The University of Western Ontario
London, Canada

Department of Computer Science

CS 413 / 634 -- Cryptography and Security

Executive Summary -- Fall 2007

• Email: webber@csd.uwo.ca (include course number 413 in subject line to get past spam filter)
• Course Description: This is an introductory survey course that addresses the current state of the security of computer systems (and particularly the problems associated with networked computers). Within the context of computer security, particular focus is given to cryptography, both to better understand how it works and to also understand the limitations of its usage. Around this core material, students will develop projects/papers where they investigate, in depth, a particular aspect of computer security that they are most interested in.
• Required textbooks: Readings for CS413, edited by Robert E. Webber, Fall 2007 (available in University Bookstore)
• Course Website http://www.csd.uwo.ca/courses/CS413a/index.html and/or http://www.csd.uwo.ca/courses/CS413b/index.html
• Lecture Topics privacy, technical security issues, formal security issues, informal security issues, risk and threat analysis, attack trees, access control matrix, Bell-LaPudula model, Biba's model, covert channel, inference control, CAPTCHA, firewalls, intrusion detection, human factor issues, user security awareness, password security, software security errors, security code review, data lifetime, trust, incident handling, the Internet Worm, ssh, substitution ciphers, Vigenere cipher, Kasiski Attack, index of coincidence, entropy of English, Zipf's Law, Enigma cipher, diffusion, confusion, Shannon's five criteria, known plaintext attack, stream cipher systems, testing randomness, linear feedback shift registers, RC4, public key cryptosystems (RSA), block ciphers, Feistel cipher, DES, AES, designing encryption algorthms
• Class Schedule: Tuesday 12:30 - 2:30 pm [MC 320], Friday 12:30 - 1:30 pm [MC 320])
• Marking:
  • There will be one open book, open notes, (no electronics) in-class exam counting 20% of the mark.
  • There will be 4 homeworks during the semester, each counting 5% for a total of 20% of the computed mark. Most of the homeworks will involve cryptanalysis of a sample piece of encoded text (illustrating weaknesses in various cryptographic schemes).
  • There will be an individual project counting 60% of the course mark. In this context, a project could be primarily based on reading relevant portions of the security literatures or could involve programming. The ideas surrounding the development of a project will be discussed in class and supplementary material appears in the course readings. The project mark will be broken down into the following parts:
    • 7% -- proposal
    • 3% -- an in-class 10 minute presentation of the proposal
    • 10% -- first step: An introduction to your topic and summary/discussion in one of your major references on the topic (size roughly 1/5th of the ultimate paper).
    • 5% -- an in-class 10 minute presentation of the contents of the first step.
    • 30% -- final report (3000 -- 4000 words)
    • 5% -- an in-class 20 minute presentation of the contents of the final report.
• DATES OF IMPORTANCE:
  • [W01, Th] 6 Sept 2007: First day of classes
  • [W01, F] 7 Sept 2007: First meeting of class
  • [W02, Tu] 11 Sept 2007
  • [W02, F] 14 Sept 2007: Last day to add class
  • [W03, Tu] 18 Sept 2007: Homework 1 due
  • [W04, Tu] 25 Sept 2007: project proposal due
  • [W05, Tu] 2 Oct 2007: final presentations will be scheduled by drawing lots.
  • [W05, Tu] 2 Oct 2007: Homework 2 due
  • [W06, M] 8 Oct 2007: Giving thanks that we get this Monday off (won't be counted in any late penalty calculations)
  • [W06, Tu] 9 Oct 2007:
  • [W07, Tu] 16 Oct 2007: project step one due
  • [W08, Tu] 23 Oct 2007: Homework 3 due
  • [W09, Tu] 30 Oct 2007
  • [W10, Tu] 6 Nov 2007: In class exam.
  • [W11, Tu] 13 Nov 2007: Homework 4 due
  • [W12, Tu] 20 Nov 2007
  • [W13, Tu] 27 Nov 2007: Final writeup due.
  • [W14, Tu] 4 Dec 2007
  • [W14, W] 5 Dec 2007: Last day of classes
  • NOTE: No final exam in this course.
• READINGS:
  • SECURITY RELATED:
    • The Privacy Payoff: How Successful Businesses Build Customer Trust, Ann Cavoukian and Tyler J. Hamilton, 2002, pages 37 -- 55.
