Important Announcement

· We will use Zoom for online teaching starting from Sept. 8. The Zoom room ID is 886 852 970; the password/link can be found in your email or the Blackboard announcement.

· Please finish project topic selection before Nov 10, 19:00. The link to the sign-up form can be found in Blackboard.

· Lab 1 helping session will be held on Nov 14 (Sat) with Zoom ID 382 110 403. The passcode can be found in Blackboard's announcement.

Login account for the restricted contents
user: student  password: eclt5740@cuhk

Instructor: Prof. Wing C. Lau

Office Location: SHB 818

Office Hours: Tue 4:00pm - 5:00pm or by appointment

Email: wclau at ie dot cuhk dot edu dot hk

Telephone: 3943-8356

Lecture Periods:

Tue 7:00pm to 10:00pm

Venue: Online teaching until further notice

Tutor: WANG Xianbo

Office Location: SHB 803

Office Hours: Fri 2:00pm – 3:00pm

Email: xianbo at ie dot cuhk dot edu dot hk

Course Webpage: http://www.se.cuhk.edu.hk/~eclt5740/

Course Material: Available at the Course Webpage shown above

Course Objective

This module provides a foundation on the technical issues concerning Cryptography, Information Security and e-Commerce. It covers areas such as: protecting information using symmetric and public key cryptography; authentication and handshake protocols; key management; trust model and Public Key Infrastructure (PKI); Network, System and Application level security.

Topics to be covered (subject to change)

  1. Introduction to the problem of Web security: threats, vulnerabilities, and security policies. (3 hrs)
  2. Basic cryptography; Secret key algorithms (DES, 3DES, AES, RC4). (4 hrs)
  3. Hashes, message digests (MD5, SHA) and Message Authentication Codes (MAC). (3 hrs)
  4. Public key algorithms (RSA, Diffie-Hellman); digital signatures. (3 hrs)
  5. Public Key Infrastructure: Certification Authority (CA) and digital certificates; Trust models. (3 hrs)
  6. Authentication: technologies and protocols. (3 hrs)
  7. Network security: attack types (sniffing, spoofing, hijacking, denial-of-service); typical attack process and counter-measures; tools (scanning, filtering, firewalls, wrappers, DMZ, VPN, intrusion detection). (4 hrs)
  8. System security: attacks and defenses; Application security: Web-application security pitfalls (client and server); Mobile code security. (6 hrs)
  9. Secure Networking/Application Protocols (IPSec, SSL/TLS) and Applications: email (S/MIME, PGP). (4 hrs)

Highly Recommended Textbooks

[StallingsBrown] Computer Security: Principles and Practice (3rd Edition) by William Stallings and Lawrie Brown. Publisher: Prentice Hall, 2014. http://www.amazon.com/Computer-Security-Principles-Practice-3rd/dp/0133773922/ref=sr_1_1?s=books&ie=UTF8&qid=1420531978&sr=1-1&keywords=Computer+Security+Stallings

A close substitute for the above book is: [Stallings 13] William Stallings, Cryptography and Network Security, 6th Edition, Prentice Hall, 2013. (This book provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference. Earlier editions of this book would still be useful.)

[Skoudis] Counter Hack Reloaded: A Step-by-step Guide to Computer Attacks and Effective Defenses (2nd Edition) by Ed Skoudis and Tom Liston. Publisher: Prentice Hall, 2005.

[GoodrichTamassia11] Introduction to Computer Security by Michael Goodrich and Roberto Tamassia. Published by Pearson Higher Education, 2011. http://catalogue.pearsoned.co.uk/educator/product/Introduction-to-Computer-Security-International-Version/9780321702012.page (It offers an up-to-date, comprehensive introduction to the non-crypto aspects of computer/system security.)

[PaarPelzl10] Understanding Cryptography: A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Published by Springer, 2010. (Full text available as an ebook via the CUHK library. An excellent introductory text for cryptography; well balanced between mathematical rigor and engineering intuition for many modern practical crypto algorithms.)

