COMP 3704 Computer Security, Spring 2009

General Information

Prerequisites

The prerequisites for this class are a good understanding of imperative programming and discrete mathematics. You should be able to write non-trivial programs in C, C++ or some other language. You must have a good understanding of basic data structures such as arrays. This is a class on applied cryptography with focus on cryptographic primitives and protocols. There will be programming assignments designed to make you use, implement and evaluate key security constructs. You are free to do the programming assignments in any language; however, using C, C++ or Java is recommended.

Lecture Hours and Location

The lectures will be held Mondays and Wednesdays from 10am to noon in John Greene Hall 216.
In order to get a door code for the Computer Lab in John Greene Hall 216, please visit the labcode webpage. The code is updated on a weekly basis.

Office Hours

Christian Grothoff - JGH 108
Mondays and Wednesdays, 1-3pm and by appointment.

Textbook and Syllabus

"Applied Cryptography", by Bruce Schneier, John Wiley & Sons. This will be the main textbook for the class covering most of the material.
"Version Control with Subversion", on-line book (no need to buy a copy). You must know how to use subversion as a developer (not as an administrator) in order to submit your assignments. Use this book as a reference if you encounter problems. Basic knowledge of chapters 1-3 should be sufficient.

Specific topics that will be covered:

Assignments and Grading

There will be individual assignments where you will need to answer some specific questions in prose or with small fragments of code, as well as larger individual programming assignments that must be turned in for grading by a certain deadline. There will also be one larger team project. Both midterm and final exam will be open book, open notes and open notebook exams. There will be no quizzes.
Students are encouraged to discuss the materials, homework, and projects together. However, all written assignments and programs must be done individually. Academic dishonesty includes, but is not limited to: plagiarism, cheating in exams, unauthorized collaboration and falsifying academic records. Violation of any of these may result in a grade penalty on assignments, an "F" in the course, dismissal from an academic unit, revocation of admission, suspension from the University as well as being roasted over a slow fire.
Generally, all assignments are due before class on the date specified with the assignment. Exceptions to this rule (allowing later submission) may be announced in class.

The different kinds of assignments are weighted as follows:

Assignments: 70 Pts
Midterm: 10 Pts
Final: 20 Pts
Class Participation: 10 Pts

There are theoretically a total of 110 Pts possible. Grades will be given as follows:

| Grade | Points |
|-------|--------|
| A | > 95 Pts |
| A- | > 90 Pts |
| B+ | > 85 Pts |
| B | > 80 Pts |
| B- | > 75 Pts |
| C+ | > 70 Pts |
| C | > 65 Pts |
| C- | > 60 Pts |
| D | ≥ 45 Pts |
| F | < 45 Pts |

Software

You will need various applications for the class, all of which are freely available for various operating systems. Personally, I'm using Debian GNU/Linux unstable. If you have any problems installing the software, you can always use the department's GNU/Linux lab which has all of the necessary software installed. Here is a list of the software programs that you will need (possibly incomplete):

libgmp
The GNU multiple precision library
OpenSSL
Crypto library
Apache
Web server
Subversion
Version control system
Compilers and tools for C, C++, Java, ML, etc.
I recommend installing at least gcc 4.x from GNU.

Submission of Assignments

Each student will get access to a subversion repository. Assignments must be committed to that repository by the respective deadline. Students are encouraged to use the repository for version control while still working on the assignment. Only the last version committed before the deadline will be used for grading.
In order to access your subversion repository, you must first request an account from Andrei for the course. Stop by his office or send him an e-mail. Once your account has been created, you should do an initial check out:

    $ svn checkout https://svn.cs.du.edu/courses/comp3704/s2009/$USER
    $ cd $USER
    
You should then proceed to create a directory for the first project and commit it:

    $ mkdir p1
    $ svn add p1
    $ svn commit -m "comment"
    
Afterwards, you can add the files to submit just like you added the directory. Make sure to commit the final version with all files (hint: svn status) before the deadline. It is also a good idea to do a separate checkout and verify that the result works.

Schedule

This is the current plan; significant changes will be announced in class. Feedback is welcome.

