CORRECTION / RE: Qualified Certificate Request

2005-08-02 Thread Nap van Zuuren
CORRECTION:

You are right about the (real life) notaries' function still being necessary.

As far as I am informed, by my contributorship within CEN  ETSI -EESSI and 
CEN-NIS, there is still no solution for (very) long TERM
Storage AND RETRIEVAL of documents, key pairs, certificates, relating 
algorithms, software used etc.

Greetings, Nap

-Original Message-
From:   Florian Weimer [SMTP:[EMAIL PROTECTED]
Sent:   Friday, July 22, 2005 7:42 PM
To: [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject:Re: Qualified Certificate Request

* Nap van Zuuren:

 Might be a nice (intellectual) crypto-exercise, but I am afraid that the 
 concept of the Qualified Signature will not get a widespread 
 implementation, except for very specific areas/disciplines.

That's by design, all those notaries public don't like being replaced
by smartcards.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]





Re: Possibly new result on truncating hashes

2005-08-02 Thread Hal Finney
John Kelsey writes:
 The high order bit is that you can't generally guarantee
 that truncating your hash (chopping off some bits) won't
 weaken it.  That is, if you chop SHA256 off to 160 bits as a
 replacement for SHA1 (something I'm working on with Niels
 Ferguson for X9 right now), it's possible that there's no
 attack on SHA256, but there is an attack on SHA160.  

This is a good point, but I think the lesson is that all the bits of a
hash have to be strong, for it to be considered strong.  If you have
a 2^64 attack to find a collision in 160 bits of SHA256, then SHA256
is broken.

It should not be possible to identify any subset of k bits in the output
of a hash function, or more generally any function mapping the hash
output to a k bit result, which can have collisions found in less than
2^(k/2) work.

Whether hash functions like SHA256 can meet this standard is far from
clear, unfortunately.

Hal Finney



Re: Last WWII Comanche code talker dies in Oklahoma

2005-08-02 Thread Andreas Hasenack
On Monday 01 August 2005 02:40, Udhay Shankar N wrote:
 [resending this, after it didn't reach the list first time. I seem to have 
 fallen off the list, and am back on now. I hope this isn't a repeat. /udhay]
 
 http://aolsvc.news.aol.com/news/article.adp?id=20050721170009990017
 
 Last WWII Comanche code talker dies in Oklahoma

Wasn't that Navajo instead?



[Clips] Hackers Hit Microsoft Windows Genuine Advantage

2005-08-02 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 1 Aug 2005 22:34:52 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Hackers Hit Microsoft Windows Genuine Advantage
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.informationweek.com/story/showArticle.jhtml?articleID=166403976

 InformationWeek  Security 


 Genuine Advantage was supposed to block users from pirating Windows, but
 hackers defeated the program in a matter of days.
  By The Associated Press


  Days after Microsoft launched a new anti-piracy program, hackers have
 found a way to get around it.

 The software company's new program, called Windows Genuine Advantage,
 requires computer users to go through a process validating that they're
 running a legitimate copy of the Windows operating system before
 downloading any software updates except for security patches.

 But the check can be bypassed by entering a simple JavaScript command in
 the Web browser's address bar and hitting the Enter key. When that's
 done, the validation does not run and the user is taken directly to the
 download.

 Microsoft said it was investigating and that the glitch was not a security
 vulnerability.

 The hack appears only to work when a computer user is trying to download
 software through the Windows Update service. Some software, such as
 Microsoft's AntiSpyware beta, isn't available there but can be found
 elsewhere on microsoft.com.

 Such downloads also require validation, but the hack does not appear to
 work. On Friday, attempts to download the antispyware program resulted in a
 server error, with a message that read, "It appears that our activation
 servers are not functioning properly."

 All Windows users, even those with pirated copies, can still download
 security patches. For any other software updates, Microsoft now requires
 computer users to validate that their computers aren't running counterfeit
 copies of Windows.

 --
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 ... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text




[Clips] Clippre: Leaving a trail of tech

2005-08-02 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 1 Aug 2005 22:38:26 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Clippre: Leaving a trail of tech
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
http://www.newsday.com/news/nationworld/world/ny-woside0802,0,6663269,print.story?coll=ny-top-headlines



 Newsday.com:

 Leaving a trail of tech

 Cell phones and the encryption of files on computers are tools authorities
 now focus on in tracking terror


  BY MARK HARRINGTON
  STAFF CORRESPONDENT

  August 2, 2005

  LONDON --  He may have skipped Britain on an ordinary rail ticket amid the
 country's highest level of security since World War II, but it was not long
 before authorities picked up his signal, literally.

  By the time they seized him in Rome on Friday, Hamdi Issac, also known as
 Osman Hussain -- one of the suspects in London's failed July 21 bombings --
 had made a call to Saudi Arabia, scattered a trail across Europe and even
 tried to throw authorities off his track by changing the electronic chip in
 his cell phone, according to an Italian anti-terror chief yesterday.

  But even as authorities in London celebrated a series of technological
 successes in the complex probe of the city's terror attacks last month,
 they were asking for more powers.

  In a move reminiscent of the fast-track treatment received by the USA
 Patriot Act following the Sept. 11 attacks in 2001, Parliament is expected
 to swiftly weigh a number of anti-terror measures, including legislation
 that would make it a crime for anyone to withhold access codes to computer
 files that have been encrypted. Sentences of up to 10 years in prison are
 reported to be on the table, though any such measure would have to wait
 until Parliament reconvenes in the fall.

  The call for stiffer anti-encryption laws comes as investigators have
 gained unprecedented insight into the movement and training of suspects
 through cell phones and computers.

  In a televised news briefing in Rome yesterday, Italian anti-terror chief
 Carlo De Stefano described in surprising detail the path of suspected
 bomber Issac as he entered Italy and traveled around the country before
 being captured by authorities over the weekend.

  "You always have this evolving technological struggle between
 counterterrorism forces and the terrorist," said Jeremy Binnie, an analyst
 with the London-based Jane's Terrorism and Insurgency Center, describing
 why authorities are pushing for tougher rules. "The law makes sense if
 authorities are trying to gather evidence and they think the information is
 crucial and can't get it otherwise."

  But Peter Neumann, an international anti-terrorism expert at King's
 College in London, wondered whether tougher laws would simply push
 increasingly sophisticated terrorists to means other than encrypted files
 to hide evidence. He suggested that Issac's apparent failure to understand
 the trail he was leaving behind with his cell phone use is relatively
 uncommon among generally more techno-savvy Islamic terrorists.

  One of the suspects in the July attacks here, he said, has acknowledged
 using Internet tutorials to learn the techniques of bomb-making. While a
 London Metropolitan Police spokeswoman declined to comment, Neumann said it
 is increasingly common for terrorists to plan attacks and outline
 techniques on Web pages that are set up and taken down in a matter of
 hours, before police can discover or trace them. "It's a very fluid system
 and very effective," he said.

  Encryption technology is commonly available and relatively easy to use,
 Neumann noted, but it is still considered sophisticated. "The big irony of
 these movements is that while they are very medieval in ideology, they are
 also very modern in employing technology," Neumann said.

  Still, legislation that would try to force users to unlock access codes
 may not prove particularly effective if it is enacted for Britain alone.
 "National legislation doesn't strike me as something very useful unless
 the effort is undertaken across Europe," he said.


--- end forwarded text



Re: Possibly new result on truncating hashes

2005-08-02 Thread Joseph Ashwood
- Original Message - 
From: John Kelsey [EMAIL PROTECTED]

Subject: Possibly new result on truncating hashes



 How could this work?  Suppose we have an algorithm like the
 Wang attacks on MD5, SHA0, or SHA1 for finding a single
 collision pair.  The algorithm returns a single collision
 pair on the first 160 bits of SHA256 for (say) 2^{64} work.
 (Remember that this is just an example--I don't have any
 such algorithm!)  Each time the algorithm is run, it gives a
 new, unrelated collision pair, and the remaining 96 bits are
 completely randomized by the collision pair.

 Now, this is an attack on SHA256 truncated to 160 bits.
 Does it lead to an attack on SHA256 as a whole?


Actually it does. Such an attack would reduce the difficulty of producing a 
collision in SHA-256 to 2^(64+(96/2)) or 2^112. The math for this is fairly 
easy, the remaining 96 bits will collide in on average 2^(96/2) tries, since 
it takes 2^64 work for each of these tries, we get 2^112 work, hence an 
attack on the original hash has been found.



 Let's do the counting argument:  Each time we call the
 160-bit collision algorithm, we get a new pair which has the
 same first 160 bits of SHA256 output, and random unrelated
 last 96 bits of SHA256 output.  Each pair has a probability
 of 2^{-96} of colliding in the remaining bits.  So, to get a
 collision on the whole SHA256 using this 160-bit collision
 algorithm, we expect to have to try about 2^{96} collision
 pairs


There's the mistake. To find a collision in the remaining bits requires 
2^(96/2) work, not 2^96 work. For a chosen initial value you will of course 
have the 2^96 work, but there you'll only have 2^(64+96) work instead of 
2^256, the attack still works.
   Joe 






AW: Possibly new result on truncating hashes

2005-08-02 Thread Kuehn, Ulrich
 
John Kelsey wrote:

 Unfortunately, we can't make this argument, because this 
 postulated collision algorithm can't be used to find a 
 collision in the whole SHA256 more efficiently than brute force.
 
 Let's do the counting argument:  Each time we call the 
 160-bit collision algorithm, we get a new pair which has the 
 same first 160 bits of SHA256 output, and random unrelated 
 last 96 bits of SHA256 output.  Each pair has a probability 
 of 2^{-96} of colliding in the remaining bits.  So, to get a 
 collision on the whole SHA256 using this 160-bit collision 
 algorithm, we expect to have to try about 2^{96} collision 
 pairs, each found at a cost of 2^{64}.  The resulting work is 
 2^{64} * 2^{96} = 2^{160}, more than a straight brute-force 
 collision search on SHA256.  
 

Hmm, wouldn't you expect a lot of partial collisions among all those 2^96 
collision pairs? That is, after
2^80 runs of the algorithm you would obtain your first partial collision in 
collision pairs, don't you?
For 2^96 that's roughly 2^32 such pairs of pairs. Those might help you to speed 
up your search.

Am I missing something here?

Ulrich
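
The counting argument quoted in the two messages above can be measured at toy sizes. The following is an added example, not code from any poster in the thread: the "full" hash is SHA-256 cut to 18 bits, the hypothetical truncated-collision algorithm is simulated by a plain birthday search on the first 12 bits, and all function names and bit lengths are assumptions made for the illustration.

```python
"""Toy measurement of the truncated-collision counting argument (added example)."""
import hashlib

K_BITS = 12  # assumption: toy stand-in for the 160 truncated bits
R_BITS = 6   # assumption: toy stand-in for the remaining 96 bits


def toy_hash(msg: bytes) -> int:
    """Top K_BITS + R_BITS bits of SHA-256(msg), playing the 'full' hash."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - (K_BITS + R_BITS))


def birthday(tag: bytes, extract):
    """Hash distinct messages until two agree on extract(toy_hash(msg)).

    Returns (m1, m2, hashes_used). `tag` keeps the message spaces of
    separate searches disjoint, so each search yields an unrelated pair.
    """
    seen = {}
    count = 0
    while True:
        msg = tag + b"-" + str(count).encode()
        count += 1
        key = extract(toy_hash(msg))
        if key in seen:
            return seen[key], msg, count
        seen[key] = msg


def truncated_collision_oracle(call_id: int):
    """Hypothetical oracle: a fresh pair colliding on the first K_BITS only."""
    return birthday(b"oracle-%d" % call_id, lambda h: h >> R_BITS)


def full_collision_via_oracle(trial: int):
    """Call the oracle until one returned pair also agrees on the last R_BITS."""
    calls = hashes = 0
    while True:
        m1, m2, used = truncated_collision_oracle(trial * 10**6 + calls)
        calls += 1
        hashes += used
        if toy_hash(m1) == toy_hash(m2):
            return m1, m2, calls, hashes


def experiment(trials: int = 30):
    """Average cost of both routes to a collision on all K_BITS + R_BITS bits."""
    calls = oracle_hashes = direct_hashes = 0
    for t in range(trials):
        _, _, c, used = full_collision_via_oracle(t)
        calls += c
        oracle_hashes += used
        # Baseline: ordinary birthday search on the whole toy hash.
        direct_hashes += birthday(b"direct-%d" % t, lambda h: h)[2]
    return {
        "mean_oracle_calls": calls / trials,
        "mean_oracle_hashes": oracle_hashes / trials,
        "mean_direct_hashes": direct_hashes / trials,
        "two_to_the_r": 2 ** R_BITS,
        "two_to_the_half_r": 2 ** (R_BITS // 2),
    }


if __name__ == "__main__":
    for name, value in experiment().items():
        print(f"{name:20s} {value}")
```

Because the two messages of a single returned pair must match each other in the remaining bits, the mean call count lands near 2^R_BITS rather than 2^(R_BITS/2), and the oracle route costs more hash evaluations than the direct birthday search at these sizes.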




Ostiary

2005-08-02 Thread Udhay Shankar N

Sounds interesting. Has anybody used this, and are there any comments?

Udhay

http://ingles.homeunix.org/software/ost/


Tools like ssh and lsh are great for allowing secure remote access to your 
system. They offer essentially full, flexible remote control of a machine, 
in an encrypted and authenticated manner. But they are complex pieces of 
software; there's no way to do what they do without being complex. And with 
complexity comes bugs. Tools like ssh and lsh, and VPNs like CIPE, PPTP, 
and more have all had serious flaws that would allow an attacker to get 
full control over your system.


If you leave such programs running all the time, you take the risk that 
someone is going to use an exploit on you before you have a chance to apply 
a patch. For some purposes, this is an acceptable - even necessary - 
tradeoff, but it would be nice to enable them only when actually needed, to 
minimize the risk. And for other purposes, ssh et al. are overkill. 
Perhaps you only really need to remotely initiate a limited set of 
operations. In this case, you don't need a shell prompt, just a way to 
securely kick off scripts from elsewhere.


Enter 'Ostiary'. It is designed to allow you to run a fixed set of commands 
remotely, without giving everyone else access to the same commands. It is 
designed to do exactly and only what is necessary for this, and no more. 
The only argument given to the command is the IP address of the client, and 
only if the authentication is successful. The following are the key design 
goals:


   * First, do no harm. It should not be possible to use the Ostiary 
system itself to damage the host it's running on. In particular, it's 
willing to accept false negatives (denying access to legitimate users) in 
order to prevent false positives (allowing access to invalid users).
   * Insofar as possible, eliminate any possibility of bugs causing 
undesired operations. Buffer overflows, timing attacks, etc. should be 
impossible for an external attacker to execute. There's no point in 
installing security software if it makes you less secure.
   * Be extremely modest in memory and CPU requirements. I want to be able 
to fire off commands on my webserver (running on a Mac SE/30, a 16MHz 68030 
machine) from my Palm Pilot (a 16MHz 68000 machine). Things like ssh 
already take 30 seconds or more to start up - I can't afford anything too 
fancy.
   * Keep things simple. I'm no crypto expert; I know I'm not capable of 
coming up with an ssh replacement. So I need to keep things so utterly 
simple that I can be sure I'm not missing anything important.





--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))




Re: Last WWII Comanche code talker dies in Oklahoma

2005-08-02 Thread Udhay Shankar N

At 04:55 AM 8/2/2005, Andreas Hasenack wrote:


 Last WWII Comanche code talker dies in Oklahoma

Wasn't that Navajo instead?


From the article:

Chibitty joined the Army in 1941 at Ft. Sill, Oklahoma, when he and other 
Comanches heard the Army wanted them. Navajo Indians were used for the 
same purpose in the Pacific theater.


By the time the code talkers got to England, the Allies had amassed the 
largest invasion force in history.


Chibitty's unit landed on June 6, 1944, with Brig. Gen. Theodore Roosevelt 
Jr. on Utah beach, but in the wrong place. One of the code talkers sent 
the first message of D-Day: "Right beach, wrong place."



--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))




Re: Ostiary

2005-08-02 Thread Ian Grigg
On Tuesday 02 August 2005 13:26, Udhay Shankar N wrote:
 Sounds interesting. Has anybody used this, and are there any comments?
 
 Udhay
 
 http://ingles.homeunix.org/software/ost/

 ... 
 Perhaps you only really need to remotely initiate a limited set of 
 operations. In this case, you don't need a shell prompt, just a way to 
 securely kick off scripts from elsewhere.
 
 Enter 'Ostiary'. It is designed to allow you to run a fixed set of commands 
 remotely, without giving everyone else access to the same commands. It is 
 designed to do exactly and only what is necessary for this, and no more. 

I recently wrote this as a login program that was
hard coded to run the commands concerned.

The reason for doing this instead of the Ostiary
approach is that SSH had to be running anyway,
and SSH provides the key management regime.
Without that, I'd have to invent my own which
in Ostiary's case was the Hashing mechanisms.
So on this point it would come down to whether
we cared enough to replace SSH's authentication
regime, which I'd think would be rarer (perhaps
in the embedded market where Unix doesn't need
maintaining??).

Also, efficiency of command sending was not
an issue - each send was about 10 seconds in
my tests.


 * Keep things simple. I'm no crypto expert; I know I'm not capable of 
 coming up with an ssh replacement. So I need to keep things so utterly 
 simple that I can be sure I'm not missing anything important.

I think it is smart to keep things simple regardless
of one's expertise :)  Also, I wouldn't overdo the
hackability argument.  If flaws are found, you'll
find time to fix them, and for the cost of a few
hacked boxes, you'll have the benefit of a lot
more secured boxes.

iang
-- 
Advances in Financial Cryptography, Issue 2:
   https://www.financialcryptography.com/mt/archives/000498.html
Mark Stiegler, An Introduction to Petname Systems
Nick Szabo, Scarce Objects
Ian Grigg, Triple Entry Accounting



Re: Last WWII Comanche code talker dies in Oklahoma

2005-08-02 Thread Victor Duchovni
On Mon, Aug 01, 2005 at 08:25:35PM -0300, Andreas Hasenack wrote:

 On Monday 01 August 2005 02:40, Udhay Shankar N wrote:
  [resending this, after it didn't reach the list first time. I seem to have 
  fallen off the list, and am back on now. I hope this isn't a repeat. /udhay]
  
  http://aolsvc.news.aol.com/news/article.adp?id=20050721170009990017
  
  Last WWII Comanche code talker dies in Oklahoma
 
 Wasn't that Navajo instead?
 

No, the Navajo code talkers were used in the Pacific, in Europe it was
the Comanches.

-- 
Victor Duchovni
IT Security, Morgan Stanley



Re: Ostiary

2005-08-02 Thread Karl Chen
As an authentication protocol, it looks vulnerable to a time
synchronization attack: an attacker that can desynchronize the server
and client's clocks predictably can block the client's authentication
and use it as his own.  (Assuming the server's clock is monotonically
increasing, the command can only be used once.)  If the command utilizes
the IP address (e.g. as a port knock), this is a security hole.

Karl

On Tue, 2005-08-02 at 17:56 +0530, Udhay Shankar N wrote:
 Sounds interesting. Has anybody used this, and are there any comments?
 
 Udhay
 
 http://ingles.homeunix.org/software/ost/




Re: Ostiary

2005-08-02 Thread Nicolas Rachinsky
* Karl Chen [EMAIL PROTECTED] [2005-08-02 09:24 -0700]:
 As an authentication protocol, it looks vulnerable to a time
 synchronization attack: an attacker that can desynchronize the server
 and client's clocks predictably can block the client's authentication
 and use it as his own.  (Assuming the server's clock is monotonically

I don't see where the client's time is used. What am I missing?

Nicolas

PS:
Why is this list blocking my mail if the envelope-from is not
subscribed?

[Moderator's note: there is this little known phenomenon called spam
we like to avoid... it is much harder to moderate a list if you have
to wade through 400 garbage messages a day... --Perry]


[fc-announce] CFP FC'06: Financial Cryptography and Data Security

2005-08-02 Thread R.A. Hettinga

--- begin forwarded text


 To: [EMAIL PROTECTED]
 From: Avi Rubin [EMAIL PROTECTED]
 Subject: [fc-announce] CFP FC'06: Financial Cryptography and Data Security
 Sender: [EMAIL PROTECTED]
 Date: Tue, 2 Aug 2005 13:58:29 -0400

 Call for Papers

  FC'06: Financial Cryptography and Data Security
   http://fc06.ifca.ai/

  Tenth International Conference
   February 27 to March 2, 2006
   Anguilla, British West Indies

  Submissions Due Date: October 17, 2005

 Program Chairs: Giovanni Di Crescenzo (Telcordia)
  Avi Rubin (Johns Hopkins University)

 General Chair: Patrick McDaniel (Penn State University)

 Local Arrangements Chair: Rafael Hirschfeld (Unipay Technologies)

 At its 10th year edition, Financial Cryptography and Data Security
 (FC'06) is a well established and major international forum for
 research, advanced development, education, exploration, and debate
 regarding security in the context of finance and commerce. We will
 continue last year's augmentation of the conference title and expansion
 of our scope to cover all aspects of securing transactions and systems.
 These aspects include a range of technical areas such as: cryptography,
 payment systems, secure transaction architectures, software systems and
 tools, user and operator interfaces, fraud prevention, secure IT
 infrastructure, and analysis methodologies. Our focus will also
 encompass financial, legal, business and policy aspects. Material both
 on theoretical (fundamental) aspects of securing systems, on secure
 applications and real-world deployments will be considered.

 The conference goal is to bring together top cryptographers,
 data-security specialists, and scientists with economists, bankers,
 implementers, and policy makers. Intimate and colorful by tradition,
 the FC'06 program will feature invited talks, academic presentations,
 technical demonstrations, and panel discussions. In addition, we will
 celebrate this 10th year edition with a number of initiatives, such as:
 especially focused session, technical and historical state-of-the-art
 panels, and one session of surveys.

 This conference is organized annually by the International Financial
 Cryptography Association (IFCA).

 Original papers, surveys and presentations on all aspects of financial
 and commerce security are invited. Submissions must have a visible
 bearing on financial and commerce security issues, but can be
 interdisciplinary in nature and need not be exclusively concerned with
 cryptography or security. Possible topics for submission to the various
 sessions include, but are not limited to:

 Anonymity and Privacy
 Auctions
 Audit and Auditability
 Authentication and Identification, including Biometrics
 Certification and Authorization
 Commercial Cryptographic Applications
 Commercial Transactions and Contracts
 Digital Cash and Payment Systems
 Digital Incentive and Loyalty Systems
 Digital Rights Management
 Financial Regulation and Reporting
 Fraud Detection
 Game Theoretic Approaches to Security
 Identity Theft, Phishing and Social Engineering
 Infrastructure Design
 Legal and Regulatory Issues
 Microfinance and Micropayments
 Monitoring, Management and Operations
 Reputation Systems
 RFID-Based and Contactless Payment Systems
 Risk Assessment and Management
 Secure Banking and Financial Web Services
 Securing Emerging Computational Paradigms
 Security and Risk Perceptions and Judgments
 Security Economics
 Smart Cards and Secure Tokens
 Trust Management
 Trustability and Trustworthiness
 Underground-Market Economics
 Usability and Acceptance of Security Systems
 User and Operator Interfaces
 Voting system security

   Submission Instructions

 Submission Categories

 FC'06 is inviting submissions in four categories: (1) research papers,
 (2) systems and applications presentations, (3) panel sessions, (4)
 surveys. For all accepted submissions, at least one author must attend
 the conference and present the work.

 Research Papers

 Research papers should describe novel scientific contributions to the
 field, and they will be subject to rigorous peer review. Papers can be
 a maximum of 15 pages in length (including references and appendices),
 and accepted submissions will be published in full in the conference
 proceedings.

 Systems and Application Presentations

 Submissions in this category should describe novel or successful
 systems with an emphasis on secure digital commerce applications.
 Presentations may concern commercial systems,