ITEC 455: Applied Cryptography and Network Security

Spring 2010

Dept. of Information Technology

Radford University

 

Note: Students: Please use the WebCT site associated with this course for up-to-date information as well as to download homework and lecture notes.

 

 

Instructor/Class timings

Schedule/List of topics and readings

Textbooks (Primary and secondary)

Evaluation

Academic integrity policy

Disability Resources

Communication

Attendance Policy

 

 

 

Instructor: Prem Uppuluri

Class timings: 12:30 pm – 1:45 pm, Tuesday, Thursday.

Office hours: TWR: 2:00 – 3:00 pm, M: 3:00 – 4:00 pm.

 

 

Textbooks (Required)

Primary:

1.       [PrivateComm] Network Security PRIVATE Communication in a PUBLIC World, 2nd Edition, Charlie Kaufman, Radia Perlman and Mike Speciner, ISBN-13: 978-0-13-046019-6, Prentice Hall.

Secondary:

2.        [CompleteReference] Network Security The Complete Reference, Roberta Bragg, Mark Rhodes-Ousley, Keith Strassberg, ISBN: 0-07-222697-8, McGraw-Hill Osborne.

3.       [SecureComm] Secure Communication, Roger Sutton, John Wiley and Sons, ISBN-13: 978-0471499046

 

Other References:

4.       [HACKING] Hacking: The Art of Exploitation, Jon Erickson, ISBN: 1-59327-007-0

5.       [PracticalUNIX] Practical UNIX and Internet Security, 3rd Edition, Simson Garfinkel, Gene Spafford and Alan Schwartz, O’Reilly publishing, ISBN-13: 978-0-596-00323-4.

6.       Securing Networks Systematically - the SKiP method, http://www.cert.org/archive/pdf/SKiP.pdf.

 

 

Evaluation (Tentative):

 

 

Course Objectives

The course provides a deeper understanding of cryptography, its application to network security, threats/vulnerabilities to networks and countermeasures.

 

Attendance

Attending classes is strongly encouraged, but there is no direct penalty for not attending.

 

 

Communication
Emails will be sent to the class email list: ru-itec455-spring-01@radford.edu. Lecture slides, assignments, solutions, syllabus and other class-related material will be posted on WebCT. ALL HOMEWORK MUST BE SUBMITTED USING WEBCT. EMAIL submissions may not be accepted.

 

 

 

List of topics/Schedule

Topic Number

Topics covered

Lectures/Required Readings/Supplementary Readings/Homework high level description.

0.

 

(~2 weeks)

Introduction to Communication Security.

0.1.            Review of Security Policy Development, Security Organization and Physical Security Issues.

0.2.            Security Plan

0.3.            Primer on Networking

0.4.            Overview of Communication Security Threats (Network mapping, DOS, Transmission Security threats etc.) and countermeasures.

0.5.            Roles and responsibilities of different personnel in security.

0.6.            Miscellaneous threats: voice security, technical surveillance.

 

 

 

Lectures Based on:

#0.1 Introduction (Chapter 1, Textbook#1)

#0.2 Threats and Solutions (Chapter 1, Textbook#3).

#0.3 Technical Surveillance Countermeasures Program http://www.fas.org/irp/doddir/dod/i5240_05.pdf

#0.4 Data Link Layer Security http://www.javvin.com/networksecurity/NetworkSecurity.html

#0.5: Network Layer Security http://www.javvin.com/networksecurity/NetworkSecurityLayer3.html

#0.6: Transport Layer Security http://www.javvin.com/networksecurity/NetworkSecurityLayer4.html

 

 

Required Readings (For Homework):

#0.1 ARMY Information Security Program http://www.fas.org/irp/doddir/army/ar380-5/

#0.2 Network and Internet Security, Part III, Textbook#5.

#0.3 Risk Analysis and Defense Models (Chapter 2, Textbook#2)

#0.4 Security Policy Development (Chapter 3, Textbook#2).

#0.5 Security Organization (Chapter 4, Textbook#2)

#0.6 Physical Security (Chapter 5, Textbook#2)

#0.7 Network Mapping (Class lecture notes)

#0.8 Disaster Recovery and Business continuity plan (Chapter 27, Textbook #2)

#0.9 Chapter 1 – Textbook#3

#0.10 CNSS policies http://www.cnss.gov/policies.html

#0.11 Radford University Security Policies and Procedures (http://cio.asp.radford.edu/policy/policy.aspx)

 

Recommended Reading

#0.1 Voice Security in Military Applications (Chapter 3, Textbook#3)

#0.2 Telephone Security, (Chapter 4, Textbook#3)

 

Homework(s): Given a network for a fictitious company, perform risk analysis and apply a defense model. Identify physical security issues and list them. Also develop security policies and identify the personnel involved as well as their roles and responsibilities. Network Mapping.

 

 

 

 

1.

 

(~4 weeks)

Applied Cryptography

1.1.            Secret Key Cryptography

1.2.            Public key algorithms

1.3.            Key Management (Key generation, storage, distribution, destruction, sharing), PKI

1.4.            Authentication Systems and Security Handshake issues

1.5.            Kerberos V5

 

 

Lectures based on:

#1.1 Introduction to Cryptography (Chapter 2, Textbook #1)

#1.2 Secret Key Cryptography (Chapter 3, Textbook #1)

#1.3 Modes of Operation (Chapter 4, Textbook #1)

#1.4 Hashes and Message Digests (Chapter 5, Textbook #1)

#1.5 Public Key Algorithms (Chapter 6, Textbook #1)

#1.6 Key Management (Chapter 2, Section 2.4 Textbook#3) 

#1.7 PKI (Chapter 15, Textbook #1)

 

Homework(s): Key Management issues, Authentication Issues.

