From: Ron van der Meyden To: Bill Wilson Date: Thu, 25 May 2000 15:07:38 +1000 (EST) Subject: Computer Security course Proposal for COMP4011 subject pilot Subject name: Seminar on cryptographic approaches to distributed systems security 1.Subject objective To introduce cryptography, cryptographic protocols and their applications in securing distributed systems, with a focus towards emerging issues in the internet and electronic commerce. The emphasis will be on applications of cryptographic mechanisms rather than the mathematics underlying ciphers. 2.Subject description for Handbook Cryptography and cryptanalysis, authentication, authorization, cryptographic protocols, digital signatures, public key infrastructures, trust management, social and legal issues, WWW security and security for mobile code, digital cash, payment protocols, digital rights management. The course will be taught in a seminar format, with students expected to give presentations based on readings of primary and secondary sources. 3.Contact hours Three hours per week, plus individual consultations to advise students on readings and presentations 4.Credit value Standard honours course. 5.Assessment methods 1. Seminar presentation 2. Written report 3. Exam 6. Session Session 2 2000 7. Enrollment Numbers to be kept low to allow seminar format: maximum of 20 8. Prerequisites Discrete Mathematics, 9.Assignment and laboratory work Students will be assigned a topic, associated with core readings that are compulsory for the whole class. They will be required to prepare a presentation in which they explain the core material and demonstrate that they have conducted additional reading on the topic. They will also be required to submit a report that provides a critical discussion on their assigned topic. 10.Syllabus * historical overview of ciphers: one-time pads, shared key cryptography, DES, Diffie-Hellman, RSA, elliptic curve, hashes, one way functions * cryptanalysis, sociological and technical attacks * zero knowledge protocols * sociological issues: key escrow, key length, export restrictions role of government security/law enforcement organisations privacy debate * Public Key Infrastructures: x.509, PKIX, SDSI/SPKI, PGP certification authorities and PKI management, revocation * authentication protocols, Kerberos, single-signon, SSL, SSH * Authentication protocol analysis, BAN Logic and its successors Dolev Yao algebraic model and the Model Checking approach * Certificates in Distributed operating systems, TAOS and its authorization theory * Java security model & WWW security * mobile code: code modification and proof bearing code * Digital Signatures, Non-repudiation, Timestamping * trust management: Keynote and related systems * Payment protocols, SET * Digital Cash * Digital (Copy)rights management, watermarking 11 Outcomes At the end of the subject, students should: -- have a basic understanding of the nature of cryptography, and the ways it can be applied -- be aware of the limitations of cryptographic methods and potential weaknesses in systems using cryptography -- understand the key sociological issues relating to cryptography and its applications -- be aware of some emerging trends in e-commerce security -- have developed an in depth understanding of one area of computer security 12 Text books The following secondary sources to be used as references: Dieter Gollman, Computer Security, Wiley 1999 R.C Summers, Secure Computing, Threats and Safeguards B. Schneier, Applied Cryptography, 2nd ed. Wiley 1996 W. Ford, M.S. Baum, Secure Electronic Commerce, building the infrastucture for digital signatures and encryption + extensive readings from primary sources. 13 Excluded topics Computer Security is a larger area than can be meaningfully covered in a single course. The following are issues that might also be covered in a course of this nature, but are probably covered to some extent in other courses. ** Security models and military security requirements Bell-La Padula, Lattice models, Blue book, Chinese Wall policy ** Clark-Wilson commercial security models Role based access control ** object oriented security models ** security models of particular operating systems and their limitations, e.g Unix, NT, capability models, ** common security loopholes and implementation flaws, e.g buffer overflow ** security in middleware products ** Security in databases: Secure SQL, Views, statistical inference, multilevel security ** viruses & worms ** security hardware: smartcards, biometric sensors, chip level security