Instructor: Prof. Wing C. Lau
Office Location: SHB 818
Office Hours: Tue 4:00pm - 5:00pm or by appointment
Email: wclau at ie dot cuhk dot edu dot hk
Telephone: 3943-8356

Lecture Periods: Tue 7:00pm to 10:00pm
Venue: William M W Mong Eng Bldg ERB 404

Tutor: SHI Shangcheng
Office Location: SHB 802
Office Hours: TBD
Email: ss016 at ie dot cuhk dot edu dot hk

Course Webpage: http://www.se.cuhk.edu.hk/~eclt5740/
Course Material: Available at the Course Webpage shown above

This module provides a foundation on the technical issues concerning Cryptography, Information Security and e-Commerce. It covers areas such as: protecting information using symmetric and public key cryptography; authentication and handshake protocols; key management; trust model and Public Key Infrastructure (PKI); Network, System and Application level security.

[StallingsBrown] William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 3rd Edition, Prentice Hall, 2014.

A close substitution for the above book is:
[Stallings 13] William Stallings, Cryptography and Network Security, 6th Edition, Prentice Hall, 2013. (This book provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference. Earlier editions of this book would still be useful.)

Additional References

[Skoudis] Ed Skoudis and Tom Liston, Counter Hack Reloaded: A Step-by-step Guide to Computer Attacks and Effective Defenses, 2nd Edition, Prentice Hall, 2005.
[GoodrichTamassia11] Michael Goodrich and Roberto Tamassia, Introduction to Computer Security, Pearson Higher Education, 2011. (Offers an up-to-date, comprehensive introduction to the non-crypto aspects of computer/system security.)
[PaarPelzl10] Christof Paar and Jan Pelzl, Understanding Cryptography: A Textbook for Students and Practitioners, Springer, 2010. Full text available as an ebook via the CUHK library at http://vladimirbozovic.net/univerzitet/wp-content/uploads/2010/02/understanding_cryptography.pdf (An excellent introductory text for cryptography; well balanced between mathematical rigor and engineering intuition for many modern practical crypto algorithms.)
[Stuttard11] Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, 2nd Edition, Wiley, 2011.
[Kaufman02] Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security, 2nd Edition, Prentice Hall, 2002. (The authors are all well-known designers/architects of key security protocols/systems widely deployed in practice. The book provides excellent insights on the technical details and rationale behind the design of the protocols/algorithms. The technical depth may overwhelm casual, non-technical readers though.)
[Anderson08] Ross Anderson, Security Engineering, 2nd Edition, Wiley, 2008.
[Mel] H.X. Mel and Doris M. Baker, Cryptography Decrypted, Addison Wesley, 2000.
[Menezes 96] Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. (A precise, mathematically oriented reference. The entire manuscript can be freely downloaded for personal use from http://www.cacr.math.uwaterloo.ca/hac)
[Schneier 96] Bruce Schneier, Applied Cryptography, 2nd Edition, Wiley, 1996. (A classic must-read for people who are serious about working in the area of cryptography.)
[Northcutt 05] Stephen Northcutt et al., Inside Network Security Perimeter, 2nd Edition, New Riders, 2005. (Provides excellent intermediate/advanced treatment of technologies and network planning issues including VPNs, firewalls and intrusion detection; a must-read for someone who wants to design/set up a secure network perimeter.)
[McClure 09] Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed, 6th Edition, McGraw-Hill Osborne, 2009. (One of the books in the best-selling "Hacking Exposed" series. A must-read for those who want to understand the nuts and bolts of the latest vulnerabilities and exploits of real-world systems and networks.)
[Garfinkel 02] Simson Garfinkel, Gene Spafford, Web Security, Privacy and Commerce, 2nd Edition, O'Reilly, 2002. (Easy-to-read, informative and up-to-date discussion of the subject. One of its strengths is its coverage of the security-related services and products available in the real world.)