[Stuttard11] The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, 2nd Edition, by Dafydd Stuttard and Marcus Pinto. Published by Wiley, 2011.

[Kaufman02] Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security, 2nd Edition. Published by Prentice Hall, 2002. (The authors are all well-known designers/architects of key security protocols/systems widely deployed in practice. The book provides excellent insights into the technical details and the rationale behind the design of the protocols/algorithms. The technical depth may overwhelm casual, non-technical readers though.)

Additional References

[Anderson08] Ross Anderson, "Security Engineering, 2nd Edition", Wiley, 2008.

[Mel] Cryptography Decrypted by H. X. Mel and Doris M. Baker. Publisher: Addison Wesley, 2000.

[Menezes 96] Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1996. (A precise, mathematically oriented reference. The entire manuscript can be freely downloaded for personal use from http://www.cacr.math.uwaterloo.ca/hac)

[Schneier 96] Bruce Schneier, Applied Cryptography, 2nd Edition, Wiley, 1996. (A classic must-read for people who are serious about working in the area of cryptography.)

[Northcutt 05] Stephen Northcutt et al., Inside Network Security Perimeter, 2nd Edition, New Riders, 2005. (Provides excellent intermediate/advanced treatment of technologies and network planning issues including VPNs, firewalls and intrusion detection; a must-read for someone who wants to design/set up a secure network perimeter.)

[McClure 09] Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed, 6th Edition, McGraw-Hill Osborne, 2009. (One of the books in the best-selling "Hacking Exposed" series. A must-read for those who want to understand the nuts and bolts of the latest vulnerabilities and exploits of real-world systems and networks.)

[Garfinkel 02] Simson Garfinkel, Gene Spafford, Web Security, Privacy and Commerce, 2nd Edition, O'Reilly, 2002. (Easy to read, informative and up-to-date discussion of the captioned subject. One of its strengths is its coverage of the security-related services and products available in the real world.)

[Viega 02] John Viega and Gary McGraw, Building Secure Software, Addison Wesley, 2002. (A must-read for software developers/system architects who want to build secure software.)

[Cheswick 03] William R. Cheswick, Steven M. Bellovin and Aviel D. Rubin, Firewalls and Internet Security, 2nd Edition, Addison Wesley, 2003. (Intended for an intermediate/advanced audience. Provides informative and interesting technical details.)

[Liska 03] Allan Liska, The Practice of Network Security, Prentice Hall, 2003. (A down-to-earth, good collection of practical networking/protocol security pitfalls and configuration strategies.)

[Stein 98] Lincoln D. Stein, Web Security, Addison Wesley, 1998. (Written by the author of the WWW FAQ. A good, easy-to-read introduction to practical web security problems. Includes the nuts and bolts of real-life vulnerabilities and exploits. Very informative, but a bit outdated.)

[Rubin 01] Aviel D. Rubin, White-Hat Security Arsenal, Addison Wesley, 2001. (Written in a problem-solving style, discussing solutions for various security-related tasks faced by an enterprise. Intermediate/advanced level.)

[Stallings 11] William Stallings, Cryptography and Network Security, 5th Edition, Prentice Hall, 2011. (Provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference.)

[Burnett 01] Steve Burnett and Stephen Paine, RSA Security's Official Guide to Cryptography, RSA Press, 2001. (Provides high-level descriptions of cryptography basics without getting into the technical details/mathematics.)

[Grimes01] Roger A. Grimes, Malicious Mobile Code, O'Reilly, 2001. (Detailed coverage of hostile mobile code for Windows-based systems.)

[Anonymous 03] Anonymous, Maximum Security, 4th Edition, SAMS, 2003. (A collection of chapters written by different authors, covering a wide range of practical network/system security issues.)

