Computer and Network Security


CMSC 414, Section 0101


Spring 2003




Instructor Bob Fourney (fourney@cs.umd.edu)
TA Shang Chieh Wu (meou@cs.umd.edu) Effective 2/17: Office hours: M 11:00-12:00 AVW 1151 (TA room) and by appointment
Class Time Section 0101 MW 4:00-5:15
Class Location CSI 2107
Office hours My scheduled office hours (in AVW 1430) will be:

MW 3:30-3:45,
MW 5:15-6:00, and
Friday 2:00-4:00

These seem to be good times for commuter students who are taking a 4:00-5:15 class. These hours may be adjusted if they are not convenient for a majority of the students. Additionally, I spend most of my time on campus in the Security Lab (AV Williams 1430). If I'm in, I can usually make time to talk to students. If you are coming from off campus, please contact me by phone or email to make an appointment and ensure that I will be available. Phone number: (301)-405-6750.
Please do not disturb me between the hours of 9:00-12:00 on Mondays and Wednesdays.

Text Computer Security: Art and Science by Matthew A. Bishop, published by Addison Wesley Longman, Inc.

This book is now available (albeit in limited quantities) at the bookstores. Depending on how long it will take them to get additional copies, you might want to look at Amazon, the publisher (Addison Wesley), or other off-campus sources.

The text will also be supplemented with additional articles and papers, most of which will soon be linked below. The remainder will be linked from this page and/or handed out in class as they are assigned.

Class news group csd.cmsc414
Computer Accounts You have been issued an account on the CSIC Linux Lab machines. These accounts are not on the detective cluster, and they are not administered by the OIT. Check out the above link for basic information. If you have further questions, consult the Linux lab news group: csd.csiclab, the TA, or myself.


Breaking News:

If you are one of the students who received additional points for problem 3 on the midterm (or any other problem), please bring your midterm exam to the final exam in order to ensure that you receive the credit you deserve.

0. A list of topics to concentrate on for the final exam and a way to estimate your project grade.

1. Here are a couple of the scenarios you might be asked to work with in your PKI project.

2. Some of you emailed to say you lost your copy of Homework 5. Also note that, as per class discussion on Wednesday, I will count the best 4 of the 5 homeworks. If you're happy with your homework grade, you may skip this one and concentrate on your project. As you work on the project, keep Homework 5 in mind; you may find that you've completed most of the requirements (especially if your Homework 4 was implemented correctly) simply by working on your project.

3. Documentation and technical info on the CSIC Linux Lab, as well as administrative info (such as hours of operation).





Prerequisites
A grade of C or better in CMSC 311 and CMSC 330 and permission of the department. 

The material covered in this course is not very difficult, BUT there is a great deal of material and it covers a wide range of topics within the area of computer science. You do not want to fall behind in this class, and if you are unable to quickly grasp these varied concepts you will have difficulty. This is a Computer Science course, and the homeworks and project will involve programming. If you are not comfortable with programming, you will have difficulty in this class. If you fail to complete the final project you will fail this class.

Course Description
This class serves as an introduction to information systems security and covers security issues at an undergraduate level.

In the past, information systems security has been of legitimate concern only to the military, members of various financial communities, and a very small set of commercial systems. With the recent explosive growth and merging of telecommunications and computing, security has become an integral element of any reliable and robust information systems environment. Unfortunately, most current commercial products ignore security in favor of a user friendly environment and performance. The side-effects of this decision are now well documented in the press. It therefore stands to reason that future computer science graduates will require a working knowledge of the basic security issues discussed in this class.

Course Work
There will be several homework assignments, each of which will require both written and programming exercises, as well as both a midterm and a final examination. A programming term project will also be required.

Unless otherwise specified, all work that you submit in this course must be your own; unauthorized collaboration is considered academic dishonesty. Please save us both a lot of trouble by realizing that I will pursue any such transgressions to the fullest extent possible.

Details for the submission of each assignment will be included in the assignment or provided via this webpage. All assignments MUST be turned in prior to the beginning of class on the date due. This may require handing in written results in the classroom prior to the start of class, or submitting them electronically as per the directions included with the assignment. As a rule, late assignments are not generally accepted (e.g., attempting to hand in an assignment after the start of class on the due date will result in a grade of 0 for that assignment).

Late assignments will only be accepted under exceptional circumstances AND with prior arrangement. A penalty may apply.

Grading Policy
 Final grades will be determined via the following breakdown:

 
Homework 15%
Midterm 25%
Project 20%
Final 30%
Class Participation 10%

Programming assignments and the course project will be graded on both correctness and documentation. A project that fails on the provided test cases (and those used in grading) will obviously not receive a favorable grade. A project that passes all tests but does not contain reasonable documentation will also not receive a favorable grade. Security is a subset of reliability: good design and documentation increase the reliability of your code and thus the security.

