CS558 : Computer Networks Security

Boston University, Computer Science


Instructor: Sharon Goldberg
Dates: Spring 2012
Location: TBA
Office Hours: TBA

Note: Professor Sharon Goldberg, a recent addition to our faculty, is scheduled to teach the CS 558 class for the first time in the spring semester of 2012. This syllabus is modeled after the seminar in Network Security which she taught in 2011. The course she plans to teach next spring is similar in scope and content.


News:

  • Very soon, there will be a class mailing list. Registered students will be added automatically. If you are auditing the course, please send me an email with your info, and I’ll add you to the mailing list.
  • The class calendar is here.

Course Summary:

The seminar course will cover various aspects of network security, with a focus on designing secure protocols. In addition to discussing fundamental principles of security, we will look at recent research proposals and Internet standards and either develop rigorous arguments for their security, or come up with attacks that prove their insecurity. In this class you’ll get a taste for:

  1. The security issues at various network layers of the Internet, and the protocols proposed and deployed to deal with these security issues.
  2. Techniques for rigorously arguing about the security of protocols (e.g., game-based security definitions (from cryptography), mechanism design (from game theory)).
  3. The primitives used in network security (e.g., encryption, authentication, hash functions, access control lists, etc.)

Prerequisites: CS330 and CS350 or permission of the instructor. CS455 is helpful but not required.

Other security courses at BU: If you’re interested in security, I encourage you to consider taking Leo Reyzin’s cryptography class this fall – CS538. This seminar uses cryptographic security definitions to build network protocols. CS538 goes down one level, and looks at designing the crypto primitives that fulfill the security definitions, and the reasons behind the security definitions. Even if you are not interested in becoming a cryptographer, CS538 gives you more tools that you can use to develop formal security arguments. In the spring, Ari Trachtenberg and David Starobinski of ECE will be offering a systems security course. More details on their course soon.


Requirements:

As this is a seminar, the main point is for you to just learn the material, and get a taste for the main concepts and techniques of network security and research in this field. Thus, I’d like you to read the assigned papers before class – these will be listed in the course calendar on the website – and be ready to participate in class discussions. At the end of the class, each student will be expected to prepare a poster on a topic of their choice. The poster should present a rigorous security analysis of a recent research paper(s) in network security. (You are also welcome, but not required, to present original research in your poster.) The remainder of your grade will be based on written critical reviews of research papers, and/or a quiz that will test your knowledge of security primitives. The grading scheme is as follows, subject to change:

Participation 30 %
Homeworks / Quiz 30 %
Poster 40 %

Poster

For the poster, you can either (a) analyze a research paper related to network security, (b) analyze an internet standard, OR (c) analyze a software implementation of a cryptographic primitive.

  • You should pick a topic early in the semester, and let me know if you will be doing (a), (b) or (c) (or presenting original research). Please send me an email with “CS558 Poster Topic” in the subject with this info. If you need help finding a topic, come talk to me during office hours.
  • Posters will be presented during a 3 hour session (open to the whole department) in the last 3 weeks of class, exact time and place TBD.

Textbooks:

There is no textbook required for this class. The following two textbooks are useful, though optional:

  • White-Hat Security Arsenal, by Aviel D. Rubin. (A great, educational read.)
  • Network Security Essentials, Fourth Edition, by William Stallings. (A great reference.)

Local Seminars:

The Boston area is a great place to do security research. In addition to security colloquia here at BU, here are a couple of local seminars that you should consider going to:

  • http://nms.csail.mit.edu/sys-security/ The systems security seminar at MIT. This is a very friendly student-run discussion group, that welcomes everyone interested in systems and network security issues.
  • MIT/MSR crypto seminar. This is a very prestigious crypto seminar that attracts its audience from the very strong crypto community in Boston, including MIT, Harvard, BU, Lincoln Labs, Brown, RSA Labs, etc.

Topics: (This is a preliminary list. More topics will be added as the semester proceeds.)

