Important Announcement
· We will use Zoom for online teaching starting from Sept. 8. Zoom room ID is 886 852 970; the password/link can be found in your email or the Blackboard announcement.
· Please finish project topic selection before Nov 10, 19:00. The link to the sign-up form can be found in Blackboard.
· Lab 1 helping session will be held on Nov 14 (Sat) with the Zoom ID: 382 110 403. The passcode can be found in Blackboard's announcement.
Instructor: Prof. Wing C. Lau
Office Location: SHB 818
Office Hours: Tue 4:00pm - 5:00pm or by appointment
Email: wclau at ie dot cuhk dot edu dot hk
Telephone: 3943-8356
Lecture Periods: Tue 7:00pm to 10:00pm
Venue: Online teaching until further notice
Tutor: WANG Xianbo
Office Location: SHB 803
Office Hours: Fri 2:00pm - 3:00pm
Email: xianbo at ie dot cuhk dot edu dot hk
Course Webpage: http://www.se.cuhk.edu.hk/~eclt5740/
Course Material: Available at the Course Webpage shown above
This module provides a foundation on the technical issues concerning Cryptography, Information Security and e-Commerce. It covers areas such as: protecting information using symmetric and public key cryptography; authentication and handshake protocols; key management; trust model and Public Key Infrastructure (PKI); Network, System and Application level security.
[StallingsBrown] Computer Security: Principles and Practice (3rd Edition) by William Stallings and Lawrie Brown, Publisher: Prentice Hall, 2014. http://www.amazon.com/Computer-Security-Principles-Practice-3rd/dp/0133773922/ref=sr_1_1?s=books&ie=UTF8&qid=1420531978&sr=1-1&keywords=Computer+Security+Stallings
A close substitute for the above book is: [Stallings 13] William Stallings, Cryptography and Network Security, 6th Edition, Prentice Hall, 2013. (This book provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference. Earlier editions of this book would still be useful.)
[Skoudis] Counter Hack Reloaded: A Step-by-step Guide to Computer Attacks and Effective Defenses (2nd Edition) by Ed Skoudis and Tom Liston. Publisher: Prentice Hall, 2005.
[GoodrichTamassia11] Introduction to Computer Security by Michael Goodrich and Roberto Tamassia, Published by Pearson Higher Education, 2011. (It offers an up-to-date, comprehensive introduction to the non-crypto aspects of computer/system security.)
[PaarPelzl10] Understanding Cryptography: A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl, Published by Springer, 2010. (Full text available as an ebook via the CUHK library. An excellent introductory text for cryptography; well balanced between mathematical rigor and engineering intuition for many modern practical crypto algorithms.)
[Stuttard11] The Web Application Hacker's Handbook - Discovering and Exploiting Security Flaws, 2nd Edition by Dafydd Stuttard and Marcus Pinto, Published by Wiley, 2011.
[Kaufman02] Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security, 2nd Edition, Published by Prentice Hall, 2002. (The authors are all well-known designers/architects of key security protocols/systems widely deployed in practice. The book provides excellent insights on the technical details and rationale behind the design of the protocols/algorithms. The technical depth may overwhelm casual, non-technical readers though.)
[Anderson08] Ross Anderson, "Security Engineering, 2nd Edition" Wiley, 2008.
[Mel] Cryptography Decrypted by H.X.Mel and Doris M.Baker. Publisher: Addison Wesley, 2000.
[Menezes 96] Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1996. (A precise, mathematically oriented reference. The entire manuscript can be freely downloaded for personal use from http://www.cacr.math.uwaterloo.ca/hac)
[Schneier 96] Bruce Schneier, Applied Cryptography, 2nd Edition, Wiley, 1996. (A classic must-read for people who are serious about working in the area of cryptography.)
[Northcutt 05] Stephen Northcutt et al, Inside Network Security Perimeter, 2nd Edition, New Riders, 2005. (Provides excellent intermediate/advanced treatments on technologies and network planning issues including VPNs, Firewalls, Intrusion detection; a must read for someone who wants to design/setup a secure network perimeter).
[McClure 09] Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed, 6th Edition, McGrawHill Osborne, 2009. (One of the books in the best-selling "Hacking Exposed" series. A must-read for those who want to understand the nuts and bolts of the latest vulnerabilities and exploits of real-world systems and networks.)
