The NATO Workshop “Advanced Security Technologies in Networking” was organized in Portorož, Slovenia, from May 29th to June 2nd, 2000. Key speakers from NATO countries, together with some experts from Slovenia, Austria, Ireland and Switzerland, took care of the required transfer of knowledge, the promotion of security technology, and the raising of awareness of the importance of its use, through presentations, demonstrations of products and services, and practical work. The major aspects covered were the following:
- providing basic knowledge about security mechanisms and services,
- public-key infrastructures and gaining experience in the use of PKI technology,
- information on security provision at the network level,
- stimulating the use of security-technology-based products and services in electronic business operation,
- building confidence in electronic commerce and telecommunication related security services,
- encouraging development in the provision of secure communication,
- raising awareness of the network applications that regularly use security technology products.
The Workshop was supported both by NATO, under the Advanced Workshop activity of the Research Infrastructure Support Sub-programme of the NATO Science Programme, and by the European Union, under the ICE-CAR project.
The Workshop programme consisted of 8 different sessions, which covered all areas of security provision in networking. The presentations in the first session, titled “Basic concepts in secure communications”, described the importance of security and gave an overview of security problems, threats, mechanisms and services. Several security mechanisms, e.g. symmetric and asymmetric encryption, digital signatures, and authentication protocols, were presented in more detail. One of the most important issues in security provision in global computer networks is public-key cryptography. For the authentication of public keys, digital certificates and public-key infrastructures are necessary. The public-key infrastructures session gave a deep insight into the X.509 public-key certificate and certificate revocation list formats. Public-key certificates are also called identity certificates, since they bind a public key to a user’s identity. These certificates are used primarily for authentication. For authorisation, another type of X.509 certificate is more useful: the attribute certificate, which binds a user’s identity to a set of attributes other than a public key. The attribute certificate format and the use of attribute certificates in privilege management infrastructures (PMIs) were also presented in detail. The last presentation in this session dealt with wireless communication security, which is becoming more and more important. The special problems of security provision in a wireless environment were described, together with security technologies and protocols such as WTLS (Wireless Transport Layer Security).
In the third session, security provision at the network and transport levels was discussed. IPSec was presented in detail, as were SSL (Secure Sockets Layer), TLS (Transport Layer Security), and S-BGP. Security services in ATM (Asynchronous Transfer Mode) networks were also addressed. Of special interest to participants who work as system administrators were the talks on secure directories and firewall technologies. The first talk put its emphasis on the X.500 model of a directory, the LDAP protocol, and the security issues and implications of the directory. The presentation on firewalls gave participants a thorough view of the advantages and disadvantages of firewalls, packet-filtering routers, application-level firewalls, as well as of firewall configurations.
The presentations on secure applications were divided into two sessions. One of these sessions covered WWW security and secured networked video services, while the second gave a more detailed view of secure e-mail, certificate policies and CPSs, and concrete examples of security provision in practice, for example in health systems, health insurance systems, and city and school administration. A talk on WWW security presented Web transaction security, browser security and server security. In addition, Java security, XML and XML digital signatures were discussed. The presentation on secured multicast conferencing also included a technical demonstration and practical work by the participants. Two users obtained their public-key certificates, registered with the conference store at UCL and then established a secure video and audio connection. A third user tried to intercept the communication, but was unsuccessful when all exchanged data was encrypted. A presentation on secure electronic mail gave an overview of the security requirements of electronic mail and described PEM and, in detail, the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard. Of great interest to the participants were the practical examples of secure applications in health systems (secure access to confidential patient data via the Internet), health insurance systems (PKI for the German health care system), and school (Politecnico di Torino) and city (Torino) administration.
Special attention was paid to legal issues. Two speakers presented legislation on electronic signatures in the European Union and the USA. The last session, “Secure Electronic Commerce”, gave an overview of some of the most promising electronic payment systems. It explained how they work and what one can do with them.