Cryptography and Computer Security
Course Syllabus – Fall 2012
|4:00 – 6:50 PM|
|Prof. Samir Chatterjee|
|Monday 3:00 – 3:30 PM or after class and by appointment|
As the title suggests, this course is about cryptography and computer security. Perhaps a more suitable title would be “Cryptography and Information Security.” Cryptography, because it is a fascinating field of study that is also a key technology for achieving security objectives, and security because of its central importance to our emerging “information society.” Security policies will shape the kind of society we live in, and cryptography will have a major impact on the kinds of security policies that are achievable.
Information security, broadly defined, involves controlling the dissemination of information. It includes issues of privacy, data integrity, authenticity, and authority. Privacy refers to preventing information flow to unintended recipients. Data integrity properties insure that information is correct and undamaged. Authenticity identifies information with a source. Authority describes what actions are permitted by whom. Because of the ease with which information can be copied and transmitted, traditional physical means of control are of limited efficacy. Cryptography gives a way to build logical controls on the flow of information that are largely independent of the physical properties of the devices used to transmit and store information.
Cryptography lies at the center of this course, but we will be approaching the subject broadly. On the one end, we’ll look at problems of information security and see how cryptographic tools can be used to solve them. We’ll also touch on some social issues surrounding the use of cryptography. At the other end, we’ll explore the mathematical structures from which cryptographic primitives are built.
This course will spend some amount of time on the mathematical and theoretical aspects of cryptography but more time on practical security systems used in daily life and management issues. Such systems include Kerberos, X.509, PKI, Email security such as S/MIME, PGP, the emerging IPSEC, Web security including SSL/TLS and SET and intrusion detection, firewalls and trusted systems. We will also discuss how IS Security is planned and cover concepts of e-risk management as well as legal issues of computer fraud. Several hands-on computer exercises will be done in class. The course will feature external guest speakers who will talk about a range of topics such as Homeland Security, e-commerce security and Healthcare Security.
Text and Readings
- Bruce Schneier, Applied Cryptography, Second Edition: protocols, algorithms and source code in C, John Wiley & Sons, Inc., 1996, ISBN 0-471-12845-7 (hardcopy). Contains a wealth of timely information and gives broad coverage of the field. Often glosses over details in favor of readability. There are also many errors, particularly before the 5th printing. An errata sheet is available at http://www.counterpane.com/ac2errv30.html.
- William Stallings, Network Security Essentials: Applications and Standards, Prentice Hall; 4 edition (March 22, 2010) ISBN-10: 0136108059 ISBN-13: 978-0136108054. This popular textbook corresponds pretty well with the topics that will be covered in class. It doesn’t always go as deeply into a topic as is desirable, but it is a good starting point for exploring the field. This book has a web site at http://williamstallings.com/NetSec2e.html
Objectives for Student Learning (Course and Program):
|Program Learning Outcomes|
|Course Learning Outcomes:||
Graduates are prepared to be leaders in the IS field
Graduates have core IS knowledge
Graduates can integrate IS & business foundations
Graduates have perspective on business and real world
Graduates have communication, interpersonal, and team skills
Graduates are able to think analytically and creatively
Graduates have required career-specific skills
|Upon completion of IS 352, students will know:|
|Have a sophisticated awareness of the rich variety of tools, techniques and methods used in modern day cryptography.||x||X||x|
|How to describe and distinguish among the wide array of information technologies that are available for providing security to individuals, groups, and organizations.||x||X||x|
|How to become familiar with a variety of hacking techniques to better understand the weaknesses of systems.||x||x|
|How to articulate trends in network security and their business implications.||x||x||X|
|How to be capable of conducting research on recent topics in network security.||X||x||x|
|How to understand the variety of tools and software available to a manager for providing security and how to best use them||x||x||X|
E-Portfolio Requirement: In order to improve its courses, SISAT tries to assess student learning directly. As part of this, and in view of our emphasis on using information technologies, we require that every student in every course must document some aspect of their learning in the course using an e-portfolio. E-portfolios must be done with your Sakai student account.
To satisfy this requirement, an entry in the student’s e-portfolio must be created with the template page for this course, and it must address the learning objectives for the course and program. These are listed in the matrix above and in the CCO e-portfolio page template for this course.
The instructor will determine whether the entry suitably reflects course- and program-related learning. She/he may ask the student to revise and resubmit the entry. There are many possible suitable entries. Possible examples include the deliverables for a class project, a paper written as a result of the course, or a series of blog entries. Any entry is acceptable that demonstrates that the student knows more about the course content than she/he did at the beginning of the course. It is important that the entry be non-trivial, but it need not be a major new undertaking either. Entries are intended to be a representation of what was learned.
This is a special assignment. It is not used in calculation of your course grade; it is a requirement to get a grade. No final grade other than “Incomplete” (except “Unsatisfactory”) will be assigned for the course until you have posted a suitable entry to your e-portfolio. Any e-portfolio entry intended to be used to satisfy the requirement for the course must remain in the student’s CCO e-portfolio for at least one month following the course, to allow time for archival of pages to occur.