[Garfinkel 02] Simon Garfinkel, Gene Spafford, Web Security, Privacy and Commerce, 2nd Edition, O'Reilly, 2002. (Easy to read, informative and up-to-date discussions on the subject captioned. One of its strengths is its coverage of the security-related services and products available in the real world.)
[Viega 02] John Viega and Gary McGraw, Building Secure Software, Addison Wesley, 2002. (A must-read for software developers/system architects who want to build secure software.)
[Cheswick 03] William R. Cheswick, Steven M. Bellovin and Aviel D. Rubin, Firewalls and Internet Security, 2nd Edition, Addison Wesley, 2003. (Intended for an intermediate/advanced level audience. Provides informative and interesting technical details.)
[Liska 03] Allan Liska, The Practice of Network Security, Prentice Hall, 2003. (A down-to-earth, good collection of practical networking/ protocol security pitfalls and configuration strategies.)
[Stein 98] Lincoln D. Stein, Web Security, Addison Wesley, 1998. (Written by the author of the WWW FAQ. A good, easy-to-read introduction to practical web security problems. Includes the nuts and bolts of real-life vulnerabilities and exploits. Very informative, but a bit outdated.)
[Rubin 01] Aviel D. Rubin, White-Hat Security Arsenal, Addison Wesley, 2001. (Written in a problem-solving style to discuss solutions for various security-related tasks faced by an enterprise. Intermediate/advanced level.)
[Stallings 11] William Stallings, Cryptography and Network Security, 5th Edition, Prentice Hall, 2011. (Provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference.)
[Burnett 01] Steve Burnett and Stephen Paine, RSA Security's Official Guide to Cryptography, RSA Press, 2001. (Provides high-level descriptions of cryptography basics without getting into the technical details/mathematics.)
[Grimes01] Roger A. Grimes, Malicious Mobile Code, O'Reilly Press, 2001. (Detailed coverage of hostile mobile code for Windows-based systems.)
[Anonymous 03] Anonymous, Maximum Security, 4th Edition, SAMS, 2003. (A collection of chapters written by different authors, covering a wide range of practical network/system security issues)
[Pfleeger 06] Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 4th Edition, Prentice Hall, 2006. (Describing security issues from a computing perspective.)
[O'Neill 03] Mark O'Neill, et al., Web Services Security, Wiley, 2003. (Provides an overview on the issues and enabling technologies for secure Web Services.)
[Eastlake 03] Donald E. Eastlake III and Kitty Niles, Security XML, Addison Wesley, 2003 (provides details about security features in XML).
[Mitnick 02] Kevin D. Mitnick and William L. Simon, The Art of Deception, Wiley, 2002. (Kevin Mitnick was a high-profile convicted hacker. The book provides first-hand insights on how "social engineering" is used to achieve security breaches of all types.)
[Ferguson 03] Niels Ferguson and Bruce Schneier, Practical Cryptography, Wiley, 2003. (A sequel to the classic by Bruce Schneier. It provides key insights on the design and implementation of real world secured systems.)
[Schneier 04] Bruce Schneier, Secrets and Lies - Digital Security in a Networked World, Wiley, 2004. (An essay-style writing providing reflections on social, political and other not-so-technical aspects of security, privacy issues.)
[Ford 01] Warwick Ford and Michael S. Baum, Secure Electronic Commerce, 2nd Edition, Prentice Hall, 2001. (Very readable introduction to protocols and systems designed for securing electronic commerce.)
[Peikari 03] Cyrus Peikari and Seth Fogie, Wireless Maximum Security, SAMS, 2003. (Focuses on practical vulnerabilities and exploits for 802.11 Wireless LAN systems.)
[Heiderich 11] Mario Heiderich et al, Web Application Obfuscation, Syngress press, 2011.
[Clarke 09] Justin Clarke, SQL Injection - Attacks and Defense, Syngress press, 2009.
[Smith 07] Sean Smith and John Marchesini, The Craft of System Security, Addison Wesley, 2007.
[Rescorla 01] Eric Rescorla, SSL and TLS, Addison Wesley, 2001. (Provides an authoritative treatment of the detailed technical design of the captioned protocols.)
[Barman 01] Scott Barman, Writing Information Security Policies, New Riders, 2001. (A good introduction about writing security policies.)
Basic understanding of computer systems and networking protocols.