[Pfleeger 06] Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 4th Edition, Prentice Hall, 2006. (Describes security issues from a computing perspective.)

[O'Neill 03] Mark O'Neill et al., Web Services Security, Wiley, 2003. (Provides an overview of the issues and enabling technologies for secure Web Services.)

[Eastlake 03] Donald E. Eastlake III and Kitty Niles, Secure XML, Addison Wesley, 2003. (Provides details about security features in XML.)

[Mitnick 02] Kevin D. Mitnick and William L. Simon, The Art of Deception, Wiley, 2002. (Kevin Mitnick is a high-profile convicted hacker. The book provides first-hand insights into how "social engineering" is used to achieve security breaches of all types.)

[Ferguson 03] Niels Ferguson and Bruce Schneier, Practical Cryptography, Wiley, 2003. (A sequel to the classic by Bruce Schneier. It provides key insights into the design and implementation of real-world secure systems.)

[Schneier 04] Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, Wiley, 2004. (Essay-style writing providing reflections on the social, political and other not-so-technical aspects of security and privacy issues.)

[Ford 01] Warwick Ford and Michael S. Baum, Secure Electronic Commerce, 2nd Edition, Prentice Hall, 2001. (A very readable introduction to protocols and systems designed for securing electronic commerce.)

[Peikari 03] Cyrus Peikari and Seth Fogie, Wireless Maximum Security, SAMS, 2003. (Focuses on practical vulnerabilities and exploits of 802.11 Wireless LAN systems.)

[Heiderich 11] Mario Heiderich et al., Web Application Obfuscation, Syngress, 2011.

[Clarke 09] Justin Clarke, SQL Injection: Attacks and Defense, Syngress, 2009.

[Smith 07] Sean Smith and John Marchesini, The Craft of System Security, Addison Wesley, 2007.

[Rescorla 01] Eric Rescorla, SSL and TLS, Addison Wesley, 2001. (Provides an authoritative treatment of the detailed technical design of the captioned protocols.)

[Barman 01] Scott Barman, Writing Information Security Policies, New Riders, 2001. (A good introduction to writing security policies.)

Pre-requisite

Basic understanding of computer systems and networking protocols.

Teaching format

Lectures and Tutorial Sessions

Course Assessment

Your grade will be based on the following components:

· Homeworks: 30%

· Hacking Exercises: 30%

· Project (Report + Presentation): 15% [Suggested Topics and Further details TBA]

· One Q&A-design assignment: 15%

· Class Participation: 10%

The Q&A-design assignment asks each student to design and submit a set of questions AND model answers/suggested solutions for a future 2-hr-long final examination of ECLT5740. To avoid asking trivial questions which merely test the memorization ability of the exam takers, you should assume the exam to be an open-book/open-note exam. Your submission will be graded according to its:

a. ORIGINALITY and thoughtfulness of the questions, i.e., they should be non-trivial and able to highlight and test/promote the most important concepts/ideas/techniques which have been taught in our class so far.

b. Correctness of the suggested solutions/model answers.

c. Comprehensive nature (or the lack thereof), i.e. your set of questions, taken together, should cover multiple (the more, the better) key concepts/ideas/techniques taught in our class so far. In other words, setting 1-2 long essay questions on a couple of specific topics to take up the entire 2-hr exam period won't be a good choice.

d. Suitability of the overall set of questions for a time-limited 2-hr exam. In other words, it should be reasonable for a student to complete your proposed set of questions within the time limit.

