Computer and Network Security

Spring 2003

Professor Bill Arbaugh (
TA Seong-Wook Joo :  Office hours: TBD
Time MW: 2:00 - 3:15
Place CSI 2107
Office hours MW: 1:00 - 2:00 and by appointment (AVW 4137)
Text Computer Security: Art and Science by Matt Bishop (ISBN: 0-201-44099-7)

The text will also be supplemented with additional papers from links on this page.

Additional Information
It is highly recommended that you use CVS for version control. Information about CVS can be found here.

We will be using J2ME for ALL programming assignments. J2ME is a restricted version of Java designed to run on PDA's and cell phones. The course project will require you to program using J2ME so the homework assignments will give you experience using this development environment. A good text on J2ME is Java2 Micro Edition by James P. White and David A. Hemphill.

Student accounts are available for the Linux Cluster located in the CSI building. More on the lab can be found here. These machines will have the J2ME development environment loaded. You can, of course, download the development environment to your own machine should you desire to do so.

A grade of C or better in CMSC 311 and CMSC 330. 

NOTE: This course will cover a wide range of topics within computer science. If you are unable to quickly grasp these issues, you will have difficulty in the class. Review the course material here to ensure you're comfortable with the level. Also, all of the homework will include programming projects in java. If you are not comfortable programming, you will have great difficulty in this class.

Course Description
Until recently, information systems security has only been a focus of the military, and the financial communities. With the recent explosive growth and merging of telecommunications and computing, security has become an integral element of any reliable and robust information systems environment. Unfortunately, most current commercial products ignore security in favor of a user friendly environment and performance. The side-effects of this decision are now well documented in the press.

This class will cover information systems security at the under graduate level. 

Course Work
There will be several homework assignments (written and programming) as well as mid-term, and final examinations. A systems oriented term project will also be required.

NOTE: All work that you submit in this course must be your own; unauthorized group efforts are considered academic dishonesty. See the Undergraduate Catalog for definitions and sanctions.

NOTE: Failing to submit two or more homework assignments is cause for failure of the course.

Details for the submission of each assignment will be included in the assignment.

Late assignments will only be accepted under exceptional circumstances AND with prior arrangement. A penalty may apply.

Grading Policy
 Final grades will be determined using the following distribution:


Homework 15%
Midterm 25%
Project 20%
Final 30%
Class Participation 10%

Programming assignments and the course project will be graded on correctness as well as documentation. A project that fails on the provided test cases (and those used in grading) will not receive a favorable grade. A project that passes all tests, but does not contain reasonable documentation will also not receive a favorable grade. Security is a subset of reliability- good design and documentation increases the reliability of your code and thus the security.

Your class participation grade will be determined by your on time attendance to class, your participation in classroom discussions, and your scores on pop quizzes. Pop quizzes, when given, will cover material previously covered in class, previous reading assignments, and simple questions on the days reading assignment.

Please read Making the Grade by Kurt Wiesenfeld and keep his views (which I share) in mind when deciding how much effort to invest in your coursework.  The only reason why I have (or will) raise a grade is when I or the TA make an error in grading.
Schedule of Classes
No. Date Topic and Reading Assignment
1 Jan 29

Introduction and Motivation

Chapter 1 

2 Feb 3
Foundations: Basic Encryption and Decryption

Chapter 9 up to section 9.3

More information on Vigenere and index of coincidence.

A nice Vigenere web application.

A write up by Bob Fourney on the Vigenere cipher.

3 Feb 5

Foundations: Symmetric Encryption

Sections 9.2.3 and 9.2.4

Handout on AES

Homework #1 due.

4 Feb 10

Foundations: Asymmetric Encryption and Cryptographic Hashes

          Sections 9.3 - 9.8

Why Cryptosystems Fail, Ross Anderson.

Remedial information on modular arithmetic . You are not responsible for ring or group theory, but should be able to add,  subtract, multiply, and raise numbers to an exponent (mod whatever), as well  as explain when and why you may not be able to find multiplicative inverses.

5 Feb 12
Foundations: Access Control

Chapter 2


Feb 17

Campus closed due to snow


Feb 19

Campus closed due to snow

8 Feb 24

Security Policies

Chapter 4

Homework #2 due.

Confidentiality Policies

Chapter 5 (up to section 5.3)


Feb 26

Integrity Policies

Chapter 6

Key Management

10 Mar 3

Cipher Techniques and Network Security

Chapter 11 (Focus on SSL and IPsec)
Kerberos: An Authentication Service for Computer Networks

11 Mar 5 Identity

Chapter 14

12 Mar 10 Authentication

Chapter 12

Look at: Ten Windows Password Myths by Mark Burnett.  (You won't be tested on anything specific to Windows, but this reading provides some different examples of some of the issues we discuss in  Chapter 12)

Homework #3 due.

13 Mar 12 Design Principles

Chapter 13

14 Mar 17
Access Control

Chapter 15

15 Mar 19
16 Mar 31
Java Security

Chapter 2 and Chapter 3 of Securing Java, Gary McGraw and Ed Felton.

Project handout

17 Apr 2
Java Security

Chapter 4 of Securing Java, Gary McGraw and Ed Felton.

18 Apr 7
Confinement Problem

Chapter 17

Example source code for file existence channel

19 Apr 9

Project description

20 Apr 14

Wireless network insecurity
21 Apr 16 Wireless network security
Bernard Aboba's Wireless Page (NOTE: You are not responsible for everything on Bernard's page. It is for informational purposes only.)
22 Apr 21
Vulnerability Analysis

Chapter 23

Attack Trees, Bruce Schneier

23 Apr 23
Intrusion Detection

Chapter 25
24 Apr 28

Chapter 24
25 Apr 30

Incident handling and forensics: What to do when things go bad!

Dan Farmer and Wietse Venema's Forensic links

26 May 5
OS Security

Internet Voting

27 May 7
Malicious Logic

Chapter 22
28 May 12
Buffer Overflows

Smashing the Stack for Fun and Profit, Aleph One

29 May 14
Course Review

Projects due.

FINAL May 20
4:00 - 6:00