Computer Laboratory

Course pages 2013–14

Security II

Principal lecturers: Dr Frank Stajano, Dr Markus Kuhn
Taken by: Part II
Past exam questions: Security II, Security
Information for supervisors (contact lecturer for access permission)

No. of lectures: 16
Suggested hours of supervisions: 4
Prerequisite courses: Security I, Probability, Economics and Law, Operating Systems, Computer Networking, Principles of Communications, Complexity Theory
This course is a prerequisite for E-Commerce.


This course aims to give students a thorough understanding of security engineering as a systems discipline, from security policies (modelling what ought to be protected) to mechanisms (how to implement the protection goals). It also covers the interaction of security with psychology and usability; anonymity; security economics; cryptography and its underlying mathematics; electrical engineering issues such as tamper resistance; and a wide variety of attacks ranging from cryptanalysis to physical security.


  • Security, human factors and psychology. Usability failures. Incompatibility between security requests and work practices. Thinking like an attacker/victim. Social engineering. Phishing. Why do scams work? Social psychology. Decision under risk. Prospect theory as a critique of Expected Utility theory. Framing.
    [Refs: “Why Johnny can’t encrypt”, “Users are not the enemy”, The art of deception, “Understanding scam victims”, Influence: science and practice, “The compliance budget”, “Maps of bounded rationality”] [2.5 lectures]

  • Passwords. Usability and security problems of passwords. Taxonomy of replacement schemes and their salient features. Why passwords continue to dominate. [Refs: “The quest to replace passwords”, “Pico: no more passwords”, “The password thicket”] [0.5 lectures]

  • Security policies. Terminology: policy, profile, target. Vaporware policies. Influential security policies: Bell-LaPadula (multi-level security, lattices, covert channels, downgrading), Biba, Clark-Wilson (double-entry bookkeeping, separation of duties), Resurrecting Duckling (ubiquitous computing, bootstrapping a security association). [1.5 lectures]

  • Physical security. Relevance in systems security context. Pin tumbler locks. Lockpicking. Bumping. “Cryptology and physical security: rights amplification in master-keyed mechanical locks”. Burglar alarms. Sensor defeats; feature interactions; attacks on communications; attacks on trust. [0.5 lectures]

  • Security economics. Why is security management hard? Misaligned incentives. Asymmetric information. Externalities. Adverse selection. Case studies: security seals, markets for vulnerabilities, phishing website takedown, cost of cybercrime.

  • Anonymity and censorship resistance. Censorship on the web: goals, technology (DNS tampering, IP blocking etc). Blocking through laws or intimidation. Why privacy and anonymity? Remailers, mix networks, attacks. Censorship resistance tools and their architecture: Tor, Freenet, Psiphon.

  • Tamper resistance and hardware security. Who needs secure chips? Taxonomy of attacks. Taxonomy of tamper protection levels. Non-invasive attacks: timing attacks, power analysis, emission analysis, data remanence, fault injection. Invasive attacks: imaging, microprobing, FIB-based modification. Semi-invasive attacks: imaging, fault injection, side channel. Defensive technologies.

  • Concurrency and security. Consistency models, ACID properties, race conditions, multi-threading side channels, system-call wrapper vulnerabilities, practical attacks, security principles.

  • Private-key encryption. Perfect secrecy, indistinguishability experiments, stream ciphers, pseudo-random generators, security for multiple encryptions.

  • Chosen-plaintext attack security. Pseudo-random functions and permutations, oracle queries, birthday problem, random mappings, cycles, modes of operation, CBC, OFB, CNT, malleability.

  • Message authentication codes. Existential unforgeability, replay attacks and security protocols, CBC-MAC, ECBC-MAC, CMAC, birthday attacks.

  • Authenticated encryption. Chosen-ciphertext attack security, ciphertext integrity, encrypt-and-authenticate, authenticate-then-encrypt, encrypt-then-authenticate, padding oracle example.

  • Key distribution problem. Needham-Schroeder protocol, Kerberos, hardware-security modules, public-key cryptography, CPA and CCA security for public-key encryption schemes.

  • Number theory. Modular arithmetic, greatest common divisor, Euclid’s algorithm, modular inversion, groups, rings, fields, finite groups, cyclic groups, generators, Euler’s theorem, Chinese remainder theorem, modular roots, subgroup of quadratic residues, modular exponentiation, easy and difficult problems.

  • Trapdoor permutations. Security definition, turning one into a public-key encryption scheme, RSA, attacks on “textbook” RSA, RSA as a trapdoor permutation, optimal asymmetric encryption padding, common factor attacks.


At the end of the course students should be able to tackle an information protection problem by drawing up a threat model, formulating a security policy, and designing specific protection mechanisms to implement the policy.

Recommended reading

* Anderson, R. (2008). Security engineering. Wiley (2nd ed.). Freely downloadable in PDF from
Katz, J., Lindell, Y. Introduction to modern cryptography. Chapman & Hall/CRC, 2008.

Further reading:

Gollmann, D. (2010). Computer security. Wiley (3rd ed.).
Cialdini, R. (2008). Influence: science and practice. Pearson (5th ed.).
Stajano, F. (2002). Security for ubiquitous computing. Wiley.
Kahneman, D. (2012). Thinking fast and slow. Penguin.