The main objective of the course is to introduce the principal methodologies and technologies for the security of distributed networks and systems. The course thus covers the basic theoretical and applied notions for the practical development and the formal analysis of networks and systems for information security.
In particular, after a brief discussion of the fundamentals of cryptography, which provides the basic components for the creation of secure distributed systems, the course discusses various fundamental aspects of information security, including: the definition of security objectives and the corresponding threats and attacks, the security of computer networks and Internet security protocols, web security, public key infrastructures, access control and information flow, security models, privacy and data protection.
1. Introduction and basic notions of information security.
Objective: introduction to information security and basic notions of public and symmetric key cryptography.
- Development and management of public key infrastructures for network and system security.
- Key certification and trust management.
- Security properties of communication channels.
- Case studies: X.509, PGP, Kerberos.
2. Protocols for network security.
Objective: network-oriented security, that is, the use of secure components for the security of applications in open networks.
- Development and use of Internet security protocols.
- Case study 1: from Needham-Schroeder Shared-Key to Kerberos.
- Case study 2: from Diffie-Hellman Key-Exchange to IKE (Internet Key Exchange) and IPSec (IP Security).
- Protocol threat models and attacks.
- Formal methods for security protocol analysis.
3. Access control and system security.
Objective: system-oriented security, that is, policies, models, and mechanisms for distributed system security.
- Access control models (DAC and MAC).
- Formalisms for system modeling:
-- Access Control Matrix Model.
-- Bell-LaPadula, Harrison-Ruzzo-Ullman, Chinese Wall, Biba, Clark-Wilson.
-- Role-Based Access Control.
- Fundamentals of information flow.
- System mechanisms: operating systems and file-systems, basic notions of hardware security.
4. Privacy and data protection.
Objective: anonymity systems, confidentiality, and data protection.
- Privacy: policies, mechanisms, problems.
- Anonymity: basic mechanisms (pseudonyms and proxies) and case studies (Mix Networks and Crowds).
- Data protection.
5. Web security.
Objective: characteristics, problems, and solutions of systems for the security of the World Wide Web.
- Characteristics of web application security.
- Basic threats and vulnerabilities (SQL injection, input validation, authentication).
- Web Services security.
The examination consists of a written test, including questions about the theoretical notions considered in the course as well as small exercises on practical notions.
The written test must be taken without the help of notes, books, or other documentation. The teacher may decide to replace the written test with an oral examination, especially whenever it is not possible to make sure that the students cannot access this documentation.