Technical Specification of
 


    • Course Design Document IS302: Information Security and Trust Version 4.4 29 December 2009
    • SMU School of Information Systems (SIS)
    Course: Security and Trust

    Table of Content
    1 Versions History
    2 Overview of Security and Trust Course
    3 Output and Assessment Summary
      Midterm quiz (15%; problem solving)
      Class participation (10%)
      Project (25%) consists of part A (15%) and part B (10%)
      Final Exam (40%; close book) in week 15
    4 Group Allocation for Assignments
    5 Learning Outcomes, Achievement Methods, and Assessment
    6 Classroom Planning
    7 Course Schedule Summary
    8 List of Information Resources and References
    9 Tooling
    10 Weekly Plan

    1 Versions History

    | Version | Description of Changes | Author | Date |
    |---|---|---|---|
    | V 1.0 | | Yingjiu Li | 31-12-2004 |
    | V 2.0 | Based on discussions with Ravi Sandu and Ankit Fadia, revised the design documents for weeks 7 - 11; re-designed the project | Yingjiu Li | 03-12-2005 |
    | V 2.1 | Re-designed the lab session | Yingjiu Li | 26-12-2005 |
    | V 2.2 | Revised the pre-requisites of the course, learning outcomes, and tooling | Yingjiu Li | 07-08-2006 |
    | V 3.0 | Revised course content and schedule; strengthened hands-on exercise | Yingjiu Li | 28-12-2006 |
    | V 4.0 | Revised course content and schedule | Yingjiu Li | 03-12-2007 |
    | V 4.1 | Reformat the design document | Yingjiu Li | 15-02-2008 |
    | V 4.2 | Revised design | Yingjiu Li | 24-12-2008 |
    | V 4.3 | Revised learning outcomes | Yingjiu Li | 02-11-2009 |

    2 Overview of Security and Trust Course

    1.1 Synopsis
    The Security and Trust course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn essentials about security models, algorithms, protocols, and mechanisms in computer networks, programs, and database systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and the Java language.

    1.2 Prerequisites
    Students should understand the basics of computer networks, programming languages (Java, in particular), and information systems.

    1.3 Objectives
    Upon finishing the course, students are expected to:
    • Understand basic security concepts, models, algorithms and protocols.
    • Understand security requirements and constraints in some real world applications.
    • Be able to analyze the current security mechanisms.
    • Be aware of the current and future trends in security applications.

    1.4 Basic Modules
    • Background and Basic Concepts (1 week)
    • Applied Cryptography (4 weeks)
    • NW Security (3 weeks)
    • Access Control (1 week)
    • Quiz and project presentation (3 week)

    1.5 Instructional Staff
    • Professors: Yingjiu Li, Xuhua Ding
    • Instructional staff: Sharon Lim Yee Pin (sharonlim@smu.edu.sg)
    • Teaching assistant: Ailina Nagarawati for G3, G4, and G5

    3 Output and Assessment Summary

    | Week | Date | Output Assessments | Weighting in % | Group Weighting | Remarks |
    |---|---|---|---|---|---|
    | 1 | | | | 10 project groups | Overview |
    | 2 | | | | | Enc to DES |
    | 3 | | Assignment 1 | 5 | | Enc to AES |
    | 4 | | | | | RSA, DH |
    | 5 | | | | | Hash, MAC, Sig |
    | 6 | | | | | Cert, PKI |
    | 7 | | Quiz | 15 | | Password |
    | 8 | | | | | (Recess) |
    | 9 | | Review quiz | | | Password II and internet security |
    | 10 | | Assignment 2 | 5 | | AC |
    | 11 | | Lab | | | password cracking, FW, IDS |
    | 12 | | Project presentation | | | |
    | 13 | | Project Presentation and demo | 10 | | A variety of topics |
    | 14 | | Project report | 15 | | (Review) |
    | 15 | | Final exam | 40 | | |
    | Total | | | 90 | 100% | |

    Weighting chart: Project 25% (report 15%, presentation 10%); Final exam 40%; Assignments 10%; midterm quiz 15%; Class participation 10%

    Midterm quiz (15%; problem solving)
    • 1.5 hours (close-book)
    • Cover the first 6 weeks.

    Class participation (10%)
    • Evaluated by the lecturers based on students attending to classes and participating in classroom discussions

    Project (25%) consists of part A (15%) and part B (10%)
    • Teaming: 10 random teams per class.
    • References: internet, textbook

    Part A: Open-ended investigation into a security-related topic (each team chooses a different topic)
    • Students are given a list of security-related topics such as cell phone security, RFID system security, and EMR system security
    • Grading: 5% presentation + 10% project report (5% breadth, 5% depth)
    • Deliverables: Each team will write a project report on their findings and deliver an oral presentation. The report will be 10~15 pages long, in 11pt font, single-column and single-spaced. The oral presentation will take 20 minutes including Q&A.
    • Requirements: In both the report and the presentation, each team should:
      a) Describe the background of the related topic
      b) Evaluate major/certain security problem(s) in the field
      c) Present solutions to the problem(s)
      d) Analyze the possible impact/benefits of deploying the solutions in one or more business sectors, and provide a simple case study where appropriate

    Part B: prototype simulation and demo of a secure RFID system
    • Background: Company SEC decides to implement RFID technology to increase the efficiency and visibility of tracking its products. However, security is a major concern, since SEC does not want any of its competitors to be able to collect its RFID information (e.g., its inventory level, or where, when, and what products are processed) via the wireless communication channel from a distance. It therefore decides to implement a secure RFID communication protocol so that an adversary who does not know the tag secret keys cannot identify or track any tag.
    • Setting: There are 1000 RFID tags and one reader. Each tag is assigned a random key of 96 bits and is equipped with a pseudorandom number generator and a hash function (e.g., MD5 or SHA1). The reader maintains a database of the keys for all 1000 tags.
    • Protocol: The protocol is run between the reader and any tag. To authenticate or identify the tag, the reader first generates a random number C1 of at least 80 bits and sends it to the tag. Upon receiving C1, the tag generates another random number C2, computes R=Hash(K,C1,C2), and sends (C2, R) back to the reader, where K is the key of this tag. Upon receiving (C2, R), the reader searches its database for the key K that produces the same R as received from the tag. The reader outputs the serial number of this key K in its database as the tag's ID.
    • Requirements: The students are required to simulate the protocol in a program (e.g., Java, or OpenSSL). The input of the protocol is any tag (whose key is taken from the reader's database). The output should be the correct serial number of the tag's key in the reader's database, as well as the exact time spent by the reader in identifying the tag in the protocol. An additional (optional) requirement is to simulate the memory of an EPC tag while the protocol runs.
    • Deliverables: The students should demo their simulation of the protocol in 10 minutes in their presentations (in weeks 12 and 13). In addition, they need to write a report within 5 pages on their designs and attach their code. In the report, the students should analyze why this protocol is secure.
    • Grading: 10% based on both demo and report (4% correctness, 3% security, 3% efficiency and quality).

    The project outline/draft within 5 pages on both part A and part B (hardcopy) is due before or during the class in week 9. The presentations & demos will be delivered in weeks 12 and 13. The final report is due on Monday in week 14.

    Final Exam (40%; close book) in week 15
    • Cover all material taught in class, including the invited talk and lab
    • Multiple choice questions and short answer questions

    4 Group Allocation for Assignments
    Each class is partitioned into 10 groups. The students in each group are randomly selected.

    5 Learning Outcomes, Achievement Methods, and Assessment

    IS302 - Information Security and Trust

    1 Integration of business & technology in a sector context

    1.1 Business IT value linkage skills [YY]
    Course-specific core competencies which address the outcomes:
    • Identify the security properties of enterprise information systems
    • Analyze the security tradeoffs to be made in design of enterprise information systems
    • List basic design principles of protecting enterprise information systems
    • Identify major security technologies/components that are most effective for protecting enterprise information systems
    • Explain the future trend of security technologies that will generate significant impact to practice
    Faculty methods to assess outcomes:
    • Execute and grade in-class exercise
    • Grade assignments 1 and 2
    • Grade the project
    • Grade the mid term and final exams
    Ability to understand & analyze the linkages between:
    a) Business strategy and business value creation
    b) Business strategy and information strategy
    c) Information strategy and technology strategy [YY]
    d) Business strategy and business processes
    e) Business processes or information strategy or technology strategy and IT solutions

    1.2 Cost and benefits analysis skills [Y]
    Ability to understand and analyze:
    a) Costs and benefits analysis of the project [Y]

    1.3 Business software solution impact analysis skills
    Ability to understand and analyze:
    a) How business software applications impact the enterprise within a particular industry sector.

    2 IT architecture, design and development skills

    2.1 System requirements specification skills [Y]
    Course-specific core competencies which address the outcomes:
    • Identify and perform basic security functions with major security tools
    • Identify the security requirements for enterprise information systems
    • Design effective and efficient solutions to protect enterprise information systems
    Faculty methods to assess outcomes:
    • Grade assignments 1 and 2
    • Execute and grade in-class exercise with JCE and Openssl
    Ability to:
    a) Elicit and understand functional requirements from customer
    b) Identify non functional requirements (performance, availability, reliability, security, usability etc…) [Y]
    c) Analyze and document business processes [Y]

    2.2 Software and IT architecture analysis and design skills [Y]
    Course-specific core competencies which address the outcomes:
    • Analyze the vulnerability of network in a web application scenario and apply intrusion detection and firewall techniques to eliminate the vulnerability
    Faculty methods to assess outcomes:
    • Execute and grade lab exercise
    Ability to:
    a) Analyze functional and non-functional requirements to produce a system architecture that meets those requirements. [Y]
    b) Understand and apply process and methodology in building the application [Y]
    c) Create design models using known design principles (e.g. layering) and from various view points (logical, physical etc…) [Y]
    d) Explain and justify all the design choices and tradeoffs done during the application's development [Y]

    2.3 Implementation skills [Y]
    Course-specific core competencies which address the outcomes:
    • Use openssl and JCE to design and implement security techniques for network security and access control
    Faculty methods to assess outcomes:
    • Execute and grade in-class hands-on exercise
    Ability to:
    a) Realize coding from design and vice versa [Y]
    b) Learn / practice one programming language [Y]
    c) Integrate different applications (developed application, cots software, legacy application etc…)
    d) Use tools for testing, integration and deployment [Y]

    2.4 Technology application skills [Y]
    Course-specific core competencies which address the outcomes:
    • Understand and know to use major security building blocks including hash, encryption and decryption, signature, certificates, password authentication, firewall, intrusion detection, and access control
    Faculty methods to assess outcomes:
    • Execute and grade in-class exercise
    • Grade assignments 1 and 2
    • Execute and grade lab session
    Ability to:
    a) Understand, select and use appropriate technology building blocks when developing an enterprise solution (security, middleware, network, IDE, ERP, CRM, SCM etc…) [Y]

    3 Project management skills

    3.1 Scope management skills [Y]
    Ability to:
    a) Identify and manage trade-offs on scope/cost/quality/time [Y]
    b) Document and manage changing requirements

    3.2 Risks management skills [Y]
    Ability to:
    a) Identify, prioritize, mitigate and document project's risks [Y]
    b) Constantly monitor projects risks as part of project monitoring

    3.3 Project integration and time management skills
    Ability to:
    a) Establish WBS, time & effort estimates, resource allocation, scheduling etc…
    b) Practice in planning using methods and tools (Microsoft project, Gantt chart etc…)
    c) Develop / execute a project plan and maintain it

    3.4 Configuration management skills
    Ability to:
    a) Understand concepts of configuration mgt and change control

    3.5 Quality management skills
    Ability to:
    a) Understand the concepts of Quality Assurance and Quality control (Test plan, test cases …)

    4 Learning to learn skills

    4.1 Search skills [YY]
    Ability to:
    a) Search for information efficiently and effectively [YY]

    4.2 Skills for developing a methodology for learning [Y]
    Ability to:
    a) Develop learning heuristics in order to acquire new knowledge skills (focus on HOW to learn versus WHAT to learn). [Y]
    b) Abide by appropriate legal, professional and ethical practices for using and citing the intellectual property of others

    5 Collaboration (or team) skills:

    5.1 Skills to improve the effectiveness of group processes and work products [Y]
    Ability to develop:
    a) Leadership skills
    b) Communication skills
    c) Consensus and conflict resolution skills [Y]

    6 Change management skills for enterprise systems

    6.1 Skills to diagnose business changes [Y]
    Ability to:
    a) Understand the organizational problem or need for change (e.g. Analyze existing business processes or “as-is process”) [Y]

    6.2 Skills to implement and sustain business changes
    Ability to:
    a) implement the change (e.g. advertise / communicate the need for change etc..) and to sustain the change over time

    7 Skills for working across countries, cultures and borders

    7.1 Cross-national awareness skills
    Ability to:
    a) Develop cross-national understandings of culture, institutions (e.g. law), language etc…

    7.2 Business across countries facilitation skills
    Ability to:
    a) Communicate across countries
    b) Adapt negotiation and conflict resolution techniques to a multicultural environment

    8 Communication skills

    8.1 Presentation skills [Y]
    Ability to:
    a) Provide an effective and efficient presentation on a specified topic. [Y]

    8.2 Writing skills [Y]
    Ability to:
    a) Provide documentation understandable by users (Requirements specifications, risks management plan, assumptions, constraints, architecture choices, design choices etc…) [Y]

    Y: This sub-skill is covered partially by the course
    YY: This sub-skill is a main focus for this course

    6 Classroom Planning
    Teaching session: 3 hours
    • Review: 15 minutes
    • Solution techniques: 1 hour 15 minutes. Note: Learning
      • Security problems and techniques
      • Analysis
    • Hands-on exercises: 1 hour 15 minutes. Note: Hands-on
      • Settings and steps
      • Discussions
    • Summary: 15 minutes. Note: Learning effect

    7 Course Schedule Summary

    | Wk | Topic (problem) | Readings (textbook) | Classroom: techniques (1.5 hours) | Classroom: hands-on (1.5 hours) | After-class reading and exercise |
    |---|---|---|---|---|---|
    | 1 | Background | Chapter 1, 7.1 | Networking basics and security concepts | Form project teams (10 groups) | Group formation and topic selection |
    | 2 | Enc Basics | 2.1-2.4 | Enc basics | OpenSSL and JCE | |
    | 3 | DES-AES | 2.5-2.6, 10.2 | DES, AES | OpenSSL and JCE; Assignment 1 | Assignment 1 involves coding with JCE |
    | 4 | RSA-DH | 2.7-2.8, 10.3 | RSA enc, DH | Review of assignment 1, OpenSSL and JCE | |
    | 5 | Integrity | 2.8, 10.3 | Hash, MAC, RSA sig | Open SSL and JCE | |
    | 6 | Cert, PKI | 2.8, 7.6 | Cert, PKI, CRL | Open SSL, email security, windows cert mgt | |
    | 7 | Quiz, user authentication I | 4.5 | quiz | User auth | |
    | 8 | Recess | | | | |
    | 9 | User auth | 4.5, 7.3 | User authentication II and internet security | Review of quiz | Project draft due |
    | 10 | AC | 4.1-4.4, 5.1-5.3 | DAC, MAC, RBAC | Java SecurityManager; Assignment 2 | Assignment 2 |
    | 11 | Internet Sec | | Lab on pwd cracking | Lab on FW, IDS, and AC; Review of assignment 2 | SAS-SMU Enterprise Intelligence Lab |
    | 12 | Proj Pres I | | 5 groups | | |
    | 13 | Proj Pres II | | 5 groups | | |
    | 14 | Review | | Project report due | | Project report, Q&A |
    | 15 | Final exam | | | | |

    8 List of Information Resources and References
    Textbook: Security in Computing (4th edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall, 2007
    Other reading material and reference websites are available in the course slides

    9 Tooling

    | Tool | Description | Remarks |
    |---|---|---|
    | Open SSL, JCE, CrypTool | Security tools in Windows and Java | Hands-on exercises and demo |
    | PPA, IPtable, snort | Password cracking, firewall, and IDS | Lab exercises |

    10 Weekly Plan

    Week: 1
    Session 1:
    • Introduction to the course
    • Basic security concepts
    Session 2:
    • Networking basics
    • Project team formation
    Reference:
    • Chapter 1 and 7.1
    Things to ensure:
    • Course material is available for download from the course web site
    • Students must be assigned into groups for project

    Week: 2
    Session 1:
    • Ancient ciphers: Caesar, Vigenere, Zimmermann, columnar transposition
    • Security analysis of ancient ciphers
    Session 2:
    • Installation of JCE and Openssl
    • Test for JCE and Openssl
    Reference:
    • Chapter 2.1-2.4
    Things to ensure:
    • Students understand two basic encryption techniques: substitution and transposition
    • JCE and openssl are correctly installed for hands-on exercise in the following weeks

    Week: 3
    Session 1:
    • DES: history and details
    • AES: history and details
    Session 2:
    • Use both Openssl and JCE for DES and AES encryption and decryption
    Reference:
    • Chapter 2.5-2.6, 10.2
    Things to ensure:
    • Students know the security status of DES and AES
    • Students know how to use DES and AES in Openssl and JCE

    Week: 4
    Session 1:
    • Asymmetric encryption with RSA
    • DH key agreement
    Session 2:
    • Use Openssl and JCE for generating RSA keys and for RSA encryption
    Reference:
    • Chapter 2.7-2.8, 10.3
    Things to ensure:
    • Students understand the security of RSA encryption
    • Students know how to generate RSA keys and use RSA keys in Openssl and JCE
    • Assignment 1 due and review

    Week: 5
    Session 1:
    • Hash functions (MD5 and SHA1)
    • MAC (HMAC and DES-MAC)
    • RSA signature
    • Compare MAC with RSA signature for message integrity check
    Session 2:
    • Use JCE for message integrity check with HMAC and RSA signature
    Reference:
    • Chapter 2.8, 10.3
    Things to ensure:
    • Students understand the security status of hash functions
    • Students understand the differences between MAC and RSA signature
    • Students know how to use JCE for integrity check with MAC and RSA signature

    Week: 6
    Session 1:
    • Impersonation problem and the need of using certificates
    • X.509 certificate format
    • CRL
    Session 2:
    • Email security (S/MIME and PGP)
    • Signed and/or encrypted email with COMODO certificates in Outlook
    Reference:
    • Chapter 2.8, 7.6
    Things to ensure:
    • Understand why and how to use certificates and CRLs
    • Know how to use Outlook to send signed and/or encrypted emails

    Week: 7
    Session 1:
    • quiz
    Session 2:
    • Weak authentication with passwords
    • Unix passwords
    • Windows LM hash and NTLM hash
    • Password attacks
    Reference:
    • Chapter 4.5
    Things to ensure:
    • Understand how passwords are stored in computers

    Week: 8 (Recess week: no class)

    Week: 9
    Session 1:
    • Strong authentication (Lamport, challenge response, time synchronization)
    • NTLMv1 and NTLMv2
    Session 2:
    • Internet security (SSL, firewall, IDS)
    Reference:
    • Chapter 4.5, 7.3
    Things to ensure:
    • Understand why strong authentication is more secure than weak authentication
    • Understand how passwords are verified in Windows
    • Understand the fundamentals of SSL, firewall and IDS
    • Project draft is due

    Week: 10
    Session 1:
    • Access control models: DAC, MAC, RBAC
    Session 2:
    • Java SecurityManager
    Reference:
    • Chapter 4.1-4.4, 5.1-5.3
    Things to ensure:
    • Know how to use Java SecurityManager to enforce access control
    • Assignment 2 covers weeks 9 and 10

    Week: 11
    Session 1:
    • Lab exercise for password cracking
    Session 2:
    • Lab exercise for using firewall, IDS, and AC
    Reference:
    • Lab instruction manual
    Things to ensure:
    • Know how to use SAS-SMU Enterprise Intelligence Lab for password cracking, firewall configuration, and intrusion detection
    • Assignment 2 due and review

    Week: 12 (project presentation: teams 1-8, part A)

    Week: 13 (project presentation and demo: teams 1-8, part B, teams 9,10, part A & B)

    Week: 14 (review week: no class)
    Things to ensure:
    • Project report is due

    Week: 15 (exam week: no class)
    Things to ensure:
    • Final exam
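
The reader-tag identification protocol set out in Part B of the project (reader sends C1, tag answers (C2, R) with R=Hash(K,C1,C2), reader searches its key database), as an added example that is not part of the course document or of any student submission. It also replays a recorded response against a fresh challenge to show why the reader's C1 matters. Python, SHA-1 as the default hash, zero-based database indices as serial numbers, and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

KEY_BYTES = 12    # 96-bit tag key, as in the project setting
NONCE_BYTES = 10  # 80-bit challenge, the minimum the protocol asks for
NUM_TAGS = 1000


def response(key, c1, c2, hash_name="sha1"):
    """R = Hash(K, C1, C2). All fields are fixed-length, so plain
    concatenation is unambiguous. The page suggests MD5 or SHA1."""
    return hashlib.new(hash_name, key + c1 + c2).digest()


class Tag:
    def __init__(self, key):
        self._key = key

    def respond(self, c1):
        # A fresh C2 per session makes every (C2, R) pair look unrelated
        # to an observer who does not hold K.
        c2 = secrets.token_bytes(NONCE_BYTES)
        return c2, response(self._key, c1, c2)


class Reader:
    def __init__(self, keys):
        self._keys = list(keys)  # serial number = list index (assumption)

    def challenge(self):
        return secrets.token_bytes(NONCE_BYTES)

    def identify(self, c1, c2, r):
        """Linear search over all keys; returns (serial or None, seconds)."""
        start = time.perf_counter()
        serial = None
        for i, key in enumerate(self._keys):
            if hmac.compare_digest(response(key, c1, c2), r):
                serial = i
                break
        return serial, time.perf_counter() - start


def run_protocol(reader, tag):
    c1 = reader.challenge()    # reader -> tag: C1
    c2, r = tag.respond(c1)    # tag -> reader: (C2, R)
    return reader.identify(c1, c2, r)


def replay_accepted(reader, tag):
    """Record one session, then replay (C2, R) against a new challenge."""
    c2, r = tag.respond(reader.challenge())
    serial, _ = reader.identify(reader.challenge(), c2, r)
    return serial is not None


def make_database(n=NUM_TAGS):
    return [secrets.token_bytes(KEY_BYTES) for _ in range(n)]


if __name__ == "__main__":
    db = make_database()
    reader = Reader(db)
    serial, secs = run_protocol(reader, Tag(db[742]))
    print(f"identified serial {serial} in {secs * 1e3:.3f} ms")
    print("replay accepted:", replay_accepted(reader, Tag(db[742])))
```

The reader's cost is one hash per key tried, so identification time grows linearly with the database size and is largest for the last serial number.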