Lecture Schedule

The syllabus below is subject to change as the semester progresses. For dates in the past, it reflects what has been covered; for dates in the future, it reflects potential topics which I might cover.

You are responsible for all the material referenced below, even if it not explicitly covered in class. (You are, of course, also responsible for material covered in class, even if it is not covered in the reading material below.) "KPS" refers to "Network Security: Private Communication in a Public World" (2nd edition), by Kaufman, Perlman, and Speciner.

I provide a copy of my slides for convenience. Looking at these slides is not a substitute for attending lectures; the slides are just a guideline to what was covered in class.

Lecture	Date	Summary and Reading
Security Basics and Course Overview
1	Jan 29	Introduction, course overview, and why security is harder than it looks Slides for lecture 1 Reflections on Trusting Trust, by Thompson We are All Security Customers, by Schneier Information Security and Externalities, by Schneier. Pages 3-8 of Security Engineering, by Anderson
Cryptography: Its Uses and Limitations
2	Jan 31	Introduction to cryptography Slides for lecture 2 Sections 1.1, 1.2, and 1.3 of Introduction to Modern Cryptography, by Katz and Lindell
3	Feb 5	JCA; Private-key encryption basics The TA's presentation on JCA JCA code example Slides for lecture 3
4	Feb 7	Private-key encryption, message authentication Slides for lecture 4
5	Feb 12	Message authentication, hashing, Diffie-Hellman key exchange Slides for lecture 5
6	Feb 14	The public-key setting; public-key encryption Slides for lecture 6
7	Feb 19	Digital signatures. Crypto pitfalls Slides for lecture 7 Why Cryptography is Harder than it Looks, by Schneier Risks of Relying on Cryptography, by Schneier Security Pitfalls in Cryptography, by Schneier The following articles are completely optional, and are intended for those who enjoy this sort of material Implementation Pitfalls, by Kohno Lessons Learned in Implementing and Deploying Crypto Software, by Gutmann
8	Feb 21	Crypto pitfalls Slides for lecture 8 Why Cryptosystems Fail, by Anderson Analysis of an Electronic Voting System, by Kohno et al. Security flaws in 802.11 Data Link Protocols, by Cam-Winget et al. Intercepting Mobile Communications: The Insecurity of 802.11 by Borisov et al. The following articles are completely optional, and are intended for those who enjoy this sort of material More on WEP (in)security: Stubblefield et al., Bittau et al., Housley and Arbaugh Security Analysis of a Cryptographically-Enabled RFID Device, by Bono et al. (Sections 3 and on are rather technical) How to Cheat at Chess: A Security Analysis of the Internet Chess Club, by Black, Cochran, and Gardner Analysis of the WinZip Encryption Method, by Kohno
System Security
9	Feb 26	General principles, access control Slides for lecture 9 The Protection of Information in Computer Systems, by Saltzer and Schroeder. This was covered in class, but is not required reading.
10	Feb 28	Access control Slides for lecture 10 The Confused Deputy (or: Why Capabilities Might Have Been Invented), by Hardy Capability Myths Demolished, by Miller, Yee, and Shapiro (pages 1-10 only)
11	Mar 4	Midterm review. Access control Slides for lecture 11
***	Mar 6	Midterm exam
12	Mar 11	Exam review. Access control, trusted computing Slides for lecture 12
Network Security
13	Mar 13	Memory protection. Network security/authentication Slides for lecture 13 KPS, Sections 9.1-9.6, 10.1-10.8, 10.10
14	Mar 25	Authentication techniques Slides for lecture 14
15	Mar 27	Authentication techniques Slides for lecture 15 KPS, Sections 12.2, 9.7.1, 9.7.4.1, 11.1-11.3
16	Apr 1	Authentication and key exchange Slides for lecture 16
17	Apr 3	Authentication and key exchange; mediated key exchange; cookie authentication Slides for lecture 17 KPS, Sections 9.7.2-9.7.4, 11.4-11.8 Dos and Don'ts of Client Authentication on the Web, by Fu et al.
18	Apr 8	PKI and certification authorities Slides for lecture 18 KPS, Sections 15.1-15.5 10 Risks of PKI: What You're not Being Told about Public Key Infrastructure, by Ellison and Schneier
19	Apr 10	Revocation. Deniability Slides for lecture 19
20	Apr 15	Zero-knowledge and deniability. Anonymity Slides for lecture 20
21	Apr 17	Anonymity Slides for lecture 21 The following are optional: Tor: The Second-Generation Onion Router, by Dingledine, Mathewson, and Syverson The onion routing page A book discussing kleptography
***	Apr 22	Midterm exam
Database Security
22	Apr 24	Database security Slides for lecture 22 Security-Control Methods for Statistical Databases: A Comparative Study, by Adam and Wortmann, Sections 1-5 (Note: this is just meant to reinforce the mechanisms discussed in class; you do not need to understand all the math) Maintaining Patient Confidentiality..., by Sweeney The following is optional Robust De-Anonymization of Large Sparse Datasets (How to Break Anonymity of the Netflix Prize Dataset), by Narayanan and Shmatikov
Programming-Language and Application-Level Security
23	Apr 29	Database security. PL security, buffer overflows Slides for lecture 23 Here are the examples I covered in class: program 1, program 2 and an explanation, and program 3 Smashing the Stack for Fun and Profit, by Aleph One Blended Attacks..., by Chien and Szor The following are optional: Additional references for buffer overflow attacks (may be helpful for the homework) Exploiting Format String Vulnerabilities, by scut/team teso Real World XSS, by Zimmer (see also here, here, and this movie)
24	May 1	Buffer overflows and XSS attacks, and defenses (guest lecture by Prof. Mike Hicks) Slides for lecture 24 Low-Level Software Security: Attacks and Defenses, by Erlingsson Cross-Site Scripting Explained, by Klein Cross-Site Scripting Vulnerabilities, by Rafail
Network Security in Practice
25	May 6	Finish up PL security. Intrusion detection and firewalls Slides for lecture 25
26	May 8	Network secuity issues. IPSec Slides for lecture 26 KPS, Chapter 16; Sections 17.1, 17.2.2, 17.3.1, 17.3.2, 17.5 For more details about network layers, see any book on computer networking; e.g., Section 1.3 of "Computer Networks, a Systems Approach (3rd edition)," by Peterson and Davie. See aso here
27	May 13	IKE, SSL Slides for lecture 27 KPS, Sections 18.4-18.6, 19.1-19.8 A high-level summary of what to know for the final
***	May 19	Final exam, 10:30-12, CSIC 1122

Lecture Schedule

Security Basics and Course Overview

Cryptography: Its Uses and Limitations

System Security

Network Security

Database Security

Programming-Language and Application-Level Security

Network Security in Practice