[Viega 02] John Viega and Gary McGraw, Building Secure Software, Addison Wesley, 2002. (A must-read for software developers/system architects who want to build secure software.)
[Cheswick 03] William R. Cheswick, Steven M. Bellovin and Aviel D. Rubin, Firewalls and Internet Security, 2nd Edition, Addison Wesley, 2003. (Intended for an intermediate/advanced level audience. Provides informative and interesting technical details.)
[Liska 03] Allan Liska, The Practice of Network Security, Prentice Hall, 2003. (A down-to-earth, good collection of practical networking/protocol security pitfalls and configuration strategies.)
[Stein 98] Lincoln D. Stein, Web Security, Addison Wesley, 1998. (Written by the author of the WWW FAQ. A good, easy-to-read introduction to practical web security problems. Includes the nuts and bolts of real-life vulnerabilities and exploits. Very informative, but a bit outdated.)
[Rubin 01] Aviel D. Rubin, White-Hat Security Arsenal, Addison Wesley, 2001. (Written in a problem-solving style to discuss solutions for various security-related tasks faced by an enterprise. Intermediate/advanced level.)
[Stallings 11] William Stallings, Cryptography and Network Security, 5th Edition, Prentice Hall, 2011. (Provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference.)
[Burnett 01] Steve Burnett and Stephen Paine, RSA Security's Official Guide to Cryptography, RSA Press, 2001. (Provides high-level descriptions of cryptography basics without getting into the technical details/mathematics.)
[Grimes 01] Roger A. Grimes, Malicious Mobile Code, O'Reilly, 2001. (Detailed coverage of hostile mobile code for Windows-based systems.)
[Anonymous 03] Anonymous, Maximum Security, 4th Edition, SAMS, 2003. (A collection of chapters written by different authors, covering a wide range of practical network/system security issues.)
[Pfleeger 06] Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 4th Edition, Prentice Hall, 2006. (Describes security issues from a computing perspective.)
[O'Neill 03] Mark O'Neill et al., Web Services Security, Wiley, 2003. (Provides an overview of the issues and enabling technologies for secure Web Services.)
[Eastlake 03] Donald E. Eastlake III and Kitty Niles, Security XML, Addison Wesley, 2003. (Provides details about security features in XML.)
[Mitnick 02] Kevin D. Mitnick and William L. Simon, The Art of Deception, Wiley, 2002. (Kevin Mitnick was a high-profile convicted hacker. The book provides first-hand insights on how "social engineering" is used to achieve security breaches of all types.)
[Ferguson 03] Niels Ferguson and Bruce Schneier, Practical Cryptography, Wiley, 2003. (A sequel to the classic by Bruce Schneier. It provides key insights on the design and implementation of real-world secure systems.)
[Schneier 04] Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, Wiley, 2004. (Essay-style writing providing reflections on social, political and other not-so-technical aspects of security and privacy issues.)
[Ford 01] Warwick Ford and Michael S. Baum, Secure Electronic Commerce, 2nd Edition, Prentice Hall, 2001. (Very readable introduction to protocols and systems designed for securing electronic commerce.)
[Peikari 03] Cyrus Peikari and Seth Fogie, Wireless Maximum Security, SAMS, 2003. (Focuses on practical vulnerabilities and exploits for 802.11 Wireless LAN systems.)
[Heiderich 11] Mario Heiderich et al., Web Application Obfuscation, Syngress Press, 2011.
[Clarke 09] Justin Clarke, SQL Injection: Attacks and Defense, Syngress Press, 2009.
[Smith 07] Sean Smith and John Marchesini, The Craft of System Security, Addison Wesley, 2007.
[Rescorla 01] Eric Rescorla, SSL and TLS, Addison Wesley, 2001. (Provides an authoritative treatment of the detailed technical design of the captioned protocols.)
[Barman 01] Scott Barman, Writing Information Security Policies, New Riders, 2001. (A good introduction to writing security policies.)

