and that is
where we will focus.
You will find out about threat models, both technical and social
engineering, and countermeasures. You will walk away with the tools
to make plans that will work and will convince management that they
work. Luckily, we have some good counterexamples to work from.
Daniel E. Geer, Jr. is director of engineering at Open Market,
Inc., a leader in electronic commerce technology. Formerly he was
chief scientist, vice president of technology and managing director
of security consulting services for OpenVision Technologies. He
earned a doctor of science in biostatistics from Harvard University.
TECHNICAL PROGRAM
Tuesday through Thursday November 19-21, 1996
Tuesday, November 19
7:30 am - 8:20 am - Continental Breakfast
8:20 am - 8:30 am - Introduction and Welcome - Doug Tygar,
Carnegie Mellon University
8:30 am - 10:00 am
Session I: Hardware Tokens
Session Chair: Clifford Neuman, University of Southern California
Tamper Resistance -- a Cautionary Note
Ross Anderson, Cambridge University and Markus Kuhn,
Erlangen/Purdue University
Token-Mediated Certification and Electronic Commerce
Daniel E. Geer, Open Market, Inc. and Donald T. Davis, SystemExperts
Smart Cards in Hostile Environments
Howard Gobioff, Carnegie Mellon University; Sean Smith, Los Alamos
National Laboratory/IBM Research; Doug Tygar, Carnegie Mellon
University; Bennet Yee, University of California, San Diego
10:00 am - 10:15 am Break
10:15 am - 11:45 am
Session II: Protocol Analysis
Session Chair: Ross Anderson, Cambridge University
Analysis of the SSL 3.0 Protocol
David Wagner, University of California, Berkeley and Bruce Schneier,
Counterpane Systems
Fast, Automatic Checking of Security Protocols
Darrell Kindred and Jeannette Wing, Carnegie Mellon University
Verifying Cryptographic Protocols for Electronic Commerce
Randall W. Lichota, Hughes; Grace L. Hammonds, AGCS; Stephen H.
Brackin, Arca
11:45 am - 1:30 pm Lunch - on your own
1:30 pm - 2:30 pm
Invited Talk: Legal Signatures and Proof in Electronic Commerce
Benjamin Wright, Attorney and Author of The Law of Electronic Commerce
A critical goal of electronic commerce is to create evidence of
transactions so they can later be authenticated in court. Mr. Wright
will consider alternative strategies for legally authenticating
transactions, including the new Utah Digital Signature Act and
biometric signing methods. He will also describe techniques for
making reliable electronic archives.
2:30 pm - 2:45 pm Break
2:45 pm - 3:45 pm
Session III: Policy and Economics
Session Chair: Hal Varian, University of California, Berkeley
Digital Currency and Public Networks: So What If It Is Secure, Is It Money?
John du Pre Gauntt, London School of Economics
Modeling the Risks and Costs of Digitally Signed Certificates
in Electronic Commerce
Ian Simpson, Carnegie Mellon University
3:45 pm - 4:00 pm Break
4:00 pm - 5:30 pm
Session IV: Standard Payment Interfaces
Session Chair: Bennet Yee, University of California, San Diego
Generic Payment Services: Framework and Functional Specification
Alireza Bahreman, EIT
UPAI: A Universal Payment Application Interface
Steven P. Ketchpel, Hector Garcia-Molina, Andreas Paepcke, Scott
Hassan, and Steve Cousins, Stanford University
Payment Method Negotiation Service: Framework and Programming Interface
Alireza Bahreman and Rajkuman Narayanaswamy, EIT
6:00 pm - 8:30 pm
Reception and Tour of Fisher Center, UC Berkeley - (Shuttle
Service Provided)
Wednesday, November 20
7:30 am - 8:30 am - Continental Breakfast
8:30 am - 10:00 am
Session V: Atomic transactions
Session Chair: Mark Manasse, Digital Equipment Corporation
Anonymous Atomic Transactions
Jean Camp, Sandia National Laboratory; Michael Harkavy and Doug
Tygar, Carnegie Mellon University; Bennet Yee, University of
California, San Diego
Strongboxes for Electronic Commerce
Thomas Hardjono and Jennifer Seberry, University of Wollongong
Model Checking Electronic Commerce Protocols
Nevin Heintze, Bell Labs; Doug Tygar, Jeannette Wing, and H. C. Wong,
Carnegie Mellon University
10:00 am - 10:15 am Break
10:15 am - 11:45 am
Session VI: Experience
Session Chair: Nathaniel Borenstein, First Virtual Holdings, Inc.
BigDog: Hierarchical Authentication, Session Control, and Authorization for the Web
Benjamin Fried and Andrew Lowry, Morgan Stanley
Financial EDI Over the Internet: Case Study II
Arie Segev, Jaana Porra, and Malu Roldan, University of California,
Berkeley
Scalable Document Fingerprinting
Nevin Heintze, Bell Labs
11:45 am - 2:00 pm Hosted Luncheon with Speaker
Designing New Rules of the Road for Electronic Commerce in Digital Information
Pamela Samuelson, University of California, Berkeley
Congress is currently considering legislative proposals to
strengthen the rights of copyright owners in cyberspace and to create
a new law to protect database developers against unauthorized
extractions and reuses of database contents. Contract lawyers are
working on new rules of the road for contracts about digital
information products and services. As attractive as the idea of
adopting new rules for electronic commerce in digital information may
be, current proposals may be based on assumptions that will not prove
workable in the electronic environment.
