Computer Laboratory

Course material 2010–11

Security II

Principal lecturer: Prof Ross Anderson
Taken by: Part II

I wrote up my lecture notes for this course into a book the first edition of which is now available online without charge. Another free book is the Handbook of Applied Cryptography which covers crypto algorithms, protocols and theory in more detail, while the information security chapter from Jerry Saltzer and Frans Kaashoek's MIT Computer System Design course is also definitely worth a look.

Lecture slides

Here are the slides for the first part of the course (security policy and mechanism), and for the second part (protocols, crypto and security economics).

Guest lecture slides

November 5 (Sergei Skorobogatov on physical security of crypto processors): the slides are here, and you can also read book chapters 16 and 17 (second edition) or 14 and 15 (first edition). You might also look at our survey of cryptographic processors.

November 12 (Robert Watson on concurrency vulnerabilities): slides and paper.

November 17 (Joe Bonneau on web authentication): slides.

November 22 (Steven Murdoch on anonymity): here are the slides; see also chapter 23 of my book's second edition.

Further reading

Lectures 1-4 (security policy): see book chapters 1, 8, 9 and 10 (second edition) or 1, 7, 8 and 9 (first edition). A US report tells the history of classifications and clearances, with a discussion of its technical shortcomings; on the policy front, an article in the Washington Post describes the hypertrophy of US intelligence agencies since 9/11. The UK government's security policy framework is here; its predecessor is here. Here's the snooping dragon paper, and a news article on the use of targeted malware in fraud (more from the FBI, and here). The statistical disclosure control documents for the 2011 census can be found here while one critique can be found here.

Lecture 6 (physical security, psychology): see book chapters 2 and 11, and a Google tech talk I gave on searching for covert communities and villains online. The most detailed security psychology tutorial is probably a set of five book chapters by Peter Gutmann. You might also find the blog of our recent security psychology workshop interesting.

Lecture 7 (telecomms security, malware and firewalls): see book chapters 20 and 21 (second edition) or 17 and 18 (first edition). Cheswick and Bellovin's Firewalls and Internet Security: Repelling the Wily Hacker is a classic, while Howard and Leblanc's Writing Secure Code is also well worth a look. In the lecture I said I wasn't aware of any cases of slamming in the UK; well, I am now. The mobile phone industry's lack of concern about security is documented here. Finally, the latest on Stuxnet is here, here, here, here and here.

Lecture 9 (cryptography revision, with basics of stream and block ciphers): see book chapter 5, and do browse other crypto books too. Stinson is maybe the best introduction to block cipher design while Menezes, van Oorschot and Vanstone is a handy reference.

Lecture 8, 10 (shared-key authentication protocols): book chapter 3 (second edition) or 2 (first edition); and there's material on API attacks at chapter 18 of my book. You might also look at the BAN logic.

Lecture 14-15 (crypto engineering and public-key protocols): again look at book chapter 5. You might also enjoy the original Diffie-Hellman and RSA papers. For the fancy protocols such as secret sharing, zero knowledge, digital cash and so on you can get a gentle introduction in Schneier; the mathematically-inclined might prefer books with more proofs such as Stinson or Koblitz. For the protocols side of things you can look at our papers on Programming Satan's Computer and Robustness principles for public key protocols.

Lecture 16 (security economics): see book chapter 7 (second edition) or our survey paper. For more, explore the Economics and Security Resource Page.