Pre-requisite

Basic understanding of computer systems and networking protocols.

Teaching format

Lectures and Tutorial Sessions

Course Assessment

Your grade will be based on the following components:
Homeworks: 15%
Hacking Exercises: 15%
Project (Report + Presentation): 20% [Suggested Topics and Further details TBA]
Final Exam: 50% (2-hour final examination)

Academic Honesty

You are expected to do your own work and acknowledge the use of anyone else's words or ideas. You MUST put down in your submitted work the names of people with whom you have had discussions. Refer to http://www.cuhk.edu.hk/policy/academichonesty for details. When scholastic dishonesty is suspected, the matter will be turned over to the University authority for action.

You MUST include the following signed statement in all of your submitted homeworks, project assignments and examinations. Submission without a signed statement will not be graded.

"I declare that the assignment here submitted is original except for source material explicitly acknowledged, and that the same or related material has not been previously submitted for another course. I also acknowledge that I am aware of University policy and regulations on honesty in academic work, and of the disciplinary guidelines and procedures applicable to breaches of such policy and regulations, as contained in the website http://www.cuhk.edu.hk/policy/academichonesty/".

The Chinese version of the same declaration, translated: "I declare that, except for material whose source is explicitly indicated, the assignment submitted here is my own original work, and that I have not used this assignment or material with the same content in the assignments of other courses. I also confirm that I am aware of the University's policy and rules on honesty in academic work, and of the disciplinary guidelines and procedures applicable to breaches, as contained on the website http://www.cuhk.edu.hk/policy/academichonesty/."

Student/Faculty Expectations on Teaching and Learning

http://www.cse.cuhk.edu.hk/~cslui/student_teacher_expectations.pdf/

Class Webpage

http://www.se.cuhk.edu.hk/~eclt5740/
Most of the relevant class materials will be available on the class webpage. Please visit the class webpage often and stay tuned for any announcement, supplementary discussions, clarifications and changes pertaining to the content of the course and homework assignments.

Email Communications

For inquiries regarding the course, please feel free to contact the instructor and/or the TA's via email. Class-related announcements may also be distributed via email.

Add/Drop Policy

Standard Add/Drop policies apply to this class.

Attendance

Regular attendance will be vital to your success in this class; some portion of the material presented and tested may not be contained in the notes.

Tentative Lecture Schedule (Subject to change)

Each entry lists the date, the topics, the readings and any homework/remarks. Highly Recommended Readings closely follow our lecture notes and are essential for one's understanding of the required material of the class; Supplementary In-depth Readings are beyond the scope of the course but would be useful for someone who wants to learn more about specific topics. Readings are listed in that order below.

Jan 9 (Tue), Jan 16 (Tue)
Topics: Course Admin; Security Landscape Overview
Readings: [StallingsBrown] Ch1.1-1.3, 1.5-1.7

Jan 23 (Tue), Jan 30 (Tue)
Topics: Basic Cryptography Principles; Secret Key Crypto-Systems
Readings: [StallingsBrown] Ch2.1, 2.5, Ch19.1-19.2, 19.4-19.6; [Schneier 04], [Mitnick 02], [Garfinkel 02], [Barman 01], [Mel] Ch. 1, 2, 3; [Kaufman 02] Ch3-4, [Schneier 96], [Mel] Ch. 5, [Ferguson 10]

Feb 6 (Tue), Feb 13 (Tue)
Topics: Hashes, Message Digest and Message Authentication Code (MAC)
Readings: [StallingsBrown] Ch2.2, 20.1-20.2; [Kaufman 02] Ch5, [Burnett 01], [Mel] Ch. 7, 13, 14

Feb 27 (Tue)
Topics: Public Key Systems; Digital Signatures; Digital Certs, PKI, Trust Models, Key Management
Readings: [StallingsBrown] 2.3-2.4, 20.3-20.4, 22.2-22.3, Ch 19.7; [Mel] Ch. 9, 12, 15, [Kaufman 02] Ch6, [Burnett 01], [Ford 01]