Lectures and Tutorial Sessions
Your grade will be based on the following components:
· Homeworks: 30 %
· Hacking Exercises: 30 %
· Project: Report + Presentation: 15 % [Suggested Topics and Further details TBA]
· One Q&A-design assignment: 15 %
· Class Participation: 10 %
The Q&A-design assignment asks each student to design and submit a set of questions AND model answers/suggested solutions for a future 2-hr-long final examination of ECLT5740. To avoid asking trivial questions which merely test the memorization ability of the exam takers, you should assume the exam to be an open-book/open-note exam. Your submission will be graded according to its:
a. ORIGINALITY and thoughtfulness of the questions, i.e., non-trivial and able to highlight and test/promote the most important concepts/ideas/techniques which have been taught in our class so far.
b. Correctness of the suggested solutions/model answers.
c. Comprehensive nature (or the lack thereof), i.e. your set of questions, taken together, should cover multiple (the more, the better) key concepts/ideas/techniques taught in our class so far. In other words, setting 1-2 long essay questions on a couple of specific topics to take up the entire 2-hr exam period won't be a good choice.
d. Suitability of the overall set of questions for a time-limited 2-hr exam. In other words, it should be reasonable for a student to complete your proposed set of questions within the time limit.
Since the originality and thoughtfulness of the proposed questions are key considerations, you MUST NOT copy or merely re-phrase questions found elsewhere (i.e. from similar courses in CUHK or elsewhere, or from textbooks) and submit them as your own creation. Instead, study our course materials and reference readings/text, ask yourself which are the most important concepts you have learned from this course, and then try to design the related questions for the various key concepts. The goal of your exam paper should be to promote/strengthen a student's understanding of such concepts, i.e. view your questions as training exercises for the exam taker. To enhance the comprehensive nature of your exam, in other words, to cover a large number of important/key concepts, you may mix different types of questions in your exam design, e.g. i) a section of multiple-choice or True/False questions (for T/F questions, you MUST require students to provide not only the T/F answer but also a couple of sentences to justify their answers); additional sections for ii) short questions with multiple parts or other formats as you see fit. (You may refer to the past examination papers of the CUHK course IERG4130 for possible formats, BUT DO NOT COPY questions from those past papers for your submission.)
You are expected to do your own work and acknowledge the use of anyone else’s words or ideas. You MUST put down in your submitted work the names of people with whom you have had discussions.
Refer to http://www.cuhk.edu.hk/policy/academichonesty for details
When scholastic dishonesty is suspected, the matter will be turned over to the University authority for action.
You MUST include the following signed statement in all of your submitted homeworks, project assignments and examinations. Submission without a signed statement will not be graded.
"I declare that the assignment here submitted is original except for source material explicitly acknowledged, and that the same or related material has not been previously submitted for another course. I also acknowledge that I am aware of University policy and regulations on honesty in academic work, and of the disciplinary guidelines and procedures applicable to breaches of such policy and regulations, as contained in the website http://www.cuhk.edu.hk/policy/academichonesty/".
"I declare that, except for source material explicitly acknowledged, the assignment submitted here is my own original work, and that I have not submitted this assignment or material with the same content for the coursework of any other subject. I also confirm that I am aware of the University's policy and regulations on honesty in academic work, and of the disciplinary guidelines and procedures applicable to breaches of such policy and regulations, as contained in the website http://www.cuhk.edu.hk/policy/academichonesty/."
http://www.cse.cuhk.edu.hk/~cslui/student_teacher_expectations.pdf/
http://www.se.cuhk.edu.hk/~eclt5740/
Most of the relevant class materials will be available on the class webpage. Please visit the class webpage often and stay tuned for any announcement, supplementary discussions, clarifications and changes pertaining to the content of the course and homework assignments.
For inquiries regarding the course, please feel free to contact the instructor and/or the TAs via email. Class-related announcements may also be distributed via email.
Standard Add/Drop policies apply to this class.
Regular attendance will be vital to your success in this class; some portion of the material presented and tested may not be contained in the notes.