Because entries to an e-portfolio provide you with an opportunity to reflect on your learning, we encourage you to create more than the one required entry, to share your entries with your classmates, and to collect entries across your classes—in effect, creating a online collection of postings about what you have been learning. Such collections have value in expressing to yourself and others what you have learned in your degree program.
1. Regular attendance and active participation in class.
2. Preparation of reading and questions assigned to class.
3. Prepare and present the Research Paper
4. Prepare and submit the assigned scribe to class
5. Take mid-term and submitting final projects.
|Practical hands-on projects||
|Final Research Paper initial proposal
Final research paper
Schedule (This is suggested only. Deviations maybe necessary)
|1.||9/10/2012||Introductions & Foundations||BS: Ch. 1; WS: Ch 1|
|2.||9/17/2012||Ciphers, Symmetric Cryptography, Hash Functions, Public-Key Cryptography||BS: Ch. 2, 3.|
|3.||9/24/2012||Identity & Authentication Systems; Kerberos||BS: Ch 3; WS: Ch 4.|
|4.||10/1/2012||Feistel Structures, DES, AES, stream and block ciphers||WS: Ch 2; BS: Ch 9.|
|5. Dr. Chatterjee Traveling||10/8/2012||Key Length & Key Management Issues||BS: Ch 7, 8.|
|6.||10/15/2012||Mathematics of RSA||WS: Ch 3; HandoutInitial research paper proposal due|
|7.||10/22/2012||MID TERM EXAMINATION|
|8.||10/29/2012||Application Layer Security: PGP and S/MIME||WS: Ch 5.|
|9||11/5/2012||Hands-on day Class lab experiments||Handouts would be given|
|10.Dr. Chatterjee hosting Healthcare Symposium||11/12/2012Class rescheduled to Sat 11/17||Transport Layer Security – TLS, SSL||WS: Ch 7.|
|11.||11/19/2012||Network Layer Security – IP Security||WS: Ch 6.|
|12.||11/26/2012||Security Management, Corporate Governance, Computer Fraud||Handouts|
|13.||12/3/2012||Intrusion Detection, , Malicious Software, Firewalls||WS: Ch. 9, 11Quiz|
|14.||12/10/2012||Student Research Presentations|
|15.||12/17/2012||Student Research Presentations||Final quiz|
Note: BS refers to Bruce Schneier’s book and WS refers to William Stallings book.
Practical Projects & Assignments:
These will be mainly design and problem solving type of questions directly related to the course topics being discussed. Occasional case studies may also be assigned. You will have one week time to turn them in from the time they are handed.
Some practical hands-on type of assignments will be given out. Students will be required to run the tools on Windows or Linux machines and test several experiments. A class lab will be created for running these experiments.
There may be one programming assignment. You can use C, C++ or Java.
Final Research Paper & Presentation:
Student groups will turn in a research paper on a particular topic of interest related to the class. You can choose any relevant topic or you can also seek the help of the instructor. Your job would be to research that topic, collect several good papers from conferences and journals and critique them. Then you will write a report in your own words about that topic. The research paper can be any one of the following types:
- A Case Study
- Comparison of new security technology and trends
- Detailed analysis of new software
- A new cryptography algorithm that you will implement and test
- Improve upon a security protocol
- Descriptive study of emerging security applications and systems
- A new solution to an existing security problem
Each group will be asked to submit their research problem, and other associated details by the sixth week of class for approval. As soon as it is approved, you must start your research.
The format and other details about the report would be provided in due course. You will also prepare a PowerPoint slide on your topic. Students will be asked to present their report to class.
Late work will be accepted at the discretion of the instructor and/or TA and will generally be subject to a penalty unless accompanied by a Dean’s excuse. Work will not be accepted after graded papers have been returned or solutions released. However, alternative means for making up missed work may be arranged on an individual basis with a Dean’s excuse.
Policy on Working Together
Please do your own work yourself. Plagiarism is unethical and will not be tolerated. You must give credit wherever it is due. You may neither copy from others nor permit your own work to be copied.
You may of course discuss the lectures and readings with your classmates in order to improve your understanding of the subject. However, all written work must be your own. You are also always free (and encouraged) to come in and ask the TA or instructor for help about anything concerning the course. Please talk to me if you have any questions about this policy.
Supplementary reference books:
The following are some of the extremely useful reference books which might come handy in case you decide to pursue a career in the fields of cryptography and security:
- Ed Skoudis, Counter Hack, 2002, Prentice Hall Inc.
- B. A. Forouzan, Cryptography and Network Security, McGraw Hill, 2008.
- Ross Anderson, Security Engineering, 2001, J. Wiley & Sons.
- H. X. Mel, Doris Baker, Cryptography Decrypted, 2001, Addison-Wesley.
- John Chirillo, Hack Attacks Revealed, Second Edition, 2002, J. Wiley & Sons.
- Charles P. Pfleeger, S. L. Pfleeger, Security in Computing, Third Edition, 2003, Prentice Hall Inc.
- Niels Ferguson, Bruce Schneier, Practical Cryptography, 2003, J. Wiley & Sons.
- William Stallings, Cryptography & Network Security: Principles and Practices, Third Edition, 2003, Prentice Hall Inc.
- Douglas R. Stinson, Cryptography: Theory and Practice, Second Edition, CRC Press, Boca Raton, 2002.