CS558 : Computer Networks Security
CS558 : Computer Networks Security
Boston University, Computer Science
Instructor: Sharon Goldberg
Dates: Spring 2012
Office Hours: TBA
Note: Professor Sharon Goldberg, a recent addition to our faculty, is scheduled to teach the CS 558 class for the first time in the spring semester of 2012. This syllabus is modeled after the seminar in Network Security which she taught in 2011. The course she plans to teach next spring is similar in scope and content.
- Very soon, there will be a class mailing list. Registered students will be added automatically. If you are auditing the course, please send me an email with your info, and I’ll add you to the mailing list.
- The class calendar is here.
The seminar course will cover various aspects of network security, with a focus on designing secure protocols. In addition to discussing fundamental principles of security, we will look at recent research proposals and Internet standards and either develop rigorous arguments for their security, or come up with attacks that prove their insecurity. In this class you’ll get a taste for:
- The security issues at various network layers of the Internet, and the protocols proposed and deployed to deal with these security issues.
- Techniques for rigorously arguing about the security of protocols (e.g., game-based security definitions( from cryptography), mechanism design (from game theory))
- The primitives used in network security (e.g., encryption, authentication, hash functions, access control lists, etc.)
Prerequisites: CS330 and CS350 or permission of the instructor. CS455 is helpful but not required.
Other security courses at BU: If you’re interested in security, I encourage you to consider taking Leo Reyzin’s cryptography class this fall – CS538. This seminar uses cryptographic security definitions to build network protocols. CS538 goes down one level, and looks at designing the crypto primitives that fulfill the security definitions, and the reasons behind the security definitions. Even if you are not interested in becoming a cryptographer, CS538 give you more tools that you can use to develop formal security arguments. In the spring, Ari Trachtenberg and David Starobinski of ECE will be offering a systems security course. More details on their course soon.
As this is a seminar, the main point is for you to just learn the material, and get a taste for the main concepts and techniques of network security and research in this field. Thus, I’d like to you read the assigned papers before class – these will be listed in the course calendar on the website – and be ready to participate in class discussions. At the end of the class, each student will be expected to prepare a poster of a topic of their choice. The poster should present a rigorous security analysis of a recent research paper(s) in network security. (You are also welcome, but not required, to present original research in your poster.) The remainder of your grade will be based on written critical reviews of research papers, and/or a quiz that will test your knowledge of security primitives. The grading scheme is as follows, subject to change:
|Homeworks / Quiz||30 %|
For the poster, you can either (a) analyze a research paper related to network security, (b) analyze an internet standard, OR (c) analyze a software implementation of a cryptographic primitive.
- You should pick a topic early in the semester, and let me know if you will be doing (a), (b) or (c) (or presenting original research). Please send me an email with “CS558 Poster Topic” in the subject with this info. If you need help finding a topic, come talk to me during office hours.
- Posters will be presented during a 3 hour session (open to the whole department) in the last 3 weeks of class, exact time and place TBD.
There is no textbook required for this class. The following two textbooks are useful, though optional:
- White-Hat Security Arsenal, by Aviel D. Rubin. (A great, educational read.)
- Network Security Essentials, Fouth Edition by William Stallings. (A great reference.)
The Boston area is a great place to do security research. In addition to security colloquia here at BU, here are a couple of local seminars that you should consider going to:
- http://nms.csail.mit.edu/sys-security/ The systems security seminar at MIT. This is a very friendly student-run discussion group, that welcomes everyone interested in systems and network security issues.
- MIT/MSR crypto seminar. This is a very prestigious crypto seminars, that attracts its audience from the very strong crypto community in Boston, including MIT, Harvard, BU, Lincoln Labs, Brown, RSA Labs, etc.
Topics: (This is a preliminary list. More topics will be added as the semester proceeds.)
|Weeks 1-2||SSL / TLS||End-to-end secure channels at the application layer.We’ll focus on the basics of security – the difference between encryption and authentication, and the order in which they should be performed. We’ll work through the Krawcyzk paper together in class, so there is no need to read this paper ahead of time. A good summary of the results of Krawcyzk’s paper also appear in Boaz Barak’s crypto lecture notes (reading these is optional).
In this set of classes, we’ll learn about the cryptographic definitions for symmetric CPA-secure encryption, symmetric CCA-secure encryption, and secure MACs (Message Authentication Codes).
Message authentication codes (MACs).
|Weeks 3 – 4||Kerberos||Secure password-based login at the application layer, using symmetric encryption.
Please read all the handouts before class, and think about the flaws in Kerberos V4. Copies of the readings are available in the CS department office. If you can’t physically pick them up, email me and I’ll get them to you.
