2nd CCS 1994 PREFACE

Welcome to the 2nd ACM Conference on Computer and Communications Security! Building on our highly successful inaugural conference in 1993, we are proud to be able to again present a program consisting of high quality papers on many aspects of security research and practice. Those of us putting together the inaugural conference were concerned about the level of quality we would be able to attain, and after the hugely successful debut, we wondered if we could establish a trend. The depth and breadth of this year's program allow us to now be certain that this conference has quickly established itself as one of the highest quality security conferences.

Our conference has also established its own unique identity in at least two major ways. First, this is a conference that is inclusive of the best in all security disciplines - from cryptographers to MLS theorists to firewall designers to those creating policy for an organization's security to those dreaming of secure electronic commerce to just about any aspect of security. This has the tremendous benefit of bringing together security researchers from different sub-specialties. The resulting exposure might well produce the kind of cross-fertilization that we feel has been lacking in the past. Second, our conference clearly sends the message that: If you have a practical paper reflecting security practice or experience with insights that would be valuable to the community - we will publish it (even if it does not have any theorems!). We are firmly convinced that it is unwise to segregate good theory papers and good practice papers into different conferences, and hence create distinct theory and practice communities.
The perils of our new distributed systems with the massive interconnectivity of the information superhighway, and the rapid transition from paper to electronic media for functions such as commerce mean that: a) Security theorists need to have a much better understanding of real world problems and threat environments than in the past, and b) Security practitioners need to quickly implement brand new security technologies. Our conference is an attempt to help catalyze the security community's energies in these directions.

So what was the process by which this program came into being? We received 70 papers, each of which was sent to 3 or 4 members of the program committee, without revealing the identity of the authors. The committee members reviewed the papers (or had the papers reviewed by referees knowledgeable in the particular area) and then sent the reviews with quantitative and qualitative comments to the program chairs. The program chairs ranked the papers based on the quantitative scores and then the entire committee met for a day-long meeting. Every paper which had at least one ACCEPT from a committee member was tabled for discussion, and several others with multiple MAYBE's were discussed. The committee deliberated over each paper and arrived at the final list of papers that appear in the program. Given that we were limited to a three-day conference, the process soon became highly selective. The process of selection was not always easy - e.g. how do you choose between a 'good paper' describing a company's experience with security problems and a 'good paper' proving theoretical bounds on the message complexity of a security protocol? Several of the decisions were hard, and a few (judging by the sometimes heated discussions in the committee) clearly debatable, but all were based on an honest attempt by the committee members present to be fair to the authors.
Our committee members (except the General and Program Chairs) were allowed to submit papers, and some of the papers in the program are authored by members of the committee. In addition to the strictly anonymous initial reviews, during the meeting, committee members left the room when their papers were being discussed.

Our conference was put together with the support of several people. To begin with, we are extremely grateful to ACM SIGSAC for sponsoring this effort. Daniel Faigin, Chairman of SIGSAC, and Lois Blankstein at ACM have repeatedly proved to be valuable resources. Our conference was hosted by Bell Atlantic and George Mason University, and we thank these organizations for their financial support and encouragement. We would especially like to thank Wilson Parran and Ralph Szygenda at Bell Atlantic for their support. Special thanks also to Srinivas Ganta, Savith Kandala and Roshan Thomas of GMU for their assistance. Susan Quirk and Diane Waters at GMU, as always, did a superb job in taking care of registration and local arrangements.

The success of the conference depends on the quality of the program selection. A huge debt of appreciation is owed to our Program Committee, and the external referees they contacted, for the difficult job they successfully executed. The organization of a conference is a complex, time-consuming and demanding project. Li Gong, our Publicity Chair, Rich Graveman, our Treasurer, and Jacques Stern, our Publications Chair and European Contact, have each made absolutely invaluable contributions and we are grateful to them.

Finally, we would like to thank those whose efforts are instrumental in making this conference a success - the authors who submitted papers and the participants who have chosen to honor us with their presence. Hope you enjoy the conference and see you again at the 3rd ACM Conference on Computer and Communications Security!

Dorothy Denning & Raymond Pyle
General Chairs

Ravi Ganesan & Ravi Sandhu
Program Chairs