William J. Caelli
Queensland University of Technology
Publication
Featured research published by William J. Caelli.
Computers & Security | 1994
Helen Gustafson; Ed Dawson; Lauren Nielsen; William J. Caelli
Designers and users of encryption algorithms used in cipher systems need a systematic approach in examining their ciphers prior to use, to ensure that they are safe from cryptanalytic attack. This paper describes a computer package used for assessing the security of newly-developed encryption algorithms.
High Performance Computing and Communications | 2010
Aiiad Albeshri; William J. Caelli
The term “cloud computing” has emerged as a major ICT trend and has been acknowledged by respected industry survey organizations as a key technology and market development theme for the industry and ICT users in 2010. However, one of the major challenges that faces the cloud computing concept and its global acceptance is how to secure and protect the data and processes that are the property of the user. The security of the cloud computing environment is a new research area requiring further development by both the academic and industrial research communities. Today, there are many diverse and uncoordinated efforts underway to address security issues in cloud computing and, especially, the identity management issues. This paper introduces an architecture for a new approach to necessary “mutual protection” in the cloud computing environment, based upon a concept of mutual trust and the specification of definable profiles in vector matrix form. The architecture aims to achieve better, more generic and flexible authentication, authorization and control, based on a concept of mutuality, within that cloud computing environment.
Archive | 1989
William J. Caelli; Dennis Longley; Michael Shain
Part 1: security policy and organizational structure personnel and responsibilities access control and cryptographic controls information flow control security of stored data monitoring and audit trails military and commercial security. Part 2: risk analysis and management conventional computer security risk analysis and management Courtney Technique of risk analysis Cramm risk analysis. Part 3: physical security access control personal computer security contingency planning insurance. Part 4: network security security on IBM systems OSI security. Part 5: identify and authentication of the user PINS privacy, integrity and authentication of financial messages financial network security. Part 6: communications and logical security physical security of office systems procedural and personnel security. Part 7: data protection legal protection of information assets computer crime law and personnel.
Computers & Security | 1994
Mark Looi; William J. Caelli
This note describes the design of a trusted clock on a secure device such as a card accepting unit of the type used for financial transactions. The system is resistant to attacks by fraudulent messages and to replays of previous messages. A recommendation on the message formats is made.
Australasian Conference on Information Security and Privacy | 2005
Adrian McCullagh; William J. Caelli
There are now more than 7 million internet banking users in Australia. Despite this substantial uptake in Australia, Australian banks continue to concentrate their respective security efforts upon internal mechanisms. Education of bank customers has not for the most part solved the fundamental flaws existent in internet banking. It is widely accepted that the weakest link in internet banking facilities is not with the banks’ internal mechanisms but with the customer PC. This paper analyses the research opportunities available to improve internet banking in Australia, which research could be exported to other jurisdictions where internet banking is available.
International Conference on Trust Management | 2015
Andy Wong; Vicky Liu; William J. Caelli; Tony Sahama
This paper addresses the development of trust in the use of Open Data through incorporation of appropriate authentication and integrity parameters for use by end user Open Data application developers in an architecture for trustworthy Open Data Services. The advantage of this architecture scheme is that it is far more scalable and is not another certificate-based hierarchy that has problems with certificate revocation management. With the use of a Public File, if the key is compromised, it is a simple matter of the single responsible entity replacing the key pair with a new one and re-performing the data file signing process. Under this proposed architecture, the Open Data environment does not interfere with the internal security schemes that might be employed by the entity. However, this architecture incorporates, when needed, parameters from the entity, e.g. the person who authorized publishing as Open Data, at the time that datasets are created/added.
Information Management & Computer Security | 1994
William J. Caelli
Distributed computing systems impose new requirements on the security of the operating systems and hardware structures of the computers participating in a distributed data network environment. It is proposed that multiple level (greater than two) security hardware, with associated full support for that hardware at the operating system level, is required to meet the needs of this emerging environment. The normal two layer (supervisor/user) structure may probably be insufficient to enforce and protect security functions consistently and reliably in a distributed environment. Such two‐layer designs are seen as part of earlier single computer/processor system structures while a minimum three/four‐layer security architecture appears necessary to meet the needs of the distributed computing environment. Such multi‐level hardware security architecture requirements are derived from earlier work in the area, particularly the Multics project of the mid‐1960s, as well as the design criteria for the DEC VAX 11/780 and...
International Journal of E-health and Medical Communications | 2013
Vicky Liu; William J. Caelli; Yu-Nien Maggie Chen
An increasing number of countries are faced with an aging population increasingly needing healthcare services. For any e-health information system, the need for increased trust by such clients with potentially little knowledge of any security scheme involved is paramount. In addition, notable scalability of any system has become a critical aspect of system design, development and ongoing management. Meanwhile, cryptographic systems provide the security provisions needed for confidentiality, authentication, integrity and non-repudiation. Cryptographic key management, however, must be secure, yet efficient and effective in developing an attitude of trust in system users. Digital certificate-based Public Key Infrastructure has long been the technology of choice or availability for information security/assurance; however, there appears to be a notable lack of successful implementations and deployments globally. Moreover, recent issues with associated Certificate Authority security have damaged trust in these schemes. This paper proposes the adoption of a centralised public key registry structure, a non-certificate based scheme, for large scale e-health information systems. The proposed structure removes complex certificate management, revocation and a complex certificate validation structure while maintaining overall system security. Moreover, the registry concept may be easier for both healthcare professionals and patients to understand and trust.
Archive | 2011
William J. Caelli; S. V. Raghavan; S. M. Bhaskar; Jenny Georgiades
A set of relevant quotes could ‘set the scene’ for research into and discussion of the policy and law aspects of DoS/DDoS against global, national and defence information infrastructures (GII, NII, DII), national critical infrastructure (CNI) and the nation state itself (Information Warfare, Cyber-warfare, Electronic Warfare).
Information Security | 2008
Dennis Longley; Mark Branagan; William J. Caelli; Lam For Kwok
According to AS/NZS ISO/IEC 27001:2006 [11], management of an organization should provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the organization’s information security management system. The objective of this research project was to explore the feasibility of designing an intelligent documentation system to assist information security managers in meeting this commitment. In particular, this documentation system would assist in the associated tasks of risk assessment and information security compliance auditing. The proposed documentation system, comprising both supporting software and a database model of the organizational information security environment, together with formalized compliance requirements, may be used both for automated and ongoing compliance testing as well as risk assessment. The risk assessment aspect of the documentation system has been described in previous papers [3, 14]. This paper will deal with a feasibility study of automated compliance auditing. Such automated compliance auditing would enable security managers to readily benchmark their current systems against the appropriate information security standards. This study was undertaken to specifically explore the feasibility of automated compliance auditing against an international information security standard. The standard originally selected for the study was AS/NZS ISO/IEC 17799:2001 [9]