To prepare, read the handouts, that can be picked up in the CS department office. Please write down the “threat model” considered in Kerberos: namely, who is the attacker, where in the system is he located, what are his “powers” ( ie. What can he learn? What can he do to the Kerberos messages?), and finally, what is considered a “break” of the system?
Optional: Backes, Cervesato, Jaggard, Scedrov, and Tsay present a formal security analysis of Kerberos. We won’t cover this in class, it’s optional reading.
|MIT’s intuitative discussion of how Kerberos works
Section 4.2 in Stallings
Section 8.3.1 in Rubin
|Week 5||Secure multicast||Securing multicast content from webservers at the application layer.Using HTTPS (HTTP over SSL/TLS) vs, “How to Sign Digital Streams?”, and how they deal with web proxies.
Homework: Here’s a sample threat model homework. Notice how the threat model focuses on the parties that participate in the protocol, and not use any protocol specific details. Also, I’m looking for crisp statements of the problem. As reader, long discussions are confusing and often obfuscate meaning; have sympathy for your readers, and make things short and clear!
Collision resistant hash functions
|Week 6||PKI and Key Exchange||Using public keys infrastructure to set up symmetric session keys.Readings
Homework: Read through Section 2 of Krawcyzk, and write down the threat model he considered. I challenge you the parse all this technical detail, and write down a *very short* and simple summary of exactly two threats that Krawcyzk is thinking about (there are more than that in there).
|Public Key Infrastructure (PKI).
Diffie-Helman Key exchange
|Section 7, 8.4, 8.6 in Rubin|
|Week 7||Side Channels||What happens when the attacker attacks you outside the security model? The Cold Boot attack. Please watch the video and read the paper before class. (This is not exactly network security, it’s too fascinating to resist.)
Abstract The “cold boot” attack is a side-channel attack that allows an attacker to extract encryption keys from data that is still left in a computer’s RAM after the power has been cut. I will discuss how the attack works, some realistic models for errors that might occur during the attack, and some techniques for efficiently correcting such errors in cryptographic keys.
|Week 8||BGP Security.||We’ll talk about the security of BGP, the routing protocol that runs the global Internet’s routing system. I’m assigning two papers to be read, the BGPsurvey, and my recent SIGCOMM’10 paper. Homework: Read the BGP survey, and focus especially on the following security technologies:
Again, the survey is very long, so you don’t need to read every detail (unless you want to), but focus specifically on these protocols. Each of these protocols was designed for a different threat model. In your writeup, give a short description of the threat model each of these protocols was designed for (so I want to see 3 different sections to your writeup). It might also help to have a look at the SIGCOMM’10 paper, as there is some information about this in there.
|Digital signatures.Access control lists.||BGP security survey|
|Week 9||Data privacy||In this set of classes we’ll talk about privacy issues relating to network data. We’ll learn about the definition of differential privacy, and then have a guest lecture by one of the inventors of differential privacy, Frank McSherry, about an API from querying datasets in a differentially private way.
|–||Attack on Netflix dataAttack on social graph data|
|Week 10||Onion Routing.||This set of classes will cover anonymous routing using ToR (The Onion Router).
Homework: The readings give a fairly detailed view of the threat model and design decisions used by ToR. In your writeup “CS558 ToR Writeup” answer the following questions. I challenge you to answer them as clearly and simply as possible, despite the high level of detail in all of the readings.
|Encryption.||ToR – The 2nd generation onion router|
|Week 11||Privacy-preserving peer-to-peer||Next, we move on to the related topic of `privacy preserving’ peer-to-peer networks. Please read the OneSwarm paper from SIGCOMM 2011. No writeup is required this time, but please make sure to read the paper carefully; in class we will be breaking up into small groups and trying to develop a security definition for each of the papers. The discussion will center around the different security definition developed by each group.
Option reading: Also, see some references on DHTs.
|Encryption||OneSwarm SIGCOMM paper|
|Week 12||Social Networks and Transistive Trust||Readings: We’ll continue our discussion of social networks and transistive trust, with three papers.
Homework: For each paper, write down the threat model, as we usually do. Also, answer the following question: is there a transitive trust assumption here, and if so, what kind? (i.e. is it “binary” – If (A trust B) and (B trust C) then (A trust C), or does it “degrade” If (A trusts B with value x) and (B trusts C with value y) then (A trust C with value z) where z < x,y ?)
|Week 13||DNS Security||We focus on DNS security, and in particular the 2008 Kaminsky vulnerability and the DNSsec protocol. The readings are:
Homework: Answer the following questions:
Some extra links (from Jef):