Since the originality and thoughtfulness of the proposed questions are key considerations, you MUST NOT copy or merely re-phrase questions found elsewhere (e.g. from similar courses in CUHK or elsewhere, or from textbooks) and submit them as your own creation. Instead, study our course materials and reference readings/texts, ask yourself which are the most important concepts you have learned from this course, and then try to design related questions for the various key concepts. The goal of your exam paper should be to promote/strengthen a student's understanding of such concepts, i.e. view your questions as training exercises for the exam taker. To enhance the comprehensive nature of your exam, in other words, to cover a large number of important/key concepts, you may mix different types of questions in your exam design, e.g. i) a section of multiple-choice or True/False questions (for T/F questions, you MUST require students to provide not only the T/F answer but also a couple of sentences justifying their answers); ii) additional sections of short questions with multiple parts, or other formats as you see fit. (You may refer to the past examination papers of the CUHK course IERG4130 for possible formats BUT DO NOT COPY questions from those past papers for your submission.)

Academic Honesty

You are expected to do your own work and acknowledge the use of anyone else’s words or ideas. You MUST put down in your submitted work the names of people with whom you have had discussions.

Refer to http://www.cuhk.edu.hk/policy/academichonesty for details.

When scholastic dishonesty is suspected, the matter will be turned over to the University authority for action.

You MUST include the following signed statement in all of your submitted homeworks, project assignments and examinations. Submissions without a signed statement will not be graded.

"I declare that the assignment here submitted is original except for source material explicitly acknowledged, and that the same or related material has not been previously submitted for another course. I also acknowledge that I am aware of University policy and regulations on honesty in academic work, and of the disciplinary guidelines and procedures applicable to breaches of such policy and regulations, as contained in the website http://www.cuhk.edu.hk/policy/academichonesty/"

I declare that, except for source material explicitly acknowledged, the assignment submitted here is my own original work; I have not submitted this assignment or material of the same content for the assignments of other courses; and I confirm that I am aware of the University's policy and rules on honesty in academic work and of the disciplinary guidelines and procedures applicable to breaches, as contained at http://www.cuhk.edu.hk/policy/academichonesty/.

Student/Faculty Expectations on Teaching and Learning

http://www.cse.cuhk.edu.hk/~cslui/student_teacher_expectations.pdf/

Class Webpage

http://www.se.cuhk.edu.hk/~eclt5740/

Most of the relevant class materials will be available on the class webpage. Please visit the class webpage often and stay tuned for any announcement, supplementary discussions, clarifications and changes pertaining to the content of the course and homework assignments.

Email Communications

For inquiries regarding the course, please feel free to contact the instructor and/or the TA via email. Class-related announcements may also be distributed via email.

Add/Drop Policy

Standard Add/Drop policies apply to this class.

Attendance

Regular attendance will be vital to your success in this class; some portion of the material presented and tested may not be contained in the notes.

Tentative Lecture Schedule (Subject to change)

Each entry below gives the date(s), the topics, the Highly Recommended Readings (these readings closely follow our lecture notes and are essential for one's understanding of the required material of the class) and the Supplementary In-depth Readings (these are beyond the scope of the course but would be useful for someone who wants to learn more about specific topics).

Sep 8, Sep 15: Course Admin; Security Landscape Overview
  Highly Recommended: [StallingsBrown] Ch1.1-1.3, 1.5-1.7

Sep 22: Basic Cryptography Principles; Secret Key Crypto-Systems
  Highly Recommended: [StallingsBrown] Ch2.1, 2.5, Ch19.1-19.2, 19.4-19.6
  Supplementary: [Schneier 04], [Mitnick 02], [Garfinkel 02], [Barman 01], [Mel] Ch. 1, 2, 3, [Kaufman 02] Ch3-4, [Schneier 96], [Mel] Ch. 5, [Ferguson 10]

Homework 1 is released on Sep 29 and due on Oct 16.

Sep 29, Oct 6: Hashes, Message Digests and Message Authentication Codes (MAC)
  Highly Recommended: [StallingsBrown] Ch2.2, 20.1-20.2
  Supplementary: [Kaufman 02] Ch5, [Burnett 01], [Mel] Ch. 7, 13, 14

Oct 13: Public Key Systems; Digital Signatures; Digital Certs, PKI, Trust Models, Key Management
  Highly Recommended: [StallingsBrown] 2.3-2.4, 20.3-20.4, 22.2-22.3, Ch 19.7
  Supplementary: [Mel] Ch. 9, 12, 15, [Kaufman 02] Ch6, [Burnett 01], [Ford 01]

Homework 2 is released on Oct 20 and due on Nov 8.