Week Topic Notes Primitive Readings
Weeks 1-2: SSL / TLS

End-to-end secure channels at the application layer. We’ll focus on the basics of security – the difference between encryption and authentication, and the order in which they should be performed. We’ll work through the Krawczyk paper together in class, so there is no need to read this paper ahead of time. A good summary of the results of Krawczyk’s paper also appears in Boaz Barak’s crypto lecture notes (reading these is optional).

In this set of classes, we’ll learn about the cryptographic definitions for symmetric CPA-secure encryption, symmetric CCA-secure encryption, and secure MACs (Message Authentication Codes).

Readings:

  • Have a look at the April 2008 article from the Journal of Craptology, and think about why the “theorems” and “proof sketches” in Section 3 are funny.
  • Please read Section 4 of Krawczyk’s paper, and especially the counterexample in Section 4.2. (To properly understand Section 4, it’s worthwhile to go through the earlier sections of the paper.)
  • To get some practice reading Internet standards, have a look at the latest TLS standard (RFC5246). Homework is to figure out which part of the protocol handles symmetric encryption and authentication, and the order in which they are performed in current versions of TLS.
  • We will work through the proof that (CPA-secure) Encrypt-then-Authenticate gives a CCA-secure encryption. We will follow the notes in Section 2 of Trevisan’s class notes.

Primitives: Symmetric encryption. Message authentication codes (MACs).

Reading list:

  • Craptology’08
  • Krawczyk’01
  • Barak’s lecture notes
  • rfc5246
  • Trevisan’s lecture notes

Weeks 3 – 4: Kerberos

Secure password-based login at the application layer, using symmetric encryption.

Please read all the handouts before class, and think about the flaws in Kerberos V4. Copies of the readings are available in the CS department office. If you can’t physically pick them up, email me and I’ll get them to you.

To prepare, read the handouts, which can be picked up in the CS department office. Please write down the “threat model” considered in Kerberos: namely, who is the attacker, where in the system is he located, what are his “powers” (i.e., what can he learn? What can he do to the Kerberos messages?), and finally, what is considered a “break” of the system?

Optional: Backes, Cervesato, Jaggard, Scedrov, and Tsay present a formal security analysis of Kerberos. We won’t cover this in class; it’s optional reading.

Primitives: Passwords. Symmetric encryption.

Reading list:

  • MIT’s intuitive discussion of how Kerberos works
  • Wiki!
  • Section 4.2 in Stallings
  • Section 8.3.1 in Rubin
  • Backes et al.’06

Week 5: Secure multicast

Securing multicast content from webservers at the application layer. Using HTTPS (HTTP over SSL/TLS) vs. “How to Sign Digital Streams?”, and how they deal with web proxies.

Readings:

  • Start by reading and understanding the SSL-splitting paper. Write down a trust/threat model for the paper, the way we’ve been discussing in class, and email it to me before class.
  • Next, read the Gennaro-Rohatgi paper, from the start until the OFFLINE protocol in Section 3. Understand how the OFFLINE protocol works, and think about how the OFFLINE protocol might be solving a similar problem to the one discussed in the SSL-splitting paper. You should also try looking through the security proof of the offline protocol in Section 5; we will work through this together in class.

Homework: Here’s a sample threat model homework. Notice how the threat model focuses on the parties that participate in the protocol, and does not use any protocol-specific details. Also, I’m looking for crisp statements of the problem. For a reader, long discussions are confusing and often obfuscate meaning; have sympathy for your readers, and make things short and clear!

Primitives: Public-key signatures. Collision resistant hash functions.

Reading list:

  • GenRot’97
  • SSL splitting

Week 6: PKI and Key Exchange

Using public key infrastructure to set up symmetric session keys.