Pamela Samuelson is a Professor of Law and of Information
Management at the University of California at Berkeley. Her principal
expertise is intellectual property law; her principal interests are
in the challenges posed by digital technologies to existing legal
regimes. She is a Contributing Editor of Communications of the ACM
for which she writes a regular "Legally Speaking" column.
2:00 pm - 3:30 pm
Session VII: Protocols
Session Chair: Daniel Geer, Open Market, Inc.
A Protocol for Secure Transactions
Douglas H. Steves, Chris Edmondson-Yurkanan and Mohamed Gouda,
University of Texas, Austin
PayTree: "Amortized-Signature" for Flexible MicroPayments
Charanjit Jutla and Moti Yung, IBM
A Minimal Distributed Protocol for Electronic Commerce
Eran Gabber and Abraham Silberschatz, Bell Labs
3:30 pm - 3:45 pm Break
3:45 pm - 6:00 pm
Panel Discussion: Electronic Commerce in Practice -- What Have We Learned?
Moderator: Clifford Neuman, University of Southern California
Panelists:
Nathaniel Borenstein, First Virtual Holdings, Inc.;
Marc Briceno, DigiCash;
Steve Crocker, Cybercash;
Daniel Geer, Open Market, Inc.;
Arie Segev, University of California, Berkeley;
David Van Wie, InterTrust
6:00 pm Dinner - on your own
9:00 pm - 11:00 pm
Birds-of-a-Feather Sessions
Thursday, November 21
8:00 am - 9:00 am - Continental Breakfast
9:00 am - 10:30 am
Session VIII: Security
Session Chair: Stefan Brands, CWI
Organizing Electronic Services into Security Taxonomies
Sean Smith, Los Alamos National Laboratory/IBM Research and Paul
Pedersen, Los Alamos National Laboratory
WWW Electronic Commerce and Java Trojan Horses
Doug Tygar and Alma Whitten, Carnegie Mellon University
On Shopping Incognito
Ralf Hauser, McKinsey Consulting, Switzerland and Gene Tsudik,
University of Southern California
10:30 am - 10:45 am Break
10:45 am - 11:45 am
Session IX: Software Agents
Session Chair: Doug Tygar, Carnegie Mellon University
Market-Based Negotiation for Digital Library Services
Tracy Mullen and Michael P. Wellman, University of Michigan, Ann
Arbor
Information and Interaction in MarketSpace -- Towards an Open Agent-based Market Infrastructure
Joakim Erriksson and Niclas Finne, Telia Research; Sverker Janson,
Swedish Institute of Computer Science
A Peer-to-Peer Software Metering System
Bruce Schneier and John Kelsey, Counterpane Systems
HOTEL AND TRAVEL INFORMATION
Hotel Discount Reservation Deadline - Wednesday, October 16, 1996
USENIX has negotiated special rates for workshop attendees at the
Claremont Resort and Conference Center. Contact the hotel directly to
make your reservation. You must mention USENIX to get the special
rate. A one-night room deposit must be guaranteed to a major credit
card. To cancel your reservation, you must notify the hotel at least
24 hours before your planned arrival date.
The Claremont Resort and Conference Center
Ashby and Domingo Avenue
Oakland, CA 94623-0363
Toll Free: 800.551.7266
Local Telephone: 510.843.3000
Reservation Fax: 510.549.8582
Single/Double Occupancy: $110.00 (plus room tax, currently 11%)
Note: Requests for hotel reservations made after the deadline will
be handled on a space and rate available basis only.
Discount Airfares
Special airline discounts will be available for USENIX attendees.
Please call for details:
JNR, Inc. Toll Free 800.343.4546 (USA and Canada)
Telephone 714.476.2788
AIRPORT TO HOTEL TRANSPORTATION
From San Francisco (SFO) & Oakland International Airports
Shuttle Service - The Bayporter Express offers shuttles to and
from both Oakland Airport and SFO Airport. ADVANCED RESERVATIONS ARE
REQUIRED for Oakland pick ups and to avoid delays at SFO. Call
415.467.1800. Cost of shuttle is $12 from Oakland Airport and $13
from SFO Airport, one way. Travel time to the hotel is approximately
30-45 minutes from Oakland and one hour from SFO. Return trips
require reservations to be made one day in advance.
Taxi service from Oakland Airport usually ranges $30 one way, and
$50 from SFO.
BART - If you live in the Bay Area and will be using BART, take
the Concord Line to the Rockridge Station (one mile from the
Claremont). At the station, taxi service is available to the hotel
for an approximate cost of $5 one way.
POINTS OF INTEREST
Telegraph Avenue - This is the heart of student Berkeley.
Besides its wonderful array of bookstores, espresso shops, and
student food, you can get a tattoo, get a body part pierced, and buy
paraphernalia of all kinds.
Sproul Plaza - Berkeley's Campus is a great place to people
watch, listen to music, and mingle with students.
Entertainment - Berkeley has a lively local entertainment
scene. The Pacific Film Archives screens different films every night.
A variety of night clubs feature music ranging from jazz to
alternative.
About the Hotel
The Claremont is a world-class resort located just one mile from
the UC Berkeley campus, in the hills overlooking the San Francisco
Bay. The hotel is an historic, turn-of-the-century resort, with
modern facilities that include two swimming pools, saunas, jacuzzi,
tennis courts, fitness center and a luxurious European-style health
spa.
EC '96 REGISTRATION FORM
Note: For your convenience, the registration form is provided in
ASCII and PostScript form.