Oct 20, Oct 27: Authentication Technologies, Protocols and Systems
  Highly Recommended: [StallingsBrown] Ch3.1-3.8, Ch22.1
  Supplementary: [Mel] Ch. 8, 10, 16, 17, [Kaufman 02] Ch9, 10, 11

Nov 3, Nov 10: Network Security
  Highly Recommended: [Skoudis], [StallingsBrown] Ch6, 7, 8, 9, 11.1-11.2
  Supplementary: [Northcutt 05], [Liska 03], [McClure 09]

Take-home Lab 1 is released on Nov 3 (due on Nov 22, 23:59).

Nov 17: Buffer Overflow, Perimeter-based Defense for Network Security
  Highly Recommended: [Skoudis], [StallingsBrown] Ch4.1-4.4, Ch12
  Supplementary: [Stuttard11], [Skoudis] Ch. 3, 4, [Grimes01] Ch 9-11, [McClure 09], [Stein 98], [Viega 02], [Heiderich 11], [Clarke 09]

Nov 24: Web Applications Security
  Highly Recommended: [Skoudis] Ch4.1-4.4, Ch12
  Supplementary: [Mel 01] Ch. 19, 20, 21, [Rubin 01], [Kaufman 02], [Smith 07], [OWASP2017], [OWASPMobile2016], [OWASP2013]

Take-home Lab 2 is released on Nov 24 (due on Dec 8, 23:59).

Dec 1: System Security
  Highly Recommended: [StallingsBrown] Ch21.1-21.3
  Supplementary: [Rescorla 01], [Kaufman 02] Ch17-19

Dec 8 (Tue): Make-up lecture: Secure Protocols / Course Review

Dec 29 (Tue): Deadline for submission of the final project and the Q&A assignment (Time: 23:59)

Lecture Notes (in PDF format)

The lecture notes used in this course have incorporated and/or adapted materials from the following sources. The contribution and copyrights of the original authors are hereby acknowledged and recognized.

Kurose and Ross, "Computer Networking: A Top-Down Approach Featuring the Internet, 2nd Edition", Chapter 7

William Stallings, "Cryptography and Network Security, 3rd Edition"

Simson Garfinkel, Gene Spafford, "Web Security, Privacy and Commerce, 2nd Edition"

Charlie Kaufman, Radia Perlman, Mike Speciner, "Network Security, 2nd Edition"

Lincoln D. Stein, "Web Security"

Ed Skoudis, "Counter Hack"

Steve Burnett, Stephen Paine, "RSA Security's Official Guide to Cryptography"

Prof. Kris Gaj, George Mason University

Prof. Vincent Costa, Hofstra University

Prof. Henric Johnson, Blekinge Institute of Technology

Prof. Henning Schulzrinne, Columbia University

Prof. Wenke Lee, Georgia Tech

Prof. Felix Wu, UC Davis

Prof. Yehuda Afek, Tel Aviv University

CERT/CC, CMU

Jochen Schiller, "Mobile Communications", 2nd Edition, Addison Wesley

Jesse Walker, Intel Corp.

James Kempf, DoCoMo Labs U.S.A.

Prof. Wayne Dyksen, Dept. of CSE, Michigan State University

Drs. Lucas Hui, K.P. Chow, Dept. of CS, The University of Hong Kong

Hon Ching Lo, Dept. of CS, Clarkson University

Nancy Cam-Winget, Russ Housley, David Wagner and Jesse Walker, "Security Flaws in 802.11 Data Link Protocols," Communications of the ACM, May 2003, Vol. 46, No. 5.