Mar 6 (Tue)
Topics: Authentication technologies, protocols and systems
Readings: [StallingsBrown] Ch3.1-3.8, Ch22.1; [Mel] Ch. 8, 10, 16, 17, [Kaufman 02] Ch9, 10, 11

Mar 13 (Tue), Mar 20 (Tue)
Topics: Network Security
Readings: [Skoudis], [StallingsBrown] Ch6, 7, 8, 9, 11.1-11.2; [Northcutt 05], [Liska 03], [McClure 09]
Remarks: Mar 24 (Sat), Mar 25 (Sun) 14:00-18:00, Rm612 William M. W. Mong Engineering Building; TA will be available there to assist

Mar 27 (Tue)
Topics: Buffer Overflow, Perimeter-based Defense for Network Security
Readings: [Skoudis], [StallingsBrown] Ch4.1-4.4, Ch12; [Stuttard11], [Skoudis] Ch. 3, 4, [Grimes 01] Ch 9-11, [McClure 09], [Stein 98], [Viega 02], [Heiderich 11], [Clarke 09]

Apr 3 (Tue)
Topics: Web Applications Security
Readings: [Skoudis] Ch4.1-4.4, Ch12; [Mel 01] Ch. 19, 20, 21, [Rubin01], [Kaufman02], [Smith07], [OWASP2017], [OWASPMobile2016], [OWASP2013]
Remarks: Apr 3 (TA will provide office hours for consultation)

Apr 10 (Tue)
Topics: System Security
Readings: [StallingsBrown] Ch21.1-21.3; [Rescorla 01], [Kaufman02] Ch17-19
Remarks: Apr 14 (Sat), Apr 15 (Sun) 14:00-18:00 (Rm612 William M.W. Mong Engineering Bldg); TA will be there as the last resort

Apr 17 (Tue)
Topics: Make-up lecture: Secure Protocols/Course Review

Apr 24 (Tue)

May 5 (Sat) 6:00 to 10:00 pm (ERB 612)

Lecture Notes (in PDF format)

The lecture notes used in this course have incorporated materials from and/or adapted from the following sources. The contribution and copyrights of the original authors are hereby acknowledged and recognized.

Kurose and Ross, "Computer Networking: A Top-Down Approach Featuring the Internet", 2nd Edition, Chapter 7
William Stallings, "Cryptography and Network Security, 3rd Edition"
Simson Garfinkel, Gene Spafford, "Web Security, Privacy and Commerce, 2nd Edition"
Charlie Kaufman, Radia Perlman, Mike Speciner, "Network Security, 2nd Edition"
Lincoln D. Stein, "Web Security"
Ed Skoudis, "Counter Hack"
Steve Burnett, Stephen Paine, "RSA Security's Official Guide to Cryptography"
Prof. Kris Gaj, George Mason University
Prof. Vincent Costa, Hofstra University
Prof. Henric Johnson, Blekinge Institute of Technology
Prof. Henning Schulzrinne, Columbia University
Prof. Wenke Lee, Georgia Tech
Prof. Felix Wu, UC Davis
Prof. Yehuda Afek, Tel Aviv University
CERT/CC, CMU
Jochen Schiller, "Mobile Communications," 2nd Edition, Addison Wesley
Jesse Walker, Intel Corp.
James Kempf, DoCoMo Labs U.S.A.
Prof. Wayne Dyksen, Dept of CSE, Michigan State University
Drs. Lucas Hui, K.P. Chow, Dept of CS, The University of Hong Kong
Hon Ching Lo, Dept of CS, Clarkson University
Nancy Cam-Winget, Russ Housley, David Wagner and Jesse Walker, "Security Flaws in 802.11 Data Link Protocols," Communications of the ACM, May 2003, Vol. 46, No. 5.