Class 1: No Class! (03/23/2009)

Useful links
Subversion
Assignments
  1. Implement "Hello World!" and submit to subversion (due: Class 3, 1 Pt), P1/driver_p1.sh
  2. Read up on zzuf and socat.
  3. Read the Coverity quick start guide (available in the GNU/Linux lab under /usr/local/prevent-linux-4.3.0/doc/)

Class 2: Introduction & Protocol building blocks (03/25/2009)

Material from the textbook
Chapters 1 and 2
Slides
Slides
Lecture
A Model for Information Assurance: An Integrated Approach

Class 3: Application security (03/30/2009)

Lecture
Slides
Useful links
CERT, National Vulnerability Database, A Taxonomy of Coding Errors that Affect Security, The Unexpected SQL Injection
Assignments
Attack! (due: Class 19, 15 Pts)
Useful links
Coverity Prevent, zzuf, socat

Class 4: Operating system security (04/01/2009)

Lecture
Slides
Useful links
Orange Book Summary, Security-Enhanced Linux, grsecurity, Securing Debian Manual, Linux File System Quotas

Class 5: Network security (04/06/2009)

Lecture
Slides
Material from the textbook
Chapter 24
Useful links
DefCon

Class 6: Randomness and Entropy (04/08/2009)

Material from the textbook
Chapter 16
Lecture
Slides
Useful links
GNU Scientific Library, NIST PRNG tests, NIST Special Publication 800-22, Critical Values of the Chi-Square Distribution
Assignments
  1. PRNGs (due: Class 9, 9 Pts)

Class 7: Randomness and Computers (04/13/2009)

Lecture
Slides
Material from the textbook
Chapter 17.14
Useful links
Analysis of the Linux Random Number Generator, Linux /dev/random entropy estimates
Assignments
  1. Entropy Gathering (due: Class 11, 10 Pts)

Class 8: Protocols (04/15/2009)

Material from the textbook
Chapters 3, 4 and 23.2
Lecture
Slides

Class 9: Midterm (04/20/2009)

Class 10: Advanced Protocols (04/22/2009)

Material from the textbook
Chapter 5
Assignments
  1. Protocol Design and Analysis (due: Class 14, 10 Pts)
Useful links
Lecture
Slides

Class 11: Privacy Enhancing Protocols (04/27/2009)

Material from the textbook
Chapter 6
Lecture
Slides

Class 12: Cipher Modes and Choosing Algorithms (04/29/2009)

Material from the textbook
Chapters 9 and 10
Lecture
Slides

Class 13: Cryptography Tools, Key Length and Key Management (05/04/2009)

Material from the textbook
Chapters 7 and 8
Lecture
Slides
Useful links
OpenSSL, GNU PG, Apache SSL/TLS mini-HOWTO
Assignments
  1. Key Generation (due: Class 16, 5 Pts)

Class 14: Mathematical Background (05/06/2009)

Material from the textbook
Chapter 11
Lecture
Slides

Class 15: Symmetric Ciphers (05/11/2009)

Material from the textbook
Chapters 12, 13, 14, 15 and 16
Lecture
Slides

Class 16: One-way Hash Functions (05/13/2009)

Material from the textbook
Chapter 18
Lecture
Slides
Exercise
  1. Write a program that creates a rainbow table (in memory) for SHA-1 that can invert passwords of up to 5 characters (A-Za-z). (due: Class 18, 10 Pts)

Class 17: Public-key Algorithms (05/18/2009)

Material from the textbook
Chapter 19
Lecture
Slides
Assignments
  1. RSA (due: Class 20, 10 Pts)

Class 18: Applications of Public-key Algorithms (05/20/2009)

Lecture
Slides
Material from the textbook
Chapters 20-22

Class 19: Review (05/27/2009)

Class 20: Final Exam (06/01/2009)

Grades

Grades will be e-mailed to the e-mail address given with the request for creating the subversion account. For how to interpret the e-mailed grades please ask in class or during office hours.


Christian Grothoff
Last modified: Sat Sep 29 21:58:42 MDT 2009