Readings:

  • Section 7 of Rubin, for an overview of key distribution (I sent via the class email list).
  • Section 8.4 and 8.6 of Rubin. Spend some time thinking about the Diffie-Hellman key exchange protocol. This is what we’ll focus on in class.
  • Finally, we’ll be looking at (another) paper of Krawczyk’s, this time on the key agreement protocols used in IPSec. This is another difficult paper, but please try to read up to page 14 (of course, if you want to read more, even better). This paper gives a nice view of a cryptographer’s formalization of the very hairy problem of key agreement. I especially want you to focus on Section 2.1, which articulates Krawczyk’s security requirements for the system.
  • Optional reading, for those who are interested in engineering issues related to the design of public key infrastructures, is the survey of Radia Perlman. While initially these issues may not seem super exciting, they are one of the reasons we’ve had so much trouble deploying protocols like DNSsec and Secure BGP in the Internet.

Homework: Read through Section 2 of Krawczyk, and write down the threat model he considered. I challenge you to parse all this technical detail, and write down a *very short* and simple summary of exactly two threats that Krawczyk is thinking about (there are more than that in there).

Primitives: Public Key Infrastructure (PKI). Diffie-Hellman key exchange.

Reading list:

  • Section 7, 8.4, 8.6 in Rubin
  • Krawczyk ’03
  • Perlman ’99

Week 7: Side Channels

What happens when the attacker attacks you outside the security model? The Cold Boot attack. Please watch the video and read the paper before class. (This is not exactly network security, but it’s too fascinating to resist.)

Abstract: The “cold boot” attack is a side-channel attack that allows an attacker to extract encryption keys from data that is still left in a computer’s RAM after the power has been cut. I will discuss how the attack works, some realistic models for errors that might occur during the attack, and some techniques for efficiently correcting such errors in cryptographic keys.

Primitives: Encryption.

Reading list:

  • YouTube
  • ColdBoot research paper

Week 8: BGP Security

We’ll talk about the security of BGP, the routing protocol that runs the global Internet’s routing system. I’m assigning two papers to be read: the BGP survey and my recent SIGCOMM’10 paper.

Homework: Read the BGP survey, and focus especially on the following security technologies:

  1. Origin Authentication
  2. Secure Origin BGP
  3. Secure BGP

Again, the survey is very long, so you don’t need to read every detail (unless you want to), but focus specifically on these protocols. Each of these protocols was designed for a different threat model. In your writeup, give a short description of the threat model each of these protocols was designed for (so I want to see 3 different sections to your writeup). It might also help to have a look at the SIGCOMM’10 paper, as there is some information about this in there.

Primitives: Digital signatures. Access control lists.

Reading list:

  • BGP security survey
  • SIGCOMM’10

Week 9: Data privacy

In this set of classes we’ll talk about privacy issues relating to network data. We’ll learn about the definition of differential privacy, and then have a guest lecture by one of the inventors of differential privacy, Frank McSherry, about an API for querying datasets in a differentially private way.

Readings

  • First, we’ll look at some practical attacks. Read the two attack papers. Each paper considers a particular threat, and shows how to carry out the threat and break the system. Homework: Write down the definition of the threat considered in each paper, and then a 2 sentence summary of how the authors perform the attack.
  • As a follow up to the attack class, have a look at the MSNBC link about Facebook privacy, the other NR’08 paper on social graph privacy, Latanya Sweeney’s thesis, and the AOL query log release fiasco.
  • Next, we’ll study the definition of differential privacy, and go through the proof of how we can count records differentially-privately. It turns out that the majority of database operations that we’d like to perform privately are based on the count operation. Homework: Read McSherry’09, and then (1) write down the definition of differential privacy, and (2) describe how releasing data differentially-privately would thwart (or not thwart!) the attacks in the two attack papers we read last class.

Reading list:

  • Attack on Netflix data
  • Attack on social graph data
  • What is personally identifiable info?
  • Another attack on social graph data
  • Facebook ads may out gay men
  • AOL query log fiasco
  • McSherry’09
  • PINQ API Download

Week 10: Onion Routing

This set of classes will cover anonymous routing using ToR (The Onion Router).

