Security

Lecturer: Dr R. Anderson (rja14@cl.cam.ac.uk)

No. of lectures: 12

Prerequisite courses: Discrete Mathematics, Operating Systems, Digital Communication I  

What is security?

Typical applications.

Cash machines, prepayment cards, book-keeping systems, multilevel secure systems, electronic warfare. Common goals and definitions.

Symmetric cryptosystems.

One-time-pads, shift register based systems, SAFER and DES. Attacks on these systems: fast correlation attacks, differential and linear cryptanalysis.

Cryptographic modes of operation.

Splicing and meet-in-the-middle attacks. Message authentication codes and hash functions.

Asymmetric cryptosystems.

ElGamal, DSA. Euler's theorem and RSA: an overview of factoring algorithms. Identity based and threshold schemes. Diffie-Hellman.

Cryptographic protocols.

Needham-Schroder, Otway-Rees, Kerberos, Denning-Sacco, TMN. Secret sharing. Subliminal channels. Digital cash. PGP and PEM. The BAN logic.

Access control.

Access matrices, access control lists, capabilities, role-based systems, granularity. Unix, VME and MVS systems. Password cracking. Intrusion detection and audit.

Security policy models.

Bell-LaPadula, Clark-Wilson, Biba. Covert channels. Polyinstantiation. Inference control. Viruses and other malicious code. Password sniffing attacks. Firewalls.

Security engineering.

What goes wrong with real systems. Examples from banking, military and other applications. Threat trees; risk models; robustness; dependability; engineering disciplines. TCSEC and ITSEC.

Legal and policy aspects of computer security.

The Data Protection Act; the Computer Misuse Act; international aspects. Export control and key escrow.

Organisational issues.

Why is security management hard? Risk reduction versus transference, due diligence and the role of insurance.

Recommended books:

Schneier, B. (1995). Applied Cryptography: Protocols, Algorithms, and Source in C. Wiley (2nd ed.).

Amoroso, E. (1994). Fundamentals of Computer Security Technology. Prentice-Hall.

Further reading:

Kahn, D. (1966). The Codebreakers: the Story of Secret Writing. Weidenfeld and Nicolson.

Cheswick, W.R. & Bellovin, S.M. (1994). Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley.

Biham, E. & Shamir, A. (1993). Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag.

Koblitz, N. (1994). A Course in Number Theory and Cryptography. Springer-Verlag (2nd ed.).

Neumann, P. (1994). Computer Related Risks. Addison-Wesley.

Leveson, N.G. (1995). Safeware: System Safety and Computers. Addison-Wesley.

Denning, D. (1982). Cryptography and Data Security. Addison-Wesley.

Davies, D.W. & Price, W.L. (1984). Security for Computer Networks. Wiley.

Beker, H. & Piper, F. (1982). Cipher Systems. Northwood.

Cohen, F.B. (1994). A Short Course on Computer Viruses. Wiley (2nd ed.).

Garfinkel, S. & Spafford, G. (1996). Practical Unix and Internet Security. O'Reilly and Associates (2nd ed.).