Computer and Network Security
CMSC 414, Section 0101
Spring 2003
| Instructor |
Bob Fourney (fourney@cs.umd.edu) |
| TA |
Shang Chieh Wu (meou@cs.umd.edu)
Effective 2/17: Office hours: M 11:00- 12:00 AVW 1151 (TA room) and by
appointment
|
| Class Time |
Section 0101 MW 4:00-5:15 |
|
Class Location |
CSI 2107 |
|
Office hours |
My scheduled office hours (in AVW 1430) will
be:
MW 3:30-3:45,
MW 5:15-6:00, and
Frdy 2:00-4:00
These seem to be good times for commuter students who are taking a
4:00-5:15 class. These hours
may be adjusted if they are not convenient for a majority of
the students. Additionally, I spend most of my time on campus in the Security
Lab (AV Williams 1430). If I'm in, I can usually make time to talk to
students. If you are coming from off campus, please contact me by phone or
email to make an appointment and ensure that I will be avilable.
Phone number: (301)-405-6750.
Please do not disturb me between the hours of 9:00-12:00 on Mondays
and Wednesdays
|
| Text |
Computer Security: Art and Science by
Matthew A. Bishop, published by Addison Wesley Longman, Inc.
This book is now available (albeit in limited quantities) at the bookstores.
Depending on how long it will take them to get additional copies, you might
want to look at
Amazon, the publisher (
Addison Wesley), or other off-campus
sources.
The text will also be supplemented with additional articles and papers,
most of which will soon be linked below. The remainder will be linked from
this page and/or handed out in class as they are assigned.
|
| Class news group |
csd.cmsc414
|
| Computer Accounts |
You have been issued an acouunt on
the
CSIC Linux Lab
machines.
These accounts are not on the detective cluster, and they
are not administered by the OIT.
Check out the above link for basic information. If you have further questions,
consult the Linux lab news group: csd.csiclab, the TA, or myself.
|
Breaking News:
If you are one of the students who received additional points for
problem 3 on the midterm (or any other problem), please bring your midterm
exam to the final exam in order to ensure that you receive the credit you
deserve.
0. A list of topics to concentrate
on for the final exam and a way to
estimate your project grade.
1. Here are a couple of the scenarios
you might be asked to work with in your PKI project.
2. Some of you emailed to say you lost your copy of
Homework 5. Also note that, as per class
discussion on Wednesday, I will count the best 4 of the 5 homeworks. If you're
happy with
your homework grade, you may skip this one and concentrate on your project.
As you work on the project, keep Homework 5
in mind, you may find that you've completed most of the requirements
(especially if your Homework 4 was implemented correctly) simply by working
on your project.
3. Documentation and technical info on the
CSIC Linux Lab, as
well as administrative
info (such as hours of operation).
| Prerequisites |
| A grade of C or better in CMSC 311 and CMSC 330 and permission of
the department.
The material covered in this course is not very difficult, BUT
there is a great deal of material and it covers a wide range of topics within
the area of computer science. You do not want to fall behind in this class,
and if you are unable to quickly grasp these varied concepts you will have
difficulty.
This is a Computer Science course, and the homeworks and project will involve
programming. If you are not comfortable with programming, you will have
difficulty in this class. If you fail to complete the final project you will
fail this class |
| Course Description |
| This class serves as an introduction to information systems
security and covers security issues at an undergraduate level
In the past, information systems security has been of legitimate concern only
to the military, members of various financial communities, and a very small
set of commercial systems . With the recent
explosive growth and merging of telecommunications and computing, security
has become an integral element of any reliable and robust information systems
environment. Unfortunately, most current commercial products ignore security
in favor of a user friendly environment and performance. The side-effects
of this decision are now well documented in the press. It therefore stands to
reason that future computer science graduates will require a working knowledge
of the basic security issues discussed in this class. |
| Course Work |
| There will be several homework assignments, each of which
will require both written and
programming exercises, as well as both a midterm and a final examination.
A programming term project will also be required.
Unless otherwise specified, all work that you submit in this course must be your own; unauthorized collaboration is considered academic dishonesty. Please save us both a
lot of trouble by realizing that I will pursue any such transgressions to the fullest
extent possible.
Details for the submission of each assignment will be included in the assignment or provided via this webpage. All assignments MUST be turned in prior
to the beginning of class on the date due. This may require handing in written results
in the classroom prior to the start of class, or submitting them electronically
as per the directions included with the assignment. As a rule, late assigments are not
generally accepted (e.g., attempting to hand in an assigment after the start of class
on the due date will result in a grade of 0 for that assignment).
Late assignments will only be accepted under exceptional
circumstances AND with prior arrangement. A penalty may apply.
|
| Grading Policy |
| Final grades will be determined via the following
breakdown: |
| Homework |
15% |
| Midterm |
25% |
| Project |
20% |
| Final |
30% |
| Class Participation |
10% |
|
Programming assignments and the course project will be graded on both
correctness and documentation. A project that fails on the provided test cases
(and those used in grading) will obviously not receive a favorable grade. A project
that passes all tests, but does not contain reasonable documentation will
also not receive a favorable grade. Security is a subset of reliability-
good design and documentation increases the reliability of your code and
thus the security.
Your class participation grade will be determined by your on time
attendance to class, your participation in classroom discussions, and
your scores on pop quizzes. Pop quizzes, when given, will cover material
previously covered in class, previous reading assignments, and simple questions
on the current days reading assignment.