Readings:

  • Please read the two ToR papers (ToR, 2nd Generation Onion Router and ToR challenges). These papers give a very clear and detailed threat model for the ToR system.
  • Wikileaks has been in the news lately; there has been some discussion about how they use ToR. Have a look at ToR’s blog to get an idea of the issues (and a link to The New Yorker article on WikiLeaks).
  • Optional: A couple of formal treatments of onion routing have been presented. Optional (but recommended) reading is to glance through CL’05 for an idea of what cryptographers have done; CL’s proof is done in the UC (Universal Composability) framework of Canetti, which is an advanced framework for proving properties of crypto protocols and is too advanced for this class. So, it’s probably best to stop reading at Theorem 1. You might also want to have a look at the formal treatment in FJS’07.

Homework: The readings give a fairly detailed view of the threat model and design decisions used by ToR. In your writeup “CS558 ToR Writeup” answer the following questions. I challenge you to answer them as clearly and simply as possible, despite the high level of detail in all of the readings.

  1. Give a layman’s description of the security properties of ToR. (i.e. why would you use it?).
  2. List two attacks on ToR that could compromise a user’s anonymity. Explain why the ToR designers chose not to protect against this type of attack.

Primitives: Encryption.

Reading list:

  • ToR – The 2nd generation onion router
  • ToR Challenges
  • ToR blog on WikiLeaks
  • CL’05
  • FJS’07

Week 11: Privacy-preserving peer-to-peer

Next, we move on to the related topic of “privacy-preserving” peer-to-peer networks. Please read the OneSwarm paper from SIGCOMM 2011. No writeup is required this time, but please make sure to read the paper carefully; in class we will be breaking up into small groups and trying to develop a security definition for each of the papers. The discussion will center around the different security definitions developed by each group.

Optional reading: Also, see some references on DHTs.

Primitives: Encryption.

Reading list:

  • OneSwarm SIGCOMM paper
  • Wiki DHT
  • Kademlia DHT paper
  • Wiki Kademlia
  • paper on crawling DHTs

Week 12: Social Networks and Transitive Trust

Readings: We’ll continue our discussion of social networks and transitive trust, with three papers.

  • SybilGuard, a scheme for detecting sybil attacks by leveraging social networks.
  • RE: Reliable Email, using social networks to reduce spam.
  • Ostra, another idea for leveraging social networks to reduce unwanted communication.

Homework: For each paper, write down the threat model, as we usually do. Also, answer the following question: is there a transitive trust assumption here, and if so, what kind? (i.e., is it “binary” – if (A trusts B) and (B trusts C) then (A trusts C) – or does it “degrade” – if (A trusts B with value x) and (B trusts C with value y) then (A trusts C with value z) where z < x,y?)

Primitives: Trust (!)

Reading list:

  • SybilGuard
  • RE: Reliable Email
  • Ostra

Week 13: DNS Security

We focus on DNS security, and in particular the 2008 Kaminsky vulnerability and the DNSsec protocol. The readings are:

  • Extremely simple overview of how DNS works from djb.
  • An Illustrated Guide to the Kaminsky DNS Vulnerability – we’ll focus on this, so please read carefully.
  • An academic paper with an overview of DNSsec, please read only Section 2.

Homework: Answer the following questions:

  1. What does DNS do? (What is its purpose?)
  2. List and briefly describe the different flaws in DNS that Kaminsky exploits in order to launch his attack.
  3. Explain how DNSsec would (or would not) thwart the Kaminsky attack.
  4. Why do you think it’s taken so long for DNSsec to be deployed? Answer should be max 3 sentences. (This is an open ended question, feel free to surf the Internet to read rants and opinions.)

Some extra links (from Jef):

  • Using DNS for censorship. threatpost
  • Peer-to-peer DNS instead of single root of trus