Next: Specification and Verification I
Up: Lent Term 2002: Part
Previous: Optimising Compilers
  Contents
Lecturer: Mr M.G. Kuhn
(mgk25@cl.cam.ac.uk)
No. of lectures + examples classes: 14 + 2
Prerequisite courses: Introduction to Security, Discrete
Mathematics, Operating Systems, Digital Communication,
Information Theory and Coding
This course is a prerequisite for E-Commerce (Part II).
Aims
This course not only offers an extended treatment of the basic topics
covered in Introduction to Security but also includes more
specialised areas such as CPU-based protection mechanisms, physical
security, steganography, copyright protection techniques, anonymous
communication, vulnerabilities of network protocols, security
management.
Lectures
- What is security?
A review of security applications and policy models. Bell-LaPadula,
the lattice model, Clark-Wilson, Biba, Chinese Wall, the BMA policy.
- Access control mechanisms.
CPU supervisor modes, protection rings, object reuse, virtual
machines, access control lists, capabilities, decidability, role-based
systems, delegation and revocation of rights, reference monitors,
trusted computing base, bus encryption.
- Software and network infrastructure security.
Historic and current Unix and Internet vulnerabilities
(worms/viruses/Trojans). Vulnerabilities of common network protocols,
buffer overflows, race conditions, parameter checking, password
management, firewalls, intrusion detection. [2 lectures]
- Hardware security.
Tamper-resistant cryptographic modules, smartcards, security seals,
biometric sensors, building access control, intruder alarms,
eavesdropping technology, cross-talk on cables, compromising
emanations. [2 lectures]
- Information hiding.
Historic and modern steganography, covert and subliminal channels,
copyright watermarking schemes and their vulnerabilities, low
probability of intercept communication, anonymous communication.
- Cryptography.
Historic ciphers, unconditional security, unicity distance, Vernam
cipher, computational security, key space and key-search engines,
collision attacks and birthday paradox, shift-register based
encryption algorithms.
- Block ciphers.
Example block ciphers: DES, TEA, AES. Differential and linear
cryptanalysis, the random oracle model, splicing and
meet-in-the-middle attacks, message authentication codes and hash
functions, differential fault and power analysis.
- Symmetric cryptographic protocols.
Authentication and key exchange, Needham-Schroeder, Otway-Rees,
Kerberos. Formal verification of security protocols: the BAN logic.
- Asymmetric cryptosystems and protocols.
RSA cryptosystem, discrete logarithm algorithms, factoring algorithms,
identity based and threshold schemes, non-repudiation, zero knowledge
proofs, blind signatures and digital cash, applications (X.509, SSL,
SSH, and PGP). [2 lectures]
- Security evaluation and management
How to plan for things going wrong. Baseline protection, business
continuity planning, threat trees, information security management
(ISO 17799), security product evaluation (TCSEC, ITSEC, Common
Criteria, protection profiles, evaluation assurance levels).
- Legal and organisational aspects.
(Guest lecture.) The Data Protection Act, the Computer Misuse Act, the
Regulation of Investigatory Powers Act, Conditional Access Directive,
due diligence, protection versus insurance, legal recognition of
electronic signatures, handling of security incidents, abuse, and
general legal issues.
Objectives
At the end of the course students should be able to tackle an
information protection problem by drawing up a threat model,
formulating a security policy, and designing specific protection
mechanisms to implement the policy.
Recommended books
Anderson, R. (2001). Security Engineering: A Guide to Building
Dependable Distributed Systems. Wiley.
Gollmann, D. (1999). Computer Security. Wiley.
Stinson, D.R. (1995). Cryptography: Theory and Practice. CRC Press.
Further reading:
Menzenes, A.J. et al. (1996). Handbook of Applied Cryptography.
CRC Press.
Schneier, B. (1995). Applied Cryptography: Protocols, Algorithms,
and Source in C. Wiley (2nd ed.).
Cheswick, W.R. & Bellovin, S.M. (2001). Firewalls and Internet
Security: Repelling the Wily Hacker. Addison-Wesley (2nd ed.).
Garfinkel, S. & Spafford, G. (1996). Practical Unix and Internet
Security. O'Reilly (2nd ed.).
Koblitz, N. (1994). A Course in Number Theory and
Cryptography. Springer-Verlag (2nd ed.).
Amoroso, E. (1994). Fundamentals of Computer Security
Technology. Prentice-Hall.
Next: Specification and Verification I
Up: Lent Term 2002: Part
Previous: Optimising Compilers
  Contents
Christine Northeast
Tue Sep 4 09:34:31 BST 2001