Your class participation grade will be determined by your on-time attendance in class, your participation in classroom discussions, and your scores on pop quizzes. Pop quizzes, when given, will cover material previously covered in class, previous reading assignments, and simple questions on the current day's reading assignment.
 

Please read Making the Grade by Kurt Wiesenfeld and keep his views (which I share) in mind when deciding how much effort to invest in your coursework.

Schedule of Upcoming Classes
No. Date Topic and Reading Assignment
1 Jan 29
Introduction and Motivation 

Chapter 1

Reflections on trusting trust, Thompson. 
Risk Management is Where the Money Is, Daniel Geer. 

Homework 1 handed out in class and the point breakdown.

2 Feb 3 Foundations: Basic Encryption and Decryption

Chapter 9 through section 9.2.2

The example on breaking Vigenere Ciphers (via Kasiski's method) discussed in class.

More information on Vigenere and index of coincidence.

Vigenere encoder/decoder

3 Feb 5

Foundations: Symmetric Encryption

Sections 9.2.3 and 9.2.4
 

4 Feb 10

Foundations: Asymmetric Encryption and Cryptographic Hashes

Sections 9.3 and 9.4

Why Cryptosystems Fail, Ross Anderson. 

Remedial information on modular arithmetic. You are not responsible for ring or group theory, but should be able to add, subtract, multiply, and raise numbers to an exponent (mod whatever), as well as explain when and why you may not be able to find multiplicative inverses.

Homework 1 Due prior to class

Homework 2 handed out in class

Homework 2 FAQ, and format requirements.

Homework 2 Submit Instructions

Sun's Sockets tutorial

5 Feb 12 Foundations: Access Control

Chapter 2

6 Feb 17 Class Cancelled due to snow. Homework 2 now due 2/19 at 4:00 pm
7 Feb 19 Class Cancelled due to snow. Homework 2 is still due at 4:00 pm today
If you have your documentation in electronic form, send it along with the source code. If not, bring it to my mailbox or my office next time you are on campus.
8 Feb 24 Security Policies

Chapter 4
Confidentiality

Chapter 5 through 5.2.2.2
and 5.3 to 5.3.1 Homework 3 to be handed out in class

Homework 3 format requirements.

9 Feb 26 Integrity

Chapter 6 through 6.3
Key Management

Chapter 10

10 Mar 3 Authentication

Chapter 12

Look at: Ten Windows Password Myths by Mark Burnett. (You won't be tested on anything specific to Windows, but this reading provides some different examples of some of the issues we discuss in Chapter 12)

11 Mar 5 Design Principles

Chapter 13

12 Mar 10 Cipher Techniques and Network Security Protocols

Chapter 11 (We will not go into great detail on Section 11.4.1 (Privacy Enhanced Mail) but will instead concentrate on the other two examples in 11.4)

Kerberos: An Authentication Service for Computer Networks

Homework 4 to be handed out in class.

and format

13 Mar 12 Representing Identity (Chapter 14)
14 Mar 17 Some catch up and some review. There will be new material discussed today, and it will be on the exam. Chapter 15 will not be covered until after this exam, and will therefore not be on the exam.
-- Mar 17 Evening review session for Midterm Exam

5:30 pm in CSIC 2107

15 Mar 19 Midterm Exam. Closed book, no notes, etc.
-- Mar 24 No Class -- Spring Break
-- Mar 26 No Class -- Spring Break
16 Mar 31 Access Control, chapter 15
17 Apr 2 Confinement problem

Chapter 17
18 Apr 7 Malicious Logic

Chapter 22

19 Apr 9 Mobile Code and Java Security
Chapters 2 and 3 of Securing Java
by Gary McGraw and Ed Felten,
published by John Wiley & Sons, Inc.

(you may also want to look at Chapter 1, which mainly provides background and motivation which you should have already soaked up by this point in the course.)

20 Apr 14 Detailed project discussion.

Last day to drop with a W

21 Apr 16 Mobile Code and Java Security, Continued: Malicious and Attack Applets
Chapter 4 and 5 through section 5.4 of Securing Java
by Gary McGraw and Ed Felten,
published by John Wiley & Sons, Inc.
22 Apr 21 Vulnerability Analysis

Chapter 23

23 Apr 23 Auditing

Chapter 24

24 Apr 28 Intrusion Detection

Chapter 25

25 Apr 30

Buffer Overflows:

Smashing the Stack for Fun and Profit by Aleph One.

26 May 5 Catch up on previous topics, intro to wireless, and discuss your progress on your project. In fact today's quiz will deal with YOUR project.

Background Info on Wireless Security:

Bernard Aboba's Wireless Page

27 May 7 Wireless network insecurity

UC Berkeley Analysis of WEP
Your 802.11 Network has no clothes

28 May 12

Incident handling and forensics

Dan Farmer and Wietse Venema's Forensic links


Project Due before class today

29 May 14 In class review
--- May 20 Evening Review: 5-7 pm CSIC 2107
Final Exam May 22 1:30-3:30 pm in CSIC 2107 (Section 0101)