Scientific disciplinary sector: ING-INF/05
The course covers some of the fundamental principles of Computer Security. Topics covered include cryptographic hash functions, symmetric and asymmetric ciphers, digital signatures, digital certificates, security protocols, and access control. An introduction to network security and web security is also provided. The course also features a number of hands-on sessions and a cyber exercise (a Capture-the-Flag competition).
1. Introduction
2. Introduction to Cryptography
3. Symmetric Cryptography
4. Public-Key Cryptography
5. Message Authentication and Digital Signatures
6. Public Key Infrastructure (PKI)
7. Authentication Protocols
8. Internet Security
9. Secure Programming
10. Network Security
11. Web Security
12. Malware
13. Access Control
Students will acquire an in-depth understanding of the security issues that plague modern Computer Systems and complex ICT infrastructures, as well as of the techniques used to solve or, at least, mitigate them. Students will learn how to evaluate whether the confidentiality, integrity and availability of data and communications are at risk and to identify appropriate solutions to achieve these fundamental security properties. The course features a series of hands-on sessions that provide students with the ability to solve practical problems drawn from a variety of domains: cryptography, network security, host security and web security.
Lecture-style instruction complemented with hands-on sessions on selected topics (e.g. secure mail, web security).
The examination consists of a written and a practical exam (cyber exercise).
Introduction to Computer Security [1h]
The concepts of resource, vulnerability, threat, countermeasure, and risk
Security goals: confidentiality, integrity, availability, ...
Introduction to Cryptography [2h]
Fundamental concepts (cryptography, cryptanalysis, general cryptographic schema)
Monoalphabetic substitution ciphers (Caesar cipher)
Polyalphabetic substitution ciphers (Vigenère cipher)
One-time pads (Vernam cipher)
Symmetric Cryptography [3h]
Block and stream ciphers
Feistel cipher structure
DES and 3DES
Modes of operation (Electronic Code Book, Cipher-Block Chaining, Stream Ciphers)
Link vs end-to-end encryption
The key distribution problem
Public-Key Cryptography [6h]
Introduction to public-key cryptography
Introduction to Number Theory
The RSA algorithm
Diffie-Hellman key exchange
Message Authentication and Digital Signatures [3h]
Message integrity and authentication functions (message encryption, message authentication code, cryptographic hash functions)
Public Key Infrastructure (PKI) [3h]
Security Protocols [6h]
Basic notions (protocol execution, assumptions and goals, attacker model)
Examples of protocols (NSPK, Otway-Rees, Andrew Secure RPC, Denning & Sacco)
Prudent engineering of security protocols
Kerberos (architecture, protocol, inter-realm communication, limitations)
Secure mail [3h+3h hands on]
Network Security [6h]
Link Layer: WiFi Security
Network Layer: IP-Sec
Transport Layer: SSL/TLS
Introduction to Firewalls
Web Security [6h + 6h hands on]
Security on the client side (cookies and privacy, HTTP authentication mechanisms)
Security on the server side (unvalidated input, broken authentication and session management, cross-site scripting, injection flaws, denial of service, ...)
Secure Programming [6h]
Format string vulnerabilities
Access Control [6h]
Discretionary vs Mandatory Access Control
Access control matrix model
Role-Based Access Control (RBAC)
Administrative Role-Based Access Control (ARBAC)
The Bell-LaPadula, Harrison-Ruzzo-Ullman and Chinese Wall models
Cyber Exercise [12h hands on]
Teaching material (slides and exercises) is available on AulaWeb.
Charles P. Pfleeger, Shari Lawrence Pfleeger. Security in Computing, 4th Edition. Prentice Hall, 2007. ISBN-10: 0132390779, ISBN-13: 9780132390774. (Also available in Italian)
William Stallings, Lawrie Brown. Computer Security: Principles and Practice, 3rd Edition. Pearson, 2015.
Office hours: Tuesday, 2:00pm - 5:00pm
ALESSANDRO ARMANDO (Chair)
ALESSIO MERLO (Deputy Chair)
All class schedules are posted on the EasyAcademy portal.
Written + Practical
The written exam will evaluate the ability to apply and critically evaluate the techniques presented in the course.
The Cyber Exercise will assess the ability to effectively use techniques and tools against practical security problems.