Security Systems - CSCI 530, Spring 2010

Security Systems - CSCI 530, Spring 2010

General Information

Time	:	TuTh 9:30am - 10:50am
Location	:	OHE 100D
Instructor	:	Bill Cheng (for office hours, please see instructor's web page), E-mail: <bill.cheng@usc.edu>. (Please do not* send HTML e-mails. They will not be read.)*
TA	:	Leslie Cheung, E-mail: <lccheung@usc.edu>, Office Hours: TuTh 2:30pm - 3:30pm in PHE 316
Grader	:	(none)
Lab TA	:	David Morgan, E-mail: <davidmor@cs.usc.edu>
Lab Grader	:	Ranjeet Sangle, E-mail: <sangle@usc.edu>
Midterm Exam	:	during class time, Thu, 3/4/2010 (firm)
Final Exam	:	8-10am, Tue, 5/11/2010 (firm)

Class Resources

Description	:	textbooks, topics covered, grading policies, additional resources, etc.
Papers	:	required technical papers.
Lab	:	information regarding the lab session.
Lectures	:	slides from lectures in HTML and PDF formats.
Homeworks	:	(4-5 homeworks will be assigned. Please also see important information about programming assignments below.)
Term Paper	:	one term paper to be turned in towards the end of the semester.
Participation	:	rules about rowcalls.
Newsgroup	:	Google Group for discussing course materials and programming assignments. (This group is by invitation only.)

News

(in reversed chronological order)

5/2/2010: The final exam is closed book, closed notes, and closed everything (and no "cheat sheet"). Also, no calculators, cell phones, or any electronic gadgets are allowed. a photo ID. Your ID will be collected at the beginning of the exam and will be returned to you when you turn in your exam. There will be assigned seating.
The final exam will cover everything after the midterm exam (starting at slide 1 of lecture 15 on 3/2/2010) to the last slide of the lecture on 4/29/2010.
Here is a quick summary of the topics covered (not all topics covered are listed):
- Intermediate Cryptographic Protocols
  - bit commitment
    - symmetric cipher, hash function, random number generator
  - fair coin flips
    - hash function, public-key cryptography
  - timestamping
    - naive, improved, centralized, distributed
    - subliminal channel
    - ElGamal signature
    - undeniable signature and other digital signature schemes
    - computing with encrypted data
    - one-way accumulators
    - key escrow
  - Advanced Cryptographic Protocols
    - zero knowledge proofs
    - blind signatures
    - ID-based PKC
    - oblivious transfer
    - simultaneous contract signing
  - Esoteric Cryptographic Protocols
    - secure multi-party computation
    - secure election
    - digital cash
    - anonymous message broadcast
  - Key Management
    - pairwise key management
    - conventional key management
      - KDC, Needham-Schroeder, Kerberos
    - public key management
      - certification authority
    - group key management
      - GKMP
      - LHK
      - OFT
      - Diffie-Hellman group key
      - rekeying group keys using batched digital signatures
  - Authentication: know, have, about you
    - Unix passwords
    - Kerberos and Directory Servers
    - public key
    - single sign on
    - some applications and how they do it
    - weaknesses
    - Lamport's hash chains
    - trust models for certification
    - GSS-API
    - applications (unix login, telnet, rsh/rlogin, ssh, http/https, ftp, Windows login, e-mail, NFS, Radius)
    - stopping SPAM
    - digital stamps (quota enforcement for SPAM control)
    - Microsoft Passport
    - Liberty Alliance
  - Authorization
    - Access Matrix
    - capability
    - agent-based
    - policy models
      - discretionary policy
      - mandatory policy
      - Bell LaPadula
    - distributed mechanisms
      - GAA-API
  - Intrusion Detection
    - misuse detection
    - anomaly detection
    - false positive & false negative
  - Wireless
    - the real difference
      - devices and connectivity
    - some of the benefits
      - redundancy of aommunication paths
      - autonomy
    - WEP vulnerabilities
    - Bluetooth vulnerabilities
    - need for end-to-end security
  - HW4, & HW5
- 4/4/2010: Office hour tomorrow (Monday, 4/5/2010) has been canceled. Sorry abou the inconvenience.
- 3/2/2010: The midterm exam will be closed book, closed notes, and closed everything (and no "cheat sheet"). Also, no calculators, cell phones, or any electronic gadgets are allowed. Please bring a photo ID. Your ID will be collected at the beginning of the exam and will be returned to you when you turn in your exam. There will be assigned seating.
  The midterm exam will cover everything from the beginning of the semester till slide 2 of lecture 14.
  Here is a quick summary of the topics (not all topics covered are listed):
  - Cryptography
    - basic building blocks
      - transposition/permutation
      - substitution
      - monoalphabetic substitution cipher
      - one-time pad
      - stream vs. block
    - conventional/symmetric/secret key
      - DES (and 3DES)
        
        components (Fiestel Network, S-boxes, P-boxes)
        modes of operation (ECB, CBC, CFB, OFB)
      - AES/Rijndael, others (UNIX password)
    - public key/asymmetric
      - RSA
        
        private/public key
        encryption/decryption
      - ElGamal, Elliptic curve cryptosystems
    - digital signatures
    - Diffie-Hellman key exchange
    - hash functions
      - birthday paradox
      - MD5 and SHA-1 broken
      - message authentication code
      - one-time signature (signature using only hashes)
        
        Lamport's one-time signature
        Merkle's one-time signature and tree-based scheme
  - Cryptographic Protocols
    - Basic Protocols
      - key exchange protocols
        
        interlock protocol
      - authentication using PKC (NSPK)
        
        breaking NSPK
        fixing NSPK
      - multiple-key PKC
      - secret splitting
      - secret sharing with (k,n)-threshold scheme
- 1/21/2010: Thought this may be an interesting read: Microsoft confirms 17-year-old Windows vulnerability. This is slightly related to what we talked about in the last lecture on "people doing research on security vulnerabilities".
- 1/7/2010: Registering with the class mailinglist is required for this class. If you have not done so, please visit the mailinglist page after the semester starts. (You do not have to be registered for the course to register with the class mailinglist.)
- 1/7/2010: Watch this area for important announcements.

Prerequisites

CSci 402: Operating Systems (or instructor's consent).
Qualify for a D-clearance. Please read the Placement Exam Instructions carefully. (If you are a new student, please also read New MS Student Info for an explanation of these terms.)

Important Information about Programming Assignments

Some homework assignments will require you to write some code. You must write your code in C/C++. No other programming language will be accepted and your program must compile and run with a Makefile on nunki.usc.edu. (Sorry, no Java.) You must be familiar with the UNIX development environment (vi/pico/emacs, cc/gcc or g++/CC, make, etc.)

If a student signs up late for this class or could not be present at the beginning of the semester, he/she is still required to turn in all assignments on time or he/she will receive a score of 0 for these assignments. No exceptions!