    • Principles of Information Systems Security: Text and Cases, Gurpreet Dhillon, 2007, pages 1 -- 11. Information Security: Principles and Practice, Mark Stamp, 2006, pages 177 -- 205.
    • Secrets & Lies, Bruce Schneier, 2000, pages: 255 -- 269.
    • The cost of convenience: a faustian deal , M. A. Caloyannides, IEEE Security & Privacy Magazine, 2004 pages 84 -- 87.
    • Phishing for user security awareness, Ronald Dodge, Curtisa Carver, and Aaron Ferguson, Computers & Security, 2007, pages 73 -- 80.
    • Pretty good persuasion: a first step towards effective password security in the real world, Dirk Weirich and Martina Angela Sasse, Proceedings of the 2001 workshop on New security paradigms, 137 -- 143.
    • Seven pernicious kingdoms: a taxonomy of software security errors, K. Tsipenyuk, B. Chess, and G. McGraw, IEEE Security and Privacy Magazine, pages 81 -- 84.
    • A process for performing security code reviews, M. A. Howard, IEEE Security & Privacy Magazine, 2006, pages 74 -- 79.
    • Data lifetime is a systems problem, Tal Garfinkel, Ben Pfaff, Jim Chow, and Mendel Rosenblum, Proceedings of the 11th workshop on ACM SIGOPS European workshop: beyond the PC, 2004.
    • Reflections on trusting trust, Ken Thompson, Communications of the ACM, 1984, Pages: 761 - 763.
    • Reflections on trusting trust revisited, Diomidis Spinellis, Communications of the ACM, 2003, page 112.
    • Computer security in the real world, B. W. Lampson, Computer, 2004, pages: 37 -- 46.
    • The base-rate fallacy and its implications for the difficulty of intrusion detection, Stefan Axelsson, Proceedings of the 6th ACM conference on Computer and communications security, 1999, pages: 1 -- 7
    • Incident handling: an orderly response to unexpected events, Richard L. Rollason-Reese, Proceedings of the 31st annual ACM SIGUCCS conference on User services, 2003, pages: 97 -- 102
    • Crisis and aftermath, E. H. Spafford, Communications of the ACM, 1989, pages 678 -- 687.
    • Why cryptosystems fail, Ross Anderson, Proceedings of the 1st ACM conference on Computer and communications security, 1993, pages 215 -- 227.
    • Using ssh: Do security risks outweigh the benefits?, Gene Schultz, Network Security, 2004, pages 7 -- 10.
  • CRYPTOGRAPHY and CRYPTANALYSIS:
    • Cryptanalysis: A Study of Ciphers and Their Solution, Helen Fouche Gaines, 1939, pages 69 -- 87.
    • Making, Breaking Codes: An Introduction to Cryptology, Paul Garrett, 2001, pages 58 - 87.
    • Codes and Cryptography, Dominic Welsh, 1988, pages 92 -- 104.
    • Data Privacy and Security, David Salomon, 2003, pages 107 -- 129.
    • Cipher Systems: The Protection of Communications, Henry Beker and Fred Piper, 1982, pages 159 -- 174.
    • Classical and Contemporary Cryptology, Richard J. Spillman, 2005, pages 104 -- 121.
    • A method for obtaining digital signatures and public-key cryptosystems, R. L. Rivest, A. Shamir, and L. Adleman, Communications of the ACM, 1978, Pages: 120 - 126.
    • Cryptography and Network Security: Principles and Practices (4th Edition), William Stallings, 2006, pages 62 -- 90.
    • Selecting the Advanced Encryption Standard, W. E. Burr, IEEE Security & Privacy Magazine, 2003, pages: 43 -- 52.
    • The Rijndael block cipher (AES proposal) : a comparison with DES, Sanchez-Avila, C. and Sanchez-Reillol, R., 2001 IEEE 35th International Carnahan Conference on Security Technology, pages: 229 -- 234.
    • An introduction to block cipher cryptanalysis, C. de Canniere, A. Biryukov, and B. Preneel, Proceedings of the IEEE, 2006, pages: 346 - 356.
    • Designing encryption algorithms for real people, Bruce Schneier, Proceedings of the 1994 workshop on New security paradigms, pages: 98 -- 101.
  • INFRASTRUCTURE:
    • Writing Research Papers: A Guide to the Process (Second Edition), Stephen Weidenborner and Domenick Caruso, 1986, pages 1 -- 24
    • The Essence of Computing Projects: A Student's Guide, Christian W. Dawson, 2000, pages 21--36.
    • Technical Communication: Second Canadian Edition, John M. Lannon and Don Klepp, 2003, pages 126 -- 147.
    • Writing for Computer Science (second edition), Justin Zobel, 2004, pages 225 -- 248.