ITEC 455: Applied Cryptography and Network Security
Dept. of Information Technology
Note: Students: Please use the WebCT site associated with this course for up-to-date information as well as to download homework and lecture notes.
Instructor: Prem Uppuluri
Class timings: 12:30 pm – 1:45 pm, Tuesday, Thursday.
Office hours: TWR: 2:00 – 3:00 pm, M: 3:00 – 4:00 pm.
1. [PrivateComm] Network Security PRIVATE Communication in a PUBLIC World, 2nd Edition, Charlie Kaufman, Radia Perlman and Mike Speciner, ISBN-13: 978-0-13-046019-6, Prentice Hall.
2. [CompleteReference] Network Security The Complete Reference, Roberta Bragg, Mark Rhodes-Ousley, Keith Strassberg, ISBN: 0-07-222697-8, McGraw-Hill Osborne.
4. [HACKING] Hacking: The Art of Exploitation, Jon Erickson, ISBN: 1-59327-007-0
The course provides a deeper understanding of cryptography, its application to network security, threats/vulnerabilities to networks and countermeasures.
Attending classes is strongly encouraged, but there is no direct penalty for not attending.
Emails will be sent to the class email list: firstname.lastname@example.org. Lecture slides, assignments, solutions, syllabus and other class-related material will be posted on WebCT. ALL HOMEWORKS MUST BE SUBMITTED USING WEBCT. EMAIL submissions may not be accepted.
Lectures/Required Readings/Supplementary Readings/Homework high level description.
Introduction to Communication Security.
0.1. Review of Security Policy Development, Security Organization and Physical Security Issues.
0.2. Security Plan
0.3. Primer on Networking
0.4. Overview of Communication Security Threats (Network mapping, DOS, Transmission Security threats etc.) and countermeasures.
0.5. Roles and responsibilities of different personnel in security.
0.6. Miscellaneous threats: voice security, technical surveillance.
Lectures Based on:
#0.1 Introduction (Chapter 1, Textbook#1)
#0.2 Threats and Solutions (Chapter 1, Textbook#3).
#0.3 Technical Surveillance Countermeasures Program http://www.fas.org/irp/doddir/dod/i5240_05.pdf
#0.4 Data Link Layer Security http://www.javvin.com/networksecurity/NetworkSecurity.html
#0.5: Network Layer Security http://www.javvin.com/networksecurity/NetworkSecurityLayer3.html
#0.6: Transport Layer Security http://www.javvin.com/networksecurity/NetworkSecurityLayer4.html
Required Readings (For Homework):
#0.1 ARMY Information Security Program http://www.fas.org/irp/doddir/army/ar380-5/
#0.2 Network and Internet Security, Part III, Textbook#5.
#0.3 Risk Analysis and Defense Models (Chapter 2, Textbook#2)
#0.4 Security Policy Development (Chapter 3, Textbook#2).
#0.5 Security Organization (Chapter 4, Textbook#2)
#0.6 Physical Security (Chapter 5, Textbook#2)
#0.7 Network Mapping (Class lecture notes)
#0.8 Disaster Recovery and Business continuity plan (Chapter 27, Textbook #2)
#0.9 Chapter 1 – Textbook#3
#0.10 CNSS policies http://www.cnss.gov/policies.html
#0.11 Radford University Security Policies and Procedures (http://cio.asp.radford.edu/policy/policy.aspx)
#0.1 Voice Security in Military Applications (Chapter 3, Textbook#3)
#0.2 Telephone Security, (Chapter 4, Textbook#3)
Homework(s): Given a network for a fictitious company, perform risk analysis and apply a defense model. Identify physical security issues and list them. Also develop security policies and identify the personnel involved as well as their roles and responsibilities. Network Mapping.
1.1. Secret Key Cryptography
1.2. Public key algorithms
1.3. Key Management (Key generation, storage, distribution, destruction, sharing), PKI
1.4. Authentication Systems and Security Handshake issues
1.5. Kerberos V5
Lectures based on:
#1.1 Introduction to Cryptography (Chapter 2, Textbook #1)
#1.2 Secret Key Cryptography (Chapter 3, Textbook #1)
#1.3 Modes of Operation (Chapter 4, Textbook #1)
#1.4 Hashes and Message Digests (Chapter 5, Textbook #1)
#1.5 Public Key Algorithms (Chapter 6, Textbook #1)
#1.6 Key Management (Chapter 2, Section 2.4 Textbook#3)
#1.7 PKI (Chapter 15, Textbook #1)
Homework(s): Key Management issues, Authentication Issues.
(~ 2 weeks)
2.1. Passwords as Cryptographic keys
2.2. Trusted Intermediaries (Multiple)
2.3. Security Handshake
2.4. Kerberos system
Lectures based on:
#2.1 Authentication Systems (Chapter 9, Textbook #1)
#2.2 Security Handshake Pitfalls (Chapter 11, Textbook #2)
#2.3 Kerberos v5 (Chapter 13, Textbook #3)
Homework (s): Kerberos, Authentication system installation.
