Spring 2006
CS4803-CNS- Computer and Network Security

Time: Tu,Th: 3:05 pm - 4:25 pm.
Place: College of Computing (CoC) 101.
Instructor: Alexandra (Sasha) Boldyreva
Email: aboldyre@cc.gate.... Please include "4803" in the subject.
Office hours: Tu 4:30-5:30,W 2-3pm, in CoC 254.

Announcements.
Exam II is on Tuesday April 25th.
Project presentations are on Thursday April 27th.

Course description. This is a 3-credit undergraduate-level introduction to information security course. We will study the common threats and attacks and the fundumental concepts and techniques used to ensure secure computing and communication. We will focus on several important sub-areas of the broad area of security such as

cryptography (protocols for ensuring data privacy, authenticity and integrity, such as symmetric and public-key encryption schemes, message authentication codes and digital signatures; and methods to analyze their security),
computer and system security (security policies, access control, viruses, etc.),
network security (IP and Web transactions security, etc).

In addition to studying the general concepts we will learn how the main cryptographic schemes (e.g. AES in CBC mode, RSA-OAEP, ElGamal, etc.) and network security protocols (e.g. Kerberos, IPSec, SSL) work. We will gain some practical experience in attacking and defending various security goals.

Textbooks and other materials. There are two textbooks essential for the course.

(required) "Security in Computing" by Charles P. Pfleeger and Shari Lawrence Pfleeger, Prentice Hall, 3rd edition, ISBN# 0-13-035548-8. (P&P in the syllabus below)
(highly recommended) "Network Security - Private Communication in a Public World" by Charlie Kaufman, Radia Perlman and Mike Speciner, Prentice Hall, 2nd edition, ISBN#: 0-13-046019-2. (KPS in the syllabus below)

There is no good textbook on cryptography for this course, but there are very good lecture notes by M. Bellare and P. Rogaway available online (the links will be provided below and referred to as B&R).

Below I will also post the slides that I will use in the lectures and the papers we will discuss.

Prerequisits. Discrete mathematics, Operating Systems, Computer Networks. C/C++ and/or Java.

Requirements. Homeworks including paper-and-pencil questions and programming assignments (35%), Exam I (20%), Exam II (20%), final project (25%).

Rules. Georgia Tech and College of Computing academic Honor Code applies. Homeworks are announced in class and are posted on the class web page. Each homework will specify whether you should work on it individually or in pairs (meaning you can work on some homeworks with at most one other person), but in any case you have to write and turn in your own pen-and-pencil solutions and indicate the name of your collaborator, if any. For the programming assignments you can turn in the same code, but you have to write your own comments. You can consult external sources while doing the homeworks and the project, as long as you properly reference the sources. But you cannot copy neither other source codes nor solutions, you have to write your own. Homework solutions should be turned in in class, before the lecture starts, on a due day (TBA). Programming assignments to be submitted by the same time. If you are unable to attend a lecture when a homework is due, you can email the TA a postscript or a PDF file with your written solutions before the time of the class. No late homeworks will be accepted. You can (and it is recommended) to work on the final project in pairs (with at most one other person). Even though I may provide some ideas, ou will have to find a topic for your project yourself and confirm it with me. You are advised to start thinking about you project early.

Syllabus (to be updated during the course)

Summary, slides, and reading materials	Slides	Assignments
Course overview. Administrative stuff. Introduction. P&P Ch.1	set1
Introduction to cryptography. Main goals. Symmetric and public-key settings. B&R Ch.1	set2
Symmetric encryption schemes and their security. The one-time-pad scheme. B&R Ch.2
Block ciphers (DES, AES). B&R Ch.3	set3
Encryption modes (ECB, CBC, CTR). B&R Ch.4	set4
Message authentication codes and their security. Authenticated encryption. B&R Ch.7	set5	HW1
Hash functions and their security. B&R Ch.6	set6
Some basic number theory. B&R Ch.9	set7
Discrete-log-based hard problems. B&R Ch.10	set8
Asymmetric encryption schemes and their securiy. ElGamal encryption. B&R Ch.11	set9
Plain RSA encryption and it's (in)security. RSA-OAEP. Hybrid encryption. B&R Ch.10	set10
Digital signature schemes and their security. Full-domain-hash RSA and ElGamal signature schemes. B&R Ch.12	set11	HW2
Public-key infrastructure (PKI). Secret key sharing. Implementational pitfalls. T. Kohno, "Implementation pitfalls" (B&R Ch.8) C. Ellison and B. Schnier, "Ten risks of PKI", T. Kohno, A. Stubblefield, A. D. Rubin, and D. S. Wallach, "Analysis of an electronic voting system"	set12
Exam I
Introduction to system security and access control. P&P Ch. 4.1, 4.2	set13
General design principles. Capabilities. P&P Ch. 4.3, 4.4	set14
Trusted OS. Access control policies. P&P Ch. 5 Saltzer and Schroeder, "The Protection of Information in Computer Systems"	set15
Introduction to network security. Authentication protocols. KPS Ch. 9	set16	HW3
Password-based authentication and authenticated key exchange. KPS Ch. 10-12	set17
Mediated authentication. Kerberos. KPS Ch. 13-14	set18
IPSec. KPS Ch. 17	set19
SSL. Firewalls. KPS Ch. 19, 23	set20	HW4 emailed
Web security. Cookies. K. Fu, et al., Dos and Don'ts of Client Authentication on the Web, KPS Ch. 25	set21
Buffer overflows and other things that can go wrong. Viruses and worms. P&P Ch. 3	set22
Exam II
Final project presentations

Acknowlegements. Some of the slides (mostly for the computer and network security sections) are based on the slides created by Jonathan Katz from the University of Maryland and Vitaly Shmatikov from the University of Texas.