2.

 

(~ 2 weeks)

Authentication Issues

2.1.            Passwords as Cryptographic keys

2.2.            Trusted Intermediaries (Multiple)

2.3.            Security Handshake

2.4.            Kerberos system

 

 

    

 Lectures based on:

 #2.1 Authentication Systems (Chapter 9, Textbook #1)

 #2.2 Security Handshake Pitfalls (Chapter 11, Textbook #2)

 #2.3 Kerberos v5 (Chapter 13, Textbook #3)

 

 

Homework (s): Kerberos, Authentication system installation.

3.

 

(~5-7 weeks)

Securing Networks

3.1.            SKIP method (CERT)

3.2.            Defense in Depth.

3.3.            Network Device Security

3.4.            Perimeter Security (Firewalls, VPN, IDS)

3.5.            Backups etc.

3.6.            Role based security (DNS, Proxy servers, Web Servers, IP Telephony, Credit Card, Printers, Faxes)

3.7.            Modems/dialup security

3.8.            IPSec, SSL/TLS

3.9.            Transmission/Emission Security Controls.

3.10.        End to end access control

3.11. Wireless and portable device security

3.12. Electronic Mail Security

3.13: Web Issues

 

Lectures based on:

#3.1 Network Architecture (Part III, Textbook #2)

#3.2 Electronic Protection Measures (Chapter 7, Textbook #2)

#3.3 IPSec (Chapter 18, Textbook #1)

#3.4 SSL/TLS (Chapter 19, Textbook #1)

#3.5 Securing Networks Systematically  - the SKiP method, http://www.cert.org/archive/pdf/SKiP.pdf.

#3.6 Modems and Dialup Security (Chapter 10, Textbook#3).

#3.7 Access control – Security Management Architecture (Chapter 8, Textbook#2).

#3.8: Virtual Private network Security (Chapter 12, Textbook#2)

#3.9: Email security (Chapter 20, Textbook#1).

#3.10: Wireless network security (Chapter 13, Textbook#2).

#3.12: Role based security (Chapter 16, Textbook#2).

#3.13: Chapter 25, Web Issues Textbook#1.

Supplementary Reading (to enhance an understanding of topics listed above):

#3.1 Firewalls (Chapter 23, Textbook #1)

#3.2 Application layer security protocols: Secure Electronic Transactions http://www.informit.com/articles/article.aspx?p=26857. Secure RPC

#3.3 DoDD 8500.1 (https://acc.dau.mil/CommunityBrowser.aspx?id=37475)

 

Homework (s): Perimeter hardening.

4.

 

(~ 1 week)

Miscellaneous topics:

4.1.            COMSEC procedures/accounting

4.2.            Incident Response and Forensic Analysis

4.3.            Legal Issues (Laws)

4.4.            Other issues: TRANSEC/EMSEC/TEMPEST.

4.5:  IT Asset Management: Hardware and software

4.6: Recommended reading: Security Compliance Tool: Case study: Tripwire Enterprise.

Required Readings (Lectures cover the material briefly):

#4.1 National COMSEC procedures

#4.2 Safeguarding and control of COMSEC Materials (http://www.cnss.gov/Assets/pdf/cnssp_1.pdf)

#4.3 COMSEC Briefing (http://www.easc.noaa.gov/Security/webfile/erso.doc.gov/briefings/COMSEC_BRIEFING.pdf)

#4.4 Incident Response and Forensic Analysis (Chapter 29, Textbook#2)

#4.5 The Laws Affecting Information Security Professionals (Chapter 30, Textbook#2)

#4.6 PDS http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf

 

Recommended Readings:

#4.6 Smart Card Requirements, TRANSEC/EMSEC/TEMPEST, presentation at isis.poly.edu/courses/cs996-management-s2005/Lectures/EMSEC-TEMPEST.ppt

#4.7 Reporting Fraud, Waste and Abuse http://www.radford.edu/auditor/reporting.htm

#4.8 An (Unofficial) TEMPEST reference:  http://www.eskimo.com/~joelm/tempestintro.html

#4.9 EMSEC countermeasures: http://cryptome.org/afssm-7011.htm

#4.10: Internal controls and security.

 

 

 

 

 

Disability resources

 

I will accommodate students with disabilities as per the policies and procedures of the Disability Resource Office (DRO). Please contact the DRO at: https://php.radford.edu/~dro/about_us.php for more information.

 

Important: Academic Integrity Policy

 

The Radford University honor code (http://www.radford.edu/~ruadmiss/honor.html) provides clear guidelines on what constitutes honesty. However, it is often hard to distinguish between collaboration and cheating. The following guidelines will help clarify what type of collaboration is allowed or prohibited in this course.

      Discussion related to understanding a problem is allowed. Any discussion of the solution is, however, prohibited. Though problems may have similar solutions, there are different ways to formulate the solutions. In fact, in a classroom, if students do the assignments individually, the solutions have differences. Any suspiciously similar assignments will be considered as copied.

      Copying from Internet sources (including Wikipedia) is prohibited.

      Permitting any other student to copy your work either willingly or due to improper protection of your files is prohibited. In case your files are copied without your permission you must demonstrate that you have taken adequate security measures to prevent others from viewing or copying them. If you are not sure what permissions to associate with your files, please contact me – I will be happy to help. Examples of unacceptable security measures are:

(i)                   Printing out your assignments on a lab printer without taking adequate precautions to reach the printer before someone else does.

(ii)                 Not making your files unreadable to anyone except yourself.

 

Finally, the library has a good tutorial on the academic dishonesty policy at the following URL: http://lib.radford.edu/tutorial/X/index.asp. Please take the time to read this tutorial.