Course Design Document
IS302: Information Security and Trust
Version 4.4
29 December 2009
SMU School of Information Systems (SIS)
Table of Content
1 Versions History
2 Overview of Security and Trust Course
2.1 Synopsis
2.2 Prerequisites
2.3 Objectives
2.4 Basic Modules
2.5 Instructional Staff
3 Output and Assessment Summary
4 Group Allocation for Assignments
5 Learning Outcomes, Achievement Methods, and Assessment
6 Classroom Planning
7 Course Schedule Summary
8 List of Information Resources and References
9 Tooling
10 Weekly Plan
1 Versions History
| Version | Description of Changes | Author | Date |
|---|---|---|---|
| V 1.0 | | Yingjiu Li | 31-12-2004 |
| V 2.0 | Based on discussions with Ravi Sandu and Ankit Fadia, revised the design documents for weeks 7 - 11; re-designed the project | Yingjiu Li | 03-12-2005 |
| V 2.1 | Re-designed the lab session | Yingjiu Li | 26-12-2005 |
| V 2.2 | Revised the pre-requisites of the course, learning outcomes, and tooling | Yingjiu Li | 07-08-2006 |
| V 3.0 | Revised course content and schedule; strengthened hands-on exercise | Yingjiu Li | 28-12-2006 |
| V 4.0 | Revised course content and schedule | Yingjiu Li | 03-12-2007 |
| V 4.1 | Reformatted the design document | Yingjiu Li | 15-02-2008 |
| V 4.2 | Revised design | Yingjiu Li | 24-12-2008 |
| V 4.3 | Revised learning outcomes | Yingjiu Li | 02-11-2009 |
2 Overview of Security and Trust Course
2.1 Synopsis
The Security and Trust course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn the essentials of security models, algorithms, protocols, and mechanisms in computer networks, programs, and database systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and the Java language.
2.2 Prerequisites
Students should understand the basics of computer networks, programming languages (Java, in particular), and information systems.
2.3 Objectives
Upon finishing the course, students are expected to:
• Understand basic security concepts, models, algorithms and protocols.
• Understand security requirements and constraints in some real world applications.
• Be able to analyze the current security mechanisms.
• Be aware of the current and future trends in security applications.
2.4 Basic Modules
2.5 Instructional Staff
Professors: Yingjiu Li, Xuhua Ding
Instructional staff: Sharon Lim Yee Pin ([email protected])
Teaching assistant: Ailina Nagarawati for G3, G4, and G5
3 Output and Assessment Summary
| Week | Date | Output | Assessments | Weighting in % | Group Weighting | Remarks |
|---|---|---|---|---|---|---|
| 1 | | 10 project groups | | | Project 25% (report 15%, presentation 10%) | Overview |
| 2 | | | | | | Enc to DES |
| 3 | | | Assignment 1 | 5 | | Enc to AES |
| 4 | | | | | | RSA, DH |
| 5 | | | | | | Hash, MAC, Sig |
| 6 | | | | | | Cert, PKI |
| 7 | | | Quiz | 15 | | Password |
| 8 | | (Recess) | | | | |
| 9 | | Review quiz | | | | Password II and internet security |
| 10 | | | Assignment 2 | 5 | | AC |
| 11 | | Lab | | | | Password cracking, FW, IDS |
| 12 | | Project presentation | | | | |
| 13 | | Project presentation and demo | | 10 | | A variety of topics |
| 14 | | (Review) | Project report | 15 | | |
| 15 | | | Final exam | 40 | | |
| Total | | | | 90 | 100% | |

[Chart: Final exam 40%; Assignments 10%; Midterm quiz 15%; Class participation 10%]
Midterm quiz (15%; problem solving)
1.5 hours (closed-book)
Covers the first 6 weeks.
Class participation (10%)
Evaluated by the lecturers based on students' class attendance and participation in classroom discussions
Project (25%) consists of part A (15%) and part B (10%)
Teaming: 10 random teams per class.
References: internet, textbook
Part A: Open-ended investigation into a security-related topic (each team chooses a different topic)
Students are given a list of security-related topics such as cell phone security, RFID system security, and EMR system security
Grading: 5% presentation + 10% project report (5% breadth, 5% depth)
Deliverables: Each team will write a project report on their findings, and deliver an oral presentation. The report will be within 10~15 pages, using 11pt font, single column and single space format. The oral presentation will be delivered in 20 minutes including Q&A.
Requirements: In both the report and the presentation, each team should:
a) Describe the background of the related topic
b) Evaluate major/certain security problem(s) in the field
c) Present solutions to the problem(s)
d) Analyze the possible impact/benefits of deploying the solutions in one or more business sectors, and provide a simple case study where appropriate
Part B: prototype simulation and demo of a secure RFID system
Background: Company SEC decides to implement RFID technology to increase the efficiency and visibility of tracking its products. However, security is a major concern since SEC does not want any of its competitors to be able to collect its RFID information (e.g., its inventory level, where, when, and what products are processed) via the wireless communication channel from a distance. Therefore, it decides to implement a secure RFID communication protocol so that an adversary, without knowing tag secret keys, will not be able to identify or track any tags.
Setting: there are 1000 RFID tags and one reader. Each of the tags is assigned a random key of 96 bits, and is equipped with a pseudorandom number generator and a hash function (e.g., MD5 or SHA1). The reader maintains a database of the keys for all 1000 tags.
Protocol: the protocol is run between the reader and any tag. To authenticate or identify the tag, the reader first generates a random number C1 of at least 80 bits, and sends it to the tag. Upon receiving C1, the tag generates another random number C2, computes R=Hash(K,C1,C2), and sends (C2, R) back to the reader, where K is the key of this tag. Upon receiving (C2, R), the reader searches its database to find the correct key K, which is the one that produces the same R as received from the tag. The reader outputs the serial number of this key K in its database as the tag's ID.
Requirements: the students are required to simulate the protocol in a program (e.g., Java, or OpenSSL). The input of the protocol is any tag (whose key is taken from the reader's database). The output should be the correct serial number of the tag's key in the reader's database, as well as the exact time that is spent by the reader in identifying the tag in the protocol. An additional (optional) requirement is to simulate the memory of an EPC tag while the protocol runs.
Deliverables: the students should demo their simulation of the protocol in 10 minutes in their presentations (in weeks 12 and 13). In addition, they need to write a report within 5 pages on their designs, and attach their code. In the report, the students should analyze why this protocol is secure.
Grading: 10% based on both demo and report (4% correctness, 3% security, 3% efficiency and quality).
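A minimal Python simulation of the Part B protocol, added here as an example and not part of the course material. It assumes SHA-1 for Hash, plain concatenation of the fixed-length fields K, C1, C2, an 80-bit C2, and the 0-based position in the reader's key list as the serial number; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

KEY_BYTES = 12        # 96-bit tag key, as in the project setting
CHALLENGE_BYTES = 10  # 80-bit C1 (the stated minimum); same length for C2 is an assumption
NUM_TAGS = 1000


def tag_hash(key, c1, c2, hash_name="sha1"):
    """R = Hash(K, C1, C2); fixed field lengths make concatenation unambiguous."""
    return hashlib.new(hash_name, key + c1 + c2).digest()


class Tag:
    """Holds one secret key and answers a reader challenge."""

    def __init__(self, key):
        self._key = key

    def respond(self, c1):
        # Fresh C2 per run: two answers from the same tag never look alike.
        c2 = secrets.token_bytes(CHALLENGE_BYTES)
        return c2, tag_hash(self._key, c1, c2)


class Reader:
    """Holds the key database; list position serves as the serial number."""

    def __init__(self, keys):
        self.keys = list(keys)

    def challenge(self):
        return secrets.token_bytes(CHALLENGE_BYTES)

    def identify(self, c1, c2, r):
        """Linear search over all keys; returns (serial or None, seconds spent)."""
        start = time.perf_counter()
        found = None
        for serial, key in enumerate(self.keys):
            if hmac.compare_digest(tag_hash(key, c1, c2), r):
                found = serial
                break
        return found, time.perf_counter() - start


def run_protocol(reader, tag):
    """One full exchange: reader -> C1, tag -> (C2, R), reader -> serial."""
    c1 = reader.challenge()
    c2, r = tag.respond(c1)
    return reader.identify(c1, c2, r)


def build_system(n=NUM_TAGS):
    keys = [secrets.token_bytes(KEY_BYTES) for _ in range(n)]
    return Reader(keys), [Tag(k) for k in keys]


if __name__ == "__main__":
    reader, tags = build_system()
    for serial in (0, 499, 999):
        found, elapsed = run_protocol(reader, tags[serial])
        print(f"tag {serial}: identified as {found} in {elapsed * 1e3:.3f} ms")
```

The reader's cost grows linearly with the number of tags, because it must recompute the hash under each candidate key until one matches; the timing output makes that visible for tags early and late in the database.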
The project outline/draft within 5 pages on both part A and part B (hardcopy) is due before or during the class in week 9. The presentations & demos will be delivered in weeks 12 and 13. The final report is due on Monday in week 14.
Final Exam (40%; closed-book) in week 15
Covers all material taught in class, including the invited talk and lab
Multiple choice questions and short answer questions
4 Group Allocation for Assignments
Each class is partitioned into 10 groups. The students in each group are randomly selected.
5 Learning Outcomes, Achievement Methods, and Assessment
IS302 - Information Security and Trust
Course-specific core competencies which address the Outcomes
Faculty Methods to Assess Outcomes
1 Integration of business & technology in a sector context
1.1 Business IT value linkage skills
YY
Identify the security properties of enterprise information systems
Analyze the security tradeoffs to be made in design of enterprise information systems
List basic design principles of protecting enterprise information systems
Identify major security technologies/components that are most effective for protecting enterprise information systems
Explain the future trend of security technologies that will generate significant impact to practice
Execute and grade in-class exercise
Grade assignments 1 and 2
Grade the project
Grade the mid term and final exams
Ability to understand & analyze the linkages between:
a) Business strategy and business value creation
b) Business strategy and information strategy
c) Information strategy and technology strategy
YY
d) Business strategy and business processes
e) Business processes or information strategy or technology strategy and IT solutions
1.2 Cost and benefits analysis skills
Y
Ability to understand and analyze:
a) Costs and benefits analysis of the project
Y
1.3 Business software solution impact analysis skills
Ability to understand and analyze:
a) How business software applications impact the enterprise within a particular industry sector.
2 IT architecture, design and development skills
2.1 System requirements specification skills
Y
Identify and perform basic security functions with major security tools
Identify the security requirements for enterprise information systems
Design effective and efficient solutions to protect enterprise information systems
Grade assignments 1 and 2
Execute and grade in-class exercise with JCE and Openssl
Ability to:
a) Elicit and understand functional requirements from customer
b) Identify non functional requirements (performance, availability, reliability, security, usability etc…)
Y
c) Analyze and document business processes
Y
2.2 Software and IT architecture analysis and design skills
Y
Analyze the vulnerability of network in a web application scenario and apply intrusion detection and firewall techniques to eliminate the vulnerability
Execute and grade lab exercise
Ability to:
a) Analyze functional and non-functional requirements to produce a system architecture that meets those requirements.
Y
b) Understand and apply process and methodology in building the application
Y
c) Create design models using known design principles (e.g. layering) and from various view points (logical, physical etc…)
Y
d) Explain and justify all the design choices and tradeoffs done during the application's development
Y
2.3 Implementation skills Y
Use openssl and JCE to design and implement security techniques for network security and access control
Execute and grade in-class hands-on exercise
Ability to:
a) Realize coding from design and vice versa
Y
b) Learn / practice one programming language
Y
c) Integrate different applications (developed application, cots software, legacy application etc…)
d) Use tools for testing, integration and deployment
Y
2.4 Technology application skills Y
Understand and know to use major security building blocks including hash, encryption and decryption, signature, certificates, password authentication, firewall, intrusion detection, and access control
Execute and grade in-class exercise
Grade assignments 1 and 2
Execute and grade lab session
Ability to:
a) Understand, select and use appropriate technology building blocks when developing an enterprise solution (security, middleware, network, IDE, ERP, CRM, SCM etc…)
Y
3 Project management skills
3.1 Scope management skills Y
Ability to:
a) Identify and manage trade-offs on scope/cost/quality/time
Y
b) Document and manage changing requirements
3.2 Risks management skills Y
Ability to:
a) Identify, prioritize, mitigate and document project’s risks
Y
b) Constantly monitor projects risks as part of project monitoring
3.3 Project integration and time management skills
Ability to:
a) Establish WBS, time & effort estimates, resource allocation, scheduling etc…
b) Practice in planning using methods and tools (Microsoft project, Gantt chart etc…)
c) Develop / execute a project plan and maintain it
3.4 Configuration management skills
Ability to:
a) Understand concepts of configuration mgt and change control
3.5 Quality management skills
Ability to:
a) Understand the concepts of Quality Assurance and Quality control (Test plan, test cases …)
4 Learning to learn skills
4.1 Search skills YY
Ability to:
a) Search for information efficiently and effectively
YY
4.2 Skills for developing a methodology for learning
Y
Ability to:
a) Develop learning heuristics in order to acquire new knowledge skills (focus on HOW to learn versus WHAT to learn).
Y
b) Abide by appropriate legal, professional and ethical practices for using and citing the intellectual property of others
5 Collaboration (or team) skills:
5.1 Skills to improve the effectiveness of group processes and work products
Y
Ability to develop:
a) Leadership skills
b) Communication skills
c) Consensus and conflict resolution skills
Y
6 Change management skills for enterprise systems
6.1 Skills to diagnose business changes
Y
Ability to:
a) Understand the organizational problem or need for change (e.g. Analyze existing business processes or “as-is process”)
Y
6.2 Skills to implement and sustain business changes
Ability to:
a) implement the change (e.g. advertise / communicate the need for change etc..) and to sustain the change over time
7 Skills for working across countries, cultures and borders
7.1 Cross-national awareness skills
Ability to:
a) Develop cross-national understandings of culture, institutions (e.g. law), language etc…
7.2 Business across countries facilitation skills
Ability to:
a) Communicate across countries
b) Adapt negotiation and conflict resolution techniques to a multicultural environment
8 Communication skills
8.1 Presentation skills Y
Ability to:
a) Provide an effective and efficient presentation on a specified topic.
Y
8.2 Writing skills Y
Ability to:
a) Provide documentation understandable by users (Requirements specifications, risks management plan, assumptions, constraints, architecture choices, design choices etc…)
Y
Y: This sub-skill is covered partially by the course
YY: This sub-skill is a main focus for this course
6 Classroom Planning
Teaching session: 3 hours
• Review: 15 minutes
• Solution techniques: 1 hour 15 minutes (security problems and techniques; analysis). Note: Learning
• Hands-on exercises: 1 hour 15 minutes (settings and steps; discussions). Note: Hands-on
• Summary: 15 minutes (learning effect)
7 Course Schedule Summary
| Wk | Topic (problem) | Readings (textbook) | Classroom: techniques (1.5 hours) | Classroom: hands-on (1.5 hours) | After-class reading and exercise |
|---|---|---|---|---|---|
| 1 | Background | Chapter 1, 7.1 | Networking basics and security concepts | Form project teams | Group formation (10 groups) and topic selection |
| 2 | Enc Basics | 2.1-2.4 | Enc basics | OpenSSL and JCE | |
| 3 | DES-AES | 2.5-2.6, 10.2 | DES, AES | OpenSSL and JCE | Assignment 1 (Assignment 1 involves coding with JCE) |
| 4 | RSA-DH | 2.7-2.8, 10.3 | RSA enc, DH | Review of assignment 1, OpenSSL and JCE | |
| 5 | Integrity | 2.8, 10.3 | Hash, MAC, RSA sig | OpenSSL and JCE | |
| 6 | Cert, PKI | 2.8, 7.6 | Cert, PKI, CRL | OpenSSL, email security, Windows cert mgt | |
| 7 | Quiz, user auth | 4.5 | Quiz | User authentication I | |
| 8 | Recess | | | | |
| 9 | User auth | 4.5, 7.3 | User authentication II and internet security | Review of quiz | Project draft due |
| 10 | AC | 4.1-4.4, 5.1-5.3 | DAC, MAC, RBAC | Java SecurityManager | Assignment 2 |
| 11 | Internet Sec | | Lab on pwd cracking | Lab on FW, IDS, and AC; review of assignment 2 | SAS-SMU Enterprise Intelligence Lab |
| 12 | Proj Pres I | | 5 groups | | |
| 13 | Proj Pres II | | 5 groups | | |
| 14 | Review | | Project report due | | Project report, Q&A |
| 15 | Final exam | | | | |
8 List of Information Resources and References
Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007
Other reading material and reference websites are available in the course slides
9 Tooling

| Tool | Description | Remarks |
|---|---|---|
| OpenSSL, JCE, CrypTool | Security tools in Windows and Java | Hands-on exercises and demo |
| PPA, IPtable, snort | Password cracking, firewall, and IDS | Lab exercises |

10 Weekly Plan

Week: 1
Session 1:
• Introduction to the course
• Basic security concepts
Session 2:
• Networking basics
• Project team formation
Reference: Chapter 1 and 7.1
Things to ensure:
• Course material is available for download from the course web site
• Students must be assigned into groups for project

Week: 2
Session 1:
• Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition
• Security analysis of ancient ciphers
Session 2:
• Installation of JCE and OpenSSL
• Test for JCE and OpenSSL
Reference: Chapter 2.1-2.4
Things to ensure:
• Students understand two basic encryption techniques: substitution and transposition
• JCE and OpenSSL are correctly installed for hands-on exercise in the following weeks

Week: 3
Session 1:
• DES: history and details
• AES: history and details
Session 2:
• Use both OpenSSL and JCE for DES and AES encryption and decryption
Reference: Chapter 2.5-2.6, 10.2
Things to ensure:
• Students know the security status of DES and AES
• Students know how to use DES and AES in OpenSSL and JCE

Week: 4
Session 1:
• Asymmetric encryption with RSA
• DH key agreement
Session 2:
• Use OpenSSL and JCE for generating RSA keys and for RSA encryption
Reference: Chapter 2.7-2.8, 10.3
Things to ensure:
• Students understand the security of RSA encryption
• Students know how to generate RSA keys and use RSA keys in OpenSSL and JCE
• Assignment 1 due and review

Week: 5
Session 1:
• Hash functions (MD5 and SHA1)
• MAC (HMAC and DES-MAC)
• RSA signature
• Compare MAC with RSA signature for message integrity check
Session 2:
• Use JCE for message integrity check with HMAC and RSA signature
Reference: Chapter 2.8, 10.3
Things to ensure:
• Students understand the security status of hash functions
• Students understand the differences between MAC and RSA signature
• Students know how to use JCE for integrity check with MAC and RSA signature

Week: 6
Session 1:
• Impersonation problem and the need of using certificates
• X.509 certificate format
• CRL
Session 2:
• Email security (S/MIME and PGP)
• Signed and/or encrypted email with COMODO certificates in Outlook
Reference: Chapter 2.8, 7.6
Things to ensure:
• Understand why and how to use certificates and CRLs
• Know how to use Outlook to send signed and/or encrypted emails

Week: 7
Session 1:
• Quiz
Session 2:
• Weak authentication with passwords
• Unix passwords
• Windows LM hash and NTLM hash
• Password attacks
Reference: Chapter 4.5
Things to ensure:
• Understand how passwords are stored in computers

Week: 8 (Recess week: no class)
Session 1:
Session 2:
Reference:
Things to ensure:

Week: 9
Session 1:
• Strong authentication (Lamport, challenge response, time synchronization)
• NTLMv1 and NTLMv2
Session 2:
• Internet security (SSL, firewall, IDS)
Reference: Chapter 4.5, 7.3
Things to ensure:
• Understand why strong authentication is more secure than weak authentication
• Understand how passwords are verified in Windows
• Understand the fundamentals of SSL, firewall and IDS
• Project draft is due

Week: 10
Session 1:
• Access control models: DAC, MAC, RBAC
Session 2:
• Java SecurityManager
Reference: Chapter 4.1-4.4, 5.1-5.3
Things to ensure:
• Know how to use Java SecurityManager to enforce access control
• Assignment 2 covers weeks 9 and 10

Week: 11
Session 1:
• Lab exercise for password cracking
Session 2:
• Lab exercise for using firewall, IDS, and AC
Reference: Lab instruction manual
Things to ensure:
• Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall configuration, and intrusion detection
• Assignment 2 due and review

Week: 12 (project presentation: teams 1-8, part A)
Session 1:
Session 2:
Reference:
Things to ensure:

Week: 13 (project presentation and demo: teams 1-8, part B, teams 9,10, part A & B)
Session 1:
Session 2:
Reference:
Things to ensure:

Week: 14 (review week: no class)
Session 1:
Session 2:
Reference:
Things to ensure:
• Project report is due

Week: 15 (exam week: no class)
Session 1:
Session 2:
Reference:
Things to ensure:
• Final exam