3.1. SKIP method (CERT)
3.2. Defense in Depth.
3.3. Network Device Security
3.4. Perimeter Security (Firewalls, VPN, IDS)
3.5. Backups etc.
3.6. Role based security (DNS, Proxy servers, Web Servers, IP Telephony, Credit Card, Printers, Faxes)
3.7. Modems/dialup security
3.8. IPSec, SSL/TLS
3.9. Transmission/Emission Security Controls.
3.10. End to end access control
3.11. Wireless and portable device security
3.12. Electronic Mail Security
3.13: Web Issues
Lectures based on:
#3.1 Network Architecture (Part III, Textbook #2)
#3.2 Electronic Protection Measures (Chapter 7, Textbook #2)
#3.3 IPSec (Chapter 18, Textbook #1)
#3.4 SSL/TLS (Chapter 19, Textbook #1)
#3.5 Securing Networks Systematically - the SKiP method, http://www.cert.org/archive/pdf/SKiP.pdf.
#3.6 Modems and Dialup Security (Chapter 10, Textbook#3).
#3.7 Access control – Security Management Architecture (Chapter 8, Textbook#2).
#3.8: Virtual Private network Security (Chapter 12, Textbook#2)
#3.9: Email security (Chapter 20, Textbook#1).
#3.10: Wireless network security (Chapter 13, Textbook#2).
#3.12: Role based security (Chapter 16, Textbook#2).
#3.13: Chapter 25, Web Issues Textbook#1.
Supplementary Reading (to enhance an understanding of topics listed above):
#3.1 Firewalls (Chapter 23, Textbook #1)
#3.2 Application layer security protocols: Secure Electronic Transactions http://www.informit.com/articles/article.aspx?p=26857. Secure RPC
#3.3 DoDD 8500.1 (https://acc.dau.mil/CommunityBrowser.aspx?id=37475)
Homework (s): Perimeter hardening.
(~ 1 week)
4.1. COMSEC procedures/accounting
4.2. Incident Response and Forensic Analysis
4.3. Legal Issues (Laws)
4.4. Other issues: TRANSEC/EMSEC/TEMPEST.
4.5: IT Asset Management: Hardware and software
4.6: Recommended reading: Security Compliance Tool: Case study: Tripwire Enterprise.
Required Readings (Lectures cover the material briefly):
#4.1 National COMSEC procedures
#4.2 Safeguarding and control of COMSEC Materials (http://www.cnss.gov/Assets/pdf/cnssp_1.pdf)
#4.3 COMSEC Briefing (http://www.easc.noaa.gov/Security/webfile/erso.doc.gov/briefings/COMSEC_BRIEFING.pdf)
#4.4 Incident Response and Forensic Analysis (Chapter 29, Textbook#2)
#4.5 The Laws Affecting Information Security Professionals (Chapter 30, Textbook#2)
#4.6 PDS http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf
#4.6 Smart Card Requirements, TRANSEC/EMSEC/TEMPEST, presentation at isis.poly.edu/courses/cs996-management-s2005/Lectures/EMSEC-TEMPEST.ppt
#4.7 Reporting Fraud, Waste and Abuse http://www.radford.edu/auditor/reporting.htm
#4.8 An (Unofficial) TEMPEST reference: http://www.eskimo.com/~joelm/tempestintro.html
#4.9 EMSEC countermeasures: http://cryptome.org/afssm-7011.htm
#4.10: Internal controls and security.
I will accommodate students with disabilities as per the policies and procedures of the Disability Resource Office (DRO). Please contact the DRO at: https://php.radford.edu/~dro/about_us.php for more information.
The Radford University honor code (http://www.radford.edu/~ruadmiss/honor.html) provides clear guidelines on what constitutes honesty. However, it is often hard to distinguish between collaboration and cheating. The following guidelines will help clarify what type of collaboration is allowed or prohibited in this course.
Discussion related to understanding a problem is allowed. Any discussion of the solution is however prohibited. Though problems may have similar solutions, there are different ways to formulate the solutions. In fact, in a classroom if students do the assignments individually, the solutions have differences. Any suspiciously similar assignments will be considered as copied.
Copying from the Internet sources (including Wikipedia) is prohibited.
Permitting any other student to copy your work either willingly or due to improper protection of your files is prohibited. In case your files are copied without your permission you must demonstrate that you have taken adequate security measures to prevent others from viewing or copying them. If you are not sure what permissions to associate with your files, please contact me – I will be happy to help. Examples of unacceptable security measures are:
(i) Printing out your assignments on a lab printer without taking adequate precautions to reach the printer before someone else does.
(ii) Not making your files unreadable to anyone except yourself.
Finally, the library has a good tutorial on the academic dishonesty policy at the following URL: http://lib.radford.edu/tutorial/X/index.asp. Please take the time to read this tutorial.