| Date | Topics | Highly Recommended Readings: these readings closely follow our lecture/notes and are essential for one's understanding of the required material of the class | Supplementary In-depth Readings: these are beyond the scope of the course but would be useful for someone who wants to learn more about specific topics. |
|---|---|---|---|
| Sep 8, Sep 15 | Course Admin; Security Landscape Overview | [StallingsBrown] Ch1.1-1.3, 1.5-1.7 | |
| Sep 22 | Basic Cryptography Principles; Secret Key Crypto-Systems | [StallingsBrown] Ch2.1, 2.5, Ch19.1-19.2, 19.4-19.6 | [Schneier 04], [Mitnick 02], [Garfinkel 02], [Barman 01], [Mel] Ch. 1, 2, 3, [Kaufman 02] Ch3-4, [Schneier 96], [Mel] Ch. 5, [Ferguson 10] |
| Homework 1 is released on Sep 29 and due on Oct 16 | | | |
| Sep 29, Oct 6 | Hashes, Message Digest and Message Authentication Code (MAC) | [StallingsBrown] Ch2.2, 20.1-20.2 | [Kaufman 02] Ch5, [Burnett 01], [Mel] Ch. 7, 13, 14 |
| Oct 13 | Public Key Systems; Digital Signatures; Digital Certs, PKI, Trust Models, Key Management | [StallingsBrown] 2.3-2.4, 20.3-20.4, 22.2-22.3, Ch19.7 | [Mel] Ch. 9, 12, 15, [Kaufman 02] Ch6, [Burnett 01], [Ford 01] |
| Homework 2 is released on Oct 20 and due on Nov 8 | | | |
| Oct 20, Oct 27 | Authentication technologies, protocols and systems | [StallingsBrown] Ch3.1-3.8, Ch22.1 | [Mel] Ch. 8, 10, 16, 17, [Kaufman 02] Ch9, 10, 11 |
| Nov 3, Nov 10 | Network Security | [Skoudis], [StallingsBrown] Ch6, 7, 8, 9, 11.1-11.2 | [Northcutt 05], [Liska 03], [McClure 09] |
| Release on Nov 3 | Take-home Lab1 (Due on Nov 22, 23:59) | | |
| Nov 17 | Buffer Overflow, Perimeter-based Defense for Network Security | [Skoudis], [StallingsBrown] Ch4.1-4.4, Ch12 | [Stuttard11], [Skoudis] Ch. 3, 4, [Grimes01] Ch9-11, [McClure 09], [Stein 98], [Viega 02], [Heiderich 11], [Clarke 09] |
| Nov 24 | Web Applications Security | [Skoudis] Ch4.1-4.4, Ch12 | [Mel 01] Ch. 19, 20, 21, [Rubin 01], [Kaufman02], [Smith 07], [OWASP2017], [OWASPMobile2016], [OWASP2013] |
| Release on Nov 24 | Take-home Lab2 (Due on Dec 8, 23:59) | | |
| Dec 1 | System Security | [StallingsBrown] Ch21.1-21.3 | [Rescorla 01], [Kaufman02] Ch17-19 |
| Dec 8 (Tue) | Make-up lecture: Secure Protocols/Course Review | | |
| Dec 29 (Tue) | Deadline: submission of final project & Q&A assignment (Time: 23:59) | | |
The Lecture notes used in this course have incorporated materials and/or adapted from the following sources:
The contribution and copyrights of the original authors are hereby acknowledged and recognized.
Kurose and Ross, "Computer Networking - a top down approach featuring the Internet, 2nd Edition, Chapter 7"
William Stallings, “Cryptography and Network Security, 3rd Edition”
Simon Garfinkel, Gene Spafford, “Web Security, Privacy and Commerce, 2nd Edition”
Charlie Kaufman, Radia Perlman, Mike Speciner, "Network Security, 2nd Edition"
Lincoln D. Stein, “Web Security”
Ed Skoudis, "Counter Hack"
Steve Burnett, Stephen Paine, "RSA Security's Official Guide to Cryptography"
Prof. Kris Gaj, George Mason University
Prof. Vincent Costa, Hofstra University
Prof. Henric Johnson, Blekinge Institute of Technology
Prof. Henning Schulzrinne, Columbia University
Prof. Wenke Lee, Georgia Tech
Prof. Felix Wu, UC Davis
Prof. Yehuda Afek, Tel Aviv University
CERT/CC CMU
Jochen Schiller, "Mobile Communications," 2nd Edition, Addison Wesley
Jesse Walker, Intel corp.
James Kempf, DoCoMo Labs U.S.A.
Prof. Wayne Dyksen, Dept of CSE, Michigan State University
Drs. Lucas Hui, K.P. Chow, Dept of CS, The University of Hong Kong
Hon Ching Lo, Dept of CS, Clarkson University
Nancy Cam-Winget, Russ Housley, David Wagner and Jesse Walker, "Security Flaws in 802.11 Data Link Protocols," Communications of the ACM, May 2003, Vol. 46, No. 5.