Please read
Making the Grade by Kurt Wiesenfeld and keep his views (which I share)
in mind when deciding how much effort to invest in your coursework.
|
| Schedule of Upcoming Classes |
| No. |
Date |
Topic and Reading Assignment |
| 1 |
Jan 29 |
Introduction and Motivation
Chapter 1
|
| 2 |
Feb 3 |
Foundations: Basic Encryption and Decryption
Chapter 9 through section 9.2.2
The
example on breaking Vigenere Ciphers (via Kasiski's method)
discussed in class.
More
information on Vigenere and index of coincidence.
Vigenere encoder/decoder
|
| 3 |
Feb 5 |
Foundations: Symmetric Encryption
Sections 9.2.3 and 9.2.4
|
| 4 |
Feb 10 |
Foundations: Asymmetric Encryption and Cryptographic Hashes
Sections 9.3 and 9.4 Why
Cryptosystems Fail, Ross Anderson.
Remedial information on
modular arithmetic.
You are not responsible for ring or group theory, but should be able to add,
subtract, multiply, and raise numbers to an exponent (mod whatever), as well
as explain when and why you may not be able to find multiplicative inverses.
Homework 1 Due prior to class
Homework 2 handed out in class
Homework 2 FAQ, and
format requirements.
Homework 2 Submit Instructions
Sun's
Sockets tutorial
|
| 5 |
Feb 12 |
Foundations: Access Control
Chapter 2
|
| 6 |
Feb 17 |
Class Cancelled due to snow. Homework 2 now due 2/19 at 4:00 pm
|
| 7 |
Feb 19 |
Class Cancelled due to snow. Homework 2 is still due at 4:00 pm today
If you have your documentation in electronic form, send it along with
the source code. If not, bring it to my mailbox or my office next time you
are on campus.
|
| 8 |
Feb 24 |
Security Policies
Chapter 4
Confidentiality
Chapter 5 through 5.2.2.2
and 5.3 to 5.3.1
Homework 3 to be handed out in class
Homework 3 format requirements.
|
| 9 |
Feb 26 |
Integrity
Chapter 6 through 6.3
Key Management
Chapter 10
|
| 10 |
Mar 3 |
Authentication
Chapter 12
Look at:
Ten Windows Password Myths by Mark Burnett.
(You won't be tested on anything specific to Windows, but this reading
provides some different examples of some of the issues we discuss in
Chapter 12)
|
| 11 |
Mar 5 |
Design Principles Chapter 13
|
| 12 |
Mar 10 |
Cipher Techniques and Network Security Protocols
Chapter 11 (We will not go into great detail on Section 11.4.1 (Privacy
Enhanced Mail) but will instead concentrate on the other two examples in 11.4)
Kerberos: An Authentication Service for Computer Networks
Homework 4 to be handed out in class.
and format
|
| 13 |
Mar 12 |
Representing Identity (Chapter 14)
|
| 14 |
Mar 17 |
Some catch up and and some review.
There will be new
material discussed today, and it will be on the exam. Chapter 15 will
not be covered until after this exam, and will therefore not
be on the exam.
|
| -- |
Mar 17 |
Evening review session for Midterm Exam
5:30 pm in CSIC 2107
|
| 15 |
Mar 19 |
Midterm Exam. Closed book, no notes, etc
|
| -- |
Mar 24 |
No Class -- Spring Break
|
| -- |
Mar 26 |
No Class -- Spring Break
|
|
16
|
Mar 31
|
Access Control, chapter 15
|
|
17
|
Apr 2
|
Confinement problem
Chapter 17
|
| 18 |
Apr 7 |
Malicious Logic
Chapter 22
|
| 19 |
Apr 9 |
Mobile Code and Java Security
Chapters 2 and
3
of Securing Java
by Gary McGraw and Ed Felten,
published by John Wiley & Sons, Inc.
(you may also want to look at Chapter
1, which
mainly provides background and motivation which you should have
already soaked up by this point in the course.)
|
| 20 |
Apr 14 |
Detailed project discussion.
Last day to drop with a W
|
| 21 |
Apr 16 |
Mobile Code and Java Security, Continued: Malicious and Attack Applets
Chapter 4
and 5
through section 5.4
of Securing Java
by Gary McGraw and Ed Felten,
published by John Wiley & Sons, Inc.
|
| 22 |
Apr 21 |
Vulnerability Analysis
Chapter 23
|
| 23 |
Apr 23 |
Auditing
Chapter 24
|
| 24 |
Apr 28 |
Intrusion Detection
Chapter 25
|
| 25 |
Apr 30 |
Buffer Overflows:
Smashing the
Stack for Fun and Profit by Aleph One.
|
| 26 |
May 5 |
Catch up on previous topics, intro to wireless, and discuss
your progress on your project. In fact today's quiz will deal with YOUR
project.
Background Info on Wireless Security:
Bernard Aboba's Wireless Page
|
| 27 |
May 7 |
Wireless network insecurity
UC Berkeley Analysis of WEP
Your 802.11 Network has no clothes
|
| 28 |
May 12 |
Incident handling and forensics
Dan Farmer and
Wietse Venema's Forensic links
Project Due before class today
|
| 29 |
May 14 |
In class review
|
| --- |
May 20 |
Evening Review: 5-7 pm CSIC 2107
|
|
Final Exam
|
May 22
|
1:30-3:30 pm in CSIC 2107 (Section 0101)
|
|