Computer Security

Here are links to the course home page and the formal TQA description.

NOTE

In the current session 04-05, Computer Security is listed as a level 10 course so that it may be taken as a CS4 course. However, it is primarily a CS3 course - no special permissions are required to take it, as would normally be needed for level 10 courses. Note that (i) in the next session 05-06 Computer Security will be a level 9 course, so will not be available to next year's CS4; and (ii) since it is a level 10 course this year, the coursework may be slightly more challenging than other CS3 courses.

Description

Computer Security is concerned with the protection of computer systems and their data from threats which may compromise integrity, availability, or confidentiality; the focus is on threats of a malicious nature rather than accidental. This course aims to give a broad understanding of computer security. Topics range from security risks, attacks, prevention and defence, through some current technology solutions, and down to formal approaches to validating security protocols and the mathematical principles underlying cryptography and cryptographic algorithms.

Syllabus

Introduction and background. Risks and attacks: to privacy (theft, surveillance); integrity (fraud); availability (vandalism, denial of service). Additional security properties: authentication, accountability.

Cryptography: basic functional foundations. Symmetric algorithms, for example: DES, Rijndael, RC4

Public key cryptography. Algorithms including RSA, ElGamal. Hash functions, including SHA-1. Digital signatures and certificates.

Authentication: mechanisms and attacks. Protocols for authentication and key exchange, including Needham-Schroeder, Otway-Rees, Kerberos, Diffie-Hellman.

Formal approaches, including Burrows-Abadi-Needham logic for authentication and its application to security protocol analysis.

Malicious code and network defences: Trojan horses, viruses and worms, attacks on faulty code. Auditing, intrusion detection, alarms and honey pots.

Security engineering: security policy models, multi-level systems. Secure kernels and trusted computing bases. Anatomy of attacks, risk assessment, attack trees.

Present internet technologies, for example: PGP, SSL, SSH, SMIME, DNSSEC, IPsec, firewalls and VPNs. The Java Security Model and security programming in Java.

Copyright protection. Secure hardware and tamper resistance. Steganography and covert communication. Anonymity.

Security futures, real-world issues. Topics chosen from: web security, e-commerce and e-cash; legalities; export control, key escrow; information warfare and cyber terrorism; human factors. Recent research areas.

Assessed Coursework

Two exercises, one involving security protocol analysis, and the other involving implementing a simple application-level security feature using Java's security APIs.

References:

* Ross Anderson, Security Engineering, John Wiley & Sons, 2001

* Dieter Gollman, Computer Security, John Wiley & Sons, 1999

* Nigel Smart, Cryptography: An Introduction, McGraw-Hill, 2003

* John Viega and Gary McGraw, Building Secure Software: How to Avoid Security Problems the Right Way, Addison-Wesley, 2003