
Course Design Document

IS302: Information Security and Trust

Version 4.4

29 December 2009

Page 2: Technical Specification of

SMU School of Information Systems (SIS)

Table of Contents

1 Versions History
2 Overview of Security and Trust Course
2.1 Synopsis
2.2 Prerequisites
2.3 Objectives
2.4 Basic Modules
2.5 Instructional Staff
3 Output and Assessment Summary
4 Group Allocation for Assignments
5 Learning Outcomes, Achievement Methods, and Assessment
6 Classroom Planning
7 Course Schedule Summary
8 List of Information Resources and References
9 Tooling
10 Weekly Plan


1 Versions History

Version | Description of Changes | Author | Date
V 1.0 | | Yingjiu Li | 31-12-2004
V 2.0 | Based on discussions with Ravi Sandu and Ankit Fadia, revised the design documents for weeks 7 - 11; re-designed the project | Yingjiu Li | 03-12-2005
V 2.1 | Re-designed the lab session | Yingjiu Li | 26-12-2005
V 2.2 | Revised the pre-requisites of the course, learning outcomes, and tooling | Yingjiu Li | 07-08-2006
V 3.0 | Revised course content and schedule; strengthened hands-on exercise | Yingjiu Li | 28-12-2006
V 4.0 | Revised course content and schedule | Yingjiu Li | 03-12-2007
V 4.1 | Reformat the design document | Yingjiu Li | 15-02-2008
V 4.2 | Revised design | Yingjiu Li | 24-12-2008
V 4.3 | Revised learning outcomes | Yingjiu Li | 02-11-2009

2 Overview of Security and Trust Course

2.1 Synopsis

Security and Trust course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn essentials about security models, algorithms, protocols, and mechanisms in computer networks, programs, and database systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and Java language.

2.2 Prerequisites

Students should understand the basics of computer network, programming languages (Java, in particular), and information systems.


2.3 Objectives

Upon finishing the course, students are expected to:

• Understand basic security concepts, models, algorithms and protocols.
• Understand security requirements and constraints in some real world applications.
• Be able to analyze the current security mechanisms.
• Be aware of the current and future trends in security applications.

2.4 Basic Modules

2.5 Instructional Staff

Professors: Yingjiu Li, Xuhua Ding
Instructional staff: Sharon Lim Yee Pin
Teaching assistant: Ailina Nagarawati for G3, G4, and G5

3 Output and Assessment Summary

Week | Date | Output Assessments | Weighting in % | Group Weighting | Remarks
1 | | 10 project groups | | | Overview
2 | | | | | Enc to DES
3 | | Assignment 1 | 5 | | Enc to AES
4 | | | | | RSA, DH
5 | | | | | Hash, MAC, Sig
6 | | | | | Cert, PKI
7 | | Quiz | 15 | | Password
8 | | (Recess) | | |
9 | | Review quiz | | | Password II and internet security
10 | | Assignment 2 | 5 | | AC
11 | | Lab | | | password cracking, FW, IDS
12 | | Project presentation | | |
13 | | Project presentation and demo | 10 | | A variety of topics
14 | | (Review); Project report | 15 | |
15 | | Final exam | 40 | |
Total | | | 90 | 100% |

Assessment weighting (chart): Final exam 40%; Project 25% (report 15%, presentation 10%); Midterm quiz 15%; Assignments 10%; Class participation 10%.

Midterm quiz (15%; problem solving)

1.5 hours (closed-book)

Covers the first 6 weeks.

Class participation (10%)

Evaluated by the lecturers based on students' class attendance and participation in classroom discussions.

Project (25%) consists of part A (15%) and part B (10%)

Teaming: 10 random teams per class.

References: internet, textbook

Part A: Open-ended investigation into a security-related topic (each team chooses a different topic)

Students are given a list of security-related topics such as cell phone security, RFID system security, and EMR system security.

Grading: 5% presentation + 10% project report (5% breadth, 5% depth)

Deliverables: Each team will write a project report on their findings, and deliver an oral presentation. The report will be within 10~15 pages, using 11pt font, single-column and single-spaced format. The oral presentation will be delivered in 20 minutes including Q&A.

Requirements: In both the report and the presentation, each team should:
a) Describe the background of the related topic
b) Evaluate major/certain security problem(s) in the field
c) Present solutions to the problem(s)
d) Analyze the possible impact/benefits of deploying the solutions in one or more business sectors, and provide a simple case study where appropriate

Part B: prototype simulation and demo of a secure RFID system

Background: Company SEC decides to implement RFID technology to increase the efficiency and visibility of tracking its products. However, security is a major concern since SEC does not want any of its competitors to be able to collect its RFID information (e.g., its inventory level, where, when, and what products are processed) via the wireless communication channel from a distance. Therefore, it decides to implement a secure RFID communication protocol so that an adversary, without knowing tag secret keys, will not be able to identify or track any tags.

Setting: there are 1000 RFID tags and one reader. Each of the tags is assigned a random key of 96 bits, and equipped with a pseudorandom number generator and a hash function (e.g., MD5 or SHA1). The reader maintains a database of the keys for all 1000 tags.

Protocol: the protocol is run between the reader and any tag. To authenticate or identify the tag, the reader first generates a random number C1 of at least 80 bits, and sends it to the tag. Upon receiving C1, the tag generates another random number C2, computes R=Hash(K,C1,C2), and sends (C2, R) back to the reader, where K is the key of this tag. Upon receiving (C2, R), the reader searches its database to find the correct key K which produces the same R as received from the tag. The reader outputs the serial number of this key K in its database as the tag's ID.

Requirements: the students are required to simulate the protocol in programming (e.g., Java, or OpenSSL). The input of the protocol is any tag (whose key is taken from the reader's database). The output should be the correct serial number of the tag's key in the reader's database, as well as the exact time that is spent by the reader in identifying the tag in the protocol. An additional (optional) requirement is to simulate the memory of an EPC tag while the protocol runs.

Deliverables: the students should demo their simulation of the protocol in 10 minutes in their presentations (in weeks 12 and 13). In addition, they need to write a report within 5 pages on their designs, and attach their code. In the report, the students should analyze why this protocol is secure.

Grading : 10% based on both demo and report (4% correctness, 3% security, 3% efficiency and quality).
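
The Part B protocol described above, simulated as an added example; it is not part of the course document, and it is written in Python rather than the Java or OpenSSL the course suggests. It assumes SHA-1 over the concatenation K || C1 || C2, an 80-bit C2, and the key's zero-based position in the reader's list as its serial number; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

NUM_TAGS = 1000    # from the project setting
KEY_BYTES = 12     # 96-bit tag key, from the project setting
NONCE_BYTES = 10   # 80-bit C1 (page minimum); same length for C2 is an assumption


def protocol_hash(key: bytes, c1: bytes, c2: bytes) -> bytes:
    """R = Hash(K, C1, C2). All inputs have fixed lengths, so plain
    concatenation is unambiguous (assumed encoding, SHA-1 assumed)."""
    return hashlib.sha1(key + c1 + c2).digest()


class Tag:
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, c1: bytes):
        """Tag side: pick a fresh C2 and answer the reader's challenge."""
        c2 = secrets.token_bytes(NONCE_BYTES)
        return c2, protocol_hash(self._key, c1, c2)


class Reader:
    def __init__(self, keys):
        self.keys = list(keys)  # database: serial number = list index

    def challenge(self) -> bytes:
        return secrets.token_bytes(NONCE_BYTES)

    def identify(self, c1: bytes, c2: bytes, r: bytes):
        """Search the key database for the K that reproduces R.
        Returns (serial, elapsed_seconds); serial is None if nothing matches."""
        start = time.perf_counter()
        serial = None
        for i, key in enumerate(self.keys):
            if hmac.compare_digest(protocol_hash(key, c1, c2), r):
                serial = i
                break
        return serial, time.perf_counter() - start


def build_system(num_tags: int = NUM_TAGS):
    """Create a reader and its tags with freshly generated random keys."""
    keys = [secrets.token_bytes(KEY_BYTES) for _ in range(num_tags)]
    return Reader(keys), [Tag(k) for k in keys]


if __name__ == "__main__":
    reader, tags = build_system()
    c1 = reader.challenge()
    c2, r = tags[417].respond(c1)
    serial, elapsed = reader.identify(c1, c2, r)
    print(f"identified tag {serial} in {elapsed * 1000:.3f} ms")

    # A recorded (C2, R) does not verify against a new challenge, and two
    # answers from the same tag differ because C2 is fresh each time.
    stale, _ = reader.identify(reader.challenge(), c2, r)
    print("replayed response accepted:", stale is not None)
```

Identification costs up to one hash per stored key, so the reported time grows linearly with the number of tags.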

The project outline/draft within 5 pages on both part A and part B (hardcopy) is due before or during the class in week 9. The presentations & demos will be delivered in weeks 12 and 13. The final report is due on Monday in week 14.

Final Exam (40%; closed-book) in week 15

Covers all material taught in class, including the invited talk and lab.

Multiple choice questions and short answer questions.

4 Group Allocation for Assignments

Each class is partitioned into 10 groups. The students in each group are randomly selected.

5 Learning Outcomes, Achievement Methods, and Assessment

IS302 - Information Security and Trust

1 Integration of business & technology in a sector context

1.1 Business IT value linkage skills [YY]

Course-specific core competencies which address the Outcomes:
• Identify the security properties of enterprise information systems
• Analyze the security tradeoffs to be made in design of enterprise information systems
• List basic design principles of protecting enterprise information systems
• Identify major security technologies/components that are most effective for protecting enterprise information systems
• Explain the future trend of security technologies that will generate significant impact to practice

Faculty Methods to Assess Outcomes:
• Execute and grade in-class exercise
• Grade assignments 1 and 2
• Grade the project
• Grade the mid term and final exams

Ability to understand & analyze the linkages between:
a) Business strategy and business value creation
b) Business strategy and information strategy
c) Information strategy and technology strategy [YY]
d) Business strategy and business processes
e) Business processes or information strategy or technology strategy and IT solutions

1.2 Cost and benefits analysis skills [Y]

Ability to understand and analyze:
a) Costs and benefits analysis of the project [Y]

1.3 Business software solution impact analysis skills

Ability to understand and analyze:
a) How business software applications impact the enterprise within a particular industry sector.

2 IT architecture, design and development skills

2.1 System requirements specification skills [Y]

Course-specific core competencies which address the Outcomes:
• Identify and perform basic security functions with major security tools
• Identify the security requirements for enterprise information systems
• Design effective and efficient solutions to protect enterprise information systems

Faculty Methods to Assess Outcomes:
• Grade assignments 1 and 2
• Execute and grade in-class exercise with JCE and OpenSSL

Ability to:
a) Elicit and understand functional requirements from customer
b) Identify non functional requirements (performance, availability, reliability, security, usability etc.) [Y]
c) Analyze and document business processes [Y]

2.2 Software and IT architecture analysis and design skills [Y]

Course-specific core competencies which address the Outcomes:
• Analyze the vulnerability of network in a web application scenario and apply intrusion detection and firewall techniques to eliminate the vulnerability

Faculty Methods to Assess Outcomes:
• Execute and grade lab exercise

Ability to:
a) Analyze functional and non-functional requirements to produce a system architecture that meets those requirements. [Y]
b) Understand and apply process and methodology in building the application [Y]
c) Create design models using known design principles (e.g. layering) and from various view points (logical, physical etc.) [Y]
d) Explain and justify all the design choices and tradeoffs done during the application's development [Y]

2.3 Implementation skills [Y]

Course-specific core competencies which address the Outcomes:
• Use OpenSSL and JCE to design and implement security techniques for network security and access control

Faculty Methods to Assess Outcomes:
• Execute and grade in-class hands-on exercise

Ability to:
a) Realize coding from design and vice versa [Y]
b) Learn / practice one programming language [Y]
c) Integrate different applications (developed application, COTS software, legacy application etc.)
d) Use tools for testing, integration and deployment [Y]

2.4 Technology application skills [Y]

Course-specific core competencies which address the Outcomes:
• Understand and know how to use major security building blocks including hash, encryption and decryption, signature, certificates, password authentication, firewall, intrusion detection, and access control

Faculty Methods to Assess Outcomes:
• Execute and grade in-class exercise
• Grade assignments 1 and 2
• Execute and grade lab session

Ability to:
a) Understand, select and use appropriate technology building blocks when developing an enterprise solution (security, middleware, network, IDE, ERP, CRM, SCM etc.) [Y]

3 Project management skills

3.1 Scope management skills [Y]

Ability to:
a) Identify and manage trade-offs on scope/cost/quality/time [Y]
b) Document and manage changing requirements

3.2 Risks management skills [Y]

Ability to:
a) Identify, prioritize, mitigate and document project's risks [Y]
b) Constantly monitor projects risks as part of project monitoring

3.3 Project integration and time management skills

Ability to:
a) Establish WBS, time & effort estimates, resource allocation, scheduling etc.
b) Practice in planning using methods and tools (Microsoft Project, Gantt chart etc.)
c) Develop / execute a project plan and maintain it

3.4 Configuration management skills

Ability to:
a) Understand concepts of configuration mgt and change control

3.5 Quality management skills

Ability to:
a) Understand the concepts of Quality Assurance and Quality control (test plan, test cases ...)

4 Learning to learn skills

4.1 Search skills [YY]

Ability to:
a) Search for information efficiently and effectively [YY]

4.2 Skills for developing a methodology for learning [Y]

Ability to:
a) Develop learning heuristics in order to acquire new knowledge skills (focus on HOW to learn versus WHAT to learn). [Y]
b) Abide by appropriate legal, professional and ethical practices for using and citing the intellectual property of others

5 Collaboration (or team) skills:

5.1 Skills to improve the effectiveness of group processes and work products [Y]

Ability to develop:
a) Leadership skills
b) Communication skills
c) Consensus and conflict resolution skills [Y]

6 Change management skills for enterprise systems

6.1 Skills to diagnose business changes [Y]

Ability to:
a) Understand the organizational problem or need for change (e.g. analyze existing business processes or "as-is process") [Y]

6.2 Skills to implement and sustain business changes

Ability to:
a) Implement the change (e.g. advertise / communicate the need for change etc.) and to sustain the change over time

7 Skills for working across countries, cultures and borders

7.1 Cross-national awareness skills

Ability to:
a) Develop cross-national understandings of culture, institutions (e.g. law), language etc.

7.2 Business across countries facilitation skills

Ability to:
a) Communicate across countries
b) Adapt negotiation and conflict resolution techniques to a multicultural environment

8 Communication skills

8.1 Presentation skills [Y]

Ability to:
a) Provide an effective and efficient presentation on a specified topic. [Y]

8.2 Writing skills [Y]

Ability to:
a) Provide documentation understandable by users (requirements specifications, risks management plan, assumptions, constraints, architecture choices, design choices etc.) [Y]

Legend:
[Y] This sub-skill is covered partially by the course
[YY] This sub-skill is a main focus for this course

6 Classroom Planning

Teaching session: 3 hours | Note
Review: 15 minutes |
Solution techniques: 1 hour 15 minutes | Security problems and techniques; Analysis; Learning
Hands-on exercises: 1 hour 15 minutes | Settings and steps; Discussions; Hands-on
Summary: 15 minutes | Learning effect

7 Course Schedule Summary

Wk | Topic (problem) | Readings (textbook) | Classroom: techniques (1.5 hours) | Classroom: hands-on (1.5 hours) | After-class reading and exercise
1 | Background | Chapter 1, 7.1 | Networking basics and security concepts | Form project teams | Group formation (10 groups) and topic selection
2 | Enc Basics | 2.1-2.4 | Enc basics | OpenSSL and JCE |
3 | DES-AES | 2.5-2.6, 10.2 | DES, AES | OpenSSL and JCE | Assignment 1 (Assignment 1 involves coding with JCE)
4 | RSA-DH | 2.7-2.8, 10.3 | RSA enc, DH | Review of assignment 1, OpenSSL and JCE |
5 | Integrity | 2.8, 10.3 | Hash, MAC, RSA sig | OpenSSL and JCE |
6 | Cert, PKI | 2.8, 7.6 | Cert, PKI, CRL | OpenSSL, email security, Windows cert mgt |
7 | Quiz, user auth | 4.5 | Quiz | User authentication I |
8 | Recess | | | |
9 | User auth | 4.5, 7.3 | User authentication II and internet security | Review of quiz | Project draft due
10 | AC | 4.1-4.4, 5.1-5.3 | DAC, MAC, RBAC | Java SecurityManager | Assignment 2
11 | Internet Sec | | Lab on pwd cracking | Lab on FW, IDS, and AC; review of assignment 2 | SAS-SMU Enterprise Intelligence Lab
12 | Proj Pres I | | 5 groups | |
13 | Proj Pres II | | 5 groups | |
14 | Review | | Project report due | Project report, Q&A |
15 | Final exam | | | |

8 List of Information Resources and References

Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007

Other reading material and reference websites are available in the course slides

9 Tooling

Tool | Description | Remarks
OpenSSL, JCE, CrypTool | Security tools in Windows and Java | Hands-on exercises and demo
PPA, IPtable, snort | Password cracking, firewall, and IDS | Lab exercises

10 Weekly Plan

Week: 1

Session 1:
• Introduction to the course
• Basic security concepts

Session 2:
• Networking basics
• Project team formation

Reference: Chapter 1 and 7.1

Things to ensure:
• Course material is available for download from the course web site
• Students must be assigned into groups for project

Week: 2

Session 1:
• Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition
• Security analysis of ancient ciphers

Session 2:
• Installation of JCE and OpenSSL
• Test for JCE and OpenSSL

Reference: Chapter 2.1-2.4

Things to ensure:
• Students understand two basic encryption techniques: substitution and transposition
• JCE and OpenSSL are correctly installed for hands-on exercise in the following weeks

Week: 3

Session 1:
• DES: history and details
• AES: history and details

Session 2:
• Use both OpenSSL and JCE for DES and AES encryption and decryption

Reference: Chapter 2.5-2.6, 10.2

Things to ensure:
• Students know the security status of DES and AES
• Students know how to use DES and AES in OpenSSL and JCE

Week: 4

Session 1:
• Asymmetric encryption with RSA
• DH key agreement

Session 2:
• Use OpenSSL and JCE for generating RSA keys and for RSA encryption

Reference: Chapter 2.7-2.8, 10.3

Things to ensure:
• Students understand the security of RSA encryption
• Students know how to generate RSA keys and use RSA keys in OpenSSL and JCE
• Assignment 1 due and review

Week: 5

Session 1:
• Hash functions (MD5 and SHA1)
• MAC (HMAC and DES-MAC)
• RSA signature
• Compare MAC with RSA signature for message integrity check

Session 2:
• Use JCE for message integrity check with HMAC and RSA signature

Reference: Chapter 2.8, 10.3

Things to ensure:
• Students understand the security status of hash functions
• Students understand the differences between MAC and RSA signature
• Students know how to use JCE for integrity check with MAC and RSA signature

Week: 6

Session 1:
• Impersonation problem and the need of using certificates
• X.509 certificate format
• CRL

Session 2:
• Email security (S/MIME and PGP)
• Signed and/or encrypted email with COMODO certificates in Outlook

Reference: Chapter 2.8, 7.6

Things to ensure:
• Understand why and how to use certificates and CRLs
• Know how to use Outlook to send signed and/or encrypted emails

Week: 7

Session 1:
• Quiz

Session 2:
• Weak authentication with passwords
• Unix passwords
• Windows LM hash and NTLM hash
• Password attacks

Reference: Chapter 4.5

Things to ensure:
• Understand how passwords are stored in computers

Week: 8 (Recess week: no class)

Session 1:

Session 2:

Reference:

Things to ensure:

Week: 9

Session 1:
• Strong authentication (Lamport, challenge response, time synchronization)
• NTLMv1 and NTLMv2

Session 2:
• Internet security (SSL, firewall, IDS)

Reference: Chapter 4.5, 7.3

Things to ensure:
• Understand why strong authentication is more secure than weak authentication
• Understand how passwords are verified in Windows
• Understand the fundamentals of SSL, firewall and IDS
• Project draft is due

Week: 10

Session 1:
• Access control models: DAC, MAC, RBAC

Session 2:
• Java SecurityManager

Reference: Chapter 4.1-4.4, 5.1-5.3

Things to ensure:
• Know how to use Java SecurityManager to enforce access control
• Assignment 2 covers weeks 9 and 10

Week: 11

Session 1:
• Lab exercise for password cracking

Session 2:
• Lab exercise for using firewall, IDS, and AC

Reference: Lab instruction manual

Things to ensure:
• Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall configuration, and intrusion detection
• Assignment 2 due and review

Week: 12 (project presentation: teams 1-8, part A)

Session 1:

Session 2:

Reference:

Things to ensure:

Week: 13 (project presentation and demo: teams 1-8, part B, teams 9,10, part A & B)

Session 1:

Session 2:

Reference:

Things to ensure:

Week: 14 (review week: no class)

Session 1:

Session 2:

Reference:

Things to ensure:
• Project report is due

Week: 15 (exam week: no class)

Session 1:

Session 2:

Reference:

Things to ensure:
• Final exam