Summer
2005

Security Engineering
(half-course, 4VL + 2 PR)

Computer Science Department
Systems Architecture Group

• Half-Course, Praktische Informatik, Hauptstudium.
• Offered regularly, at least once every two years, usually in spring.
• 2 lectures per week, 2h each, over one semester (4SWS VL).
• 1 lab (Praktikum) per week, 2h each, over one semester (2SWS PR).

Credits:

• There will be a few, short, unannounced, closed-book quizzes to verify your existence and to test your understanding. These will be worth 40 percent of the final grade.
• An announced final examination will be given at he end of the semester. It will cover all of the relevant readings and material presented and discussed in class. It will be worth 60 percent of the course grade.
• To qualify for the final examination, you have to complete all lab assignments to the satisfaction of the teaching assistant (70% = 38.5 points).
• Regular class attendance is expected; frequent absences are grounds for a failing grade regardless of other performance. You may be missing for up to 1 lecture per semester without prior and reasonable excuse. 'prior' means notification by email before the end of business the day before the lecture. 'reasonable' means sickness or study-related events that require your attendance.
• Lectures begin on time. Students arriving more than 10 minutes late will not be admitted to the lecture and will be counted as 'missing' that day.

Prerequisites:

• Successful completion of PI-1.
• Decent Java programming skills.
• At least one semester attendance of  'Development Tools and System Administration in Unix'.

Slides: (pdf)

Demonstrations: (please use with care and conform to CBO)

• Buffer Overrun
  • Java Applett
  • Linux (tested on SuSE 9.3)

Syllabus:

• What is Security Engineering?  How to think about security?
• Principles and problems
  • Authentication
  • Authorization
  • Access Control
  • Integrity
  • Privacy
• Solutions
  • Passwords
  • Protocols
  • Biometry
  • Cryptography

    	The DES Algorithm Illustrated (tutorial)
    	RSA

  • Secure communication channels
  • PKI / Certificates
  • Monitoring Systems
  • Physical Tamper Resistance
• Attack types (overview)
  • Man in the middle
  • Social engineering
  • ...
• Case Studies
  • Access Control in UNIX
  • Access Control in Windows 2000/XP
  • Denial of service attack in internet
  • VISA-Card / Banking Cards
  • Internet Banking
  • Secure Electronic Documents (Acrobat/PDF)
  • Secure Printing and Seals
  • Copyright and Privacy Protection, Digital Rights Management (DRM)
• Advanced problems and solutions
  • Emission Security
  • Security in Distributed Systems
  • Multilateral Security
  • Multilevel Security
  • Electronic and Information Warfare
  • Telecom System Security
• Quantum Cryptography (optional if time left)

Syllabus - Lab (Practicum, 70% = 38.5 points required):

• Lab 1: Warm-up
• Lab 2: Encrypted communication (deadline 4.5.05, 10 points)
• Lab 3: Key exchange and authentication (deadline 25.5.05, 15 points)
• Lab 4: Design Review for Encrypted Sockets (deadline 8.6.05, 10 points)
• Lab 5: Toll transponder design (deadline 29.6.05, 10 points)
• Lab 6: Design review for toll transponder (deadline 13.7.05, 10 points)

Topics - Lab (PowerStudents):

• Identity Server:
  - Installation of a Liberty Alliance conform server
  - Documentation of the installation procedure
  - Overview about standard, design and functionality
• Programming / Installation of a Client Liberty Alliance conform client
  - Goal online authorization, access control using LA
  - example: HTTP service, or login to a laptop
  - Documentation
• Offline mechanisms for authorization and access control
  - Focus: ticket based methods
  - How to prevent reuse /replay attacks?
  - Overview about assumptions, solutions, existing works and procedures.