CODE 80156 ACADEMIC YEAR 2024/2025 CREDITS 6 cfu anno 3 INFORMATICA 8759 (L-31) - GENOVA 9 cfu anno 1 COMPUTER ENGINEERING 11160 (LM-32) - GENOVA SCIENTIFIC DISCIPLINARY SECTOR ING-INF/05 LANGUAGE English TEACHING LOCATION GENOVA SEMESTER 1° Semester TEACHING MATERIALS AULAWEB OVERVIEW The course covers some of the fundamental principles of Computer Security. Topics covered include cryptographic hash functions, symmetric and asymmetric ciphers, digital signatures, digital certificates, security protocols, and access control. An introduction to network security and web security is also provided. The course also features a number of hands-on sessions and a cyber exercise (CyberEx), inspired by Capture-the-Flag competitions. For the students of Informatica (Computer Science) the CyberEx is not mandatory and the number of credits is reduced to 6. AIMS AND CONTENT LEARNING OUTCOMES Upon completion of the course, students will be able to: explain the concepts of confidentiality, availability, and integrity (CIA) as well as the concepts of threat, vulnerability, exploit and (cyber-)risk and (cyber-)risk mitigation; explain the strengths and weaknesses of cryptographic techniques as well as their role in protecting data at rest and in transit, in implementing the concept of digital signature and in supporting the design of security protocols; explain the security model of web browsers and identify the most relevant vulnerabilities of web applications; explain the causes and effects of buffer overflows in executable programs; explain the key principles of access control in information systems and most relevant access control models and mechanisms. AIMS AND LEARNING OUTCOMES Students will acquire in-depth understanding of the security issues that plague modern Computer Systems and complex ICT infrastructures as well as of the techniques used to solve or, at least, mitigate them. Students will learn how to evaluate if the confidentiality, integrity and availability of data and communications is at risk and to identify appropriate solutions to achieve these fundamental security properties. The course features a series of hands-on sessions that provide students with the ability to solve practical problems drawn from a variety of domains: cryptography, network security, host security and web security. PREREQUISITES Good programming skills Fundamentals of Computer Architectures and Operating Systems Fundamentals of communication protocols and the TCP/IP TEACHING METHODS Lecture-style instruction complemented with hands-on session on selected topics (e.g. secure mail, web security). The examination consists of a written and a practical exam (cyber exercise). SYLLABUS/CONTENT Introduction Computer Security [1h] The concepts of resource, vulnerability, threat, countermeasure, and risk Security goals: confidentiality, integrity, availability, ... Introduction to Cryptography [2h] Fundamental concepts (cryptography, cryptanalysis, general cryptographic schema) Monoalphabetic substitution ciphers (Caesar cipher) Polyalphabetic substitution ciphers (Vigenère cipher) One-time pads (Vernam cipher) Transposition ciphers Composite ciphers Symmetric Cryptography [3h] Block and stream ciphers Feistel cipher structure DES and 3DES Modes of operation (Electronic Code Book, Cipher-Block Chaining, Stream Ciphers) Link vs end-to-end encryption The key distribution problem Public-Key Cryptography [6h] Introduction to public-key cryptography Introduction to Number Theory The RSA algorithm Diffie-Hellman key exchange Message Authentication and Digital Signatures [3h] Message integrity and authentication functions (message encryption, message authentication code, cryptographic hash functions) Digital signature Public Key Infrastructure (PKI) [3h] PKI components Digital Certificates Trust models Security Protocols [6h] Basic notions (protocol execution, assumptions and goals, attacker model) Examples of protocols (NSPK, Otway-Rees, Andrew Secure RPC, Denning & Sacco) Prudent engineering of security protocols Kerberos (architecture, protocol, inter-realm communication, limitations) Secure mail [3h+3h hands on] PGP Network Security [6h] Link Layer: WiFi Security Network Layer: IP-Sec Transport Layer: SSL/TLS Introduction to Firewalls Web Security [6h + 6h hands on] Security on the client side (cookies and privacy, HTTP authentication mechanisms) Security on the server side (unvalidated input, broken authentication and session management, cross-site scripting, injection flaws, denial of service, ...) Secure Programming [6h] Buffer overflows Format string vulnerabilities Access Control [6h] Discretionary vs Mandatory Access Control Access control matrix model Role-Based Access Control (RBAC) Administrative Role-Based Access Control (ARBAC) I modelli di Bell-LaPadula, Harrison-Ruzzo-Ullman, Chinese Wall Cyber Exercise [12h hands on] RECOMMENDED READING/BIBLIOGRAPHY Teaching material (slides and exercises) are available on AulaWeb. Charles P. Pfleeger Shari Lawrence Pfleeger. Security in Computing, 4/E. ISBN-10:0132390779, ISBN-13: 9780132390774, Prentice Hall Editor, 2007. (Available also in Italian) William Stallings, Lawrie Brown. Computer Security: Principles and Practice (3rd Edition). Pearson Ed., 2015 TEACHERS AND EXAM BOARD ALESSANDRO ARMANDO Ricevimento: Meetings via MS Teams or in person (office 102, DIBRIS, via Dodecaneso 35, Genoa) must be agreed in advance by email. For meeting requests, a message must be sent to alessandro.armando@unige.it with the subject starting with the string “[SO]”. Exam Board ALESSANDRO ARMANDO (President) ENRICO RUSSO LUCA VERDERAME (President Substitute) LESSONS LESSONS START https://courses.unige.it/11160/p/students-timetable Class schedule COMPUTER SECURITY EXAMS EXAM DESCRIPTION Written Exam based on open–ended questions. Hands-on Assessment (CyberEx) requiring the solution of “Capture-the-Flag” problems. ASSESSMENT METHODS The written assessment will assess The understanding of the fundamental problems and techniques of Computer Security the ability to critically evaluate the characteristics of the various solutions to classical security problems (e.g. data protection, authentication, authorization) The practical assessment will assess The ability to use penetration testing tools the ability to discover vulnerabilities and exploits in computer systems. Students with certification of Specific Learning Disabilities (SLD), disabilities, or other special educational needs must contact the instructor at the beginning of the course to agree on teaching and examination methods that, while respecting the course objectives, take into account individual learning styles and provide appropriate compensatory tools. It is reminded that the request for compensatory/dispensatory measures for exams must be sent to the course instructor, the School representative, and the “Settore servizi per l'inclusione degli studenti con disabilità e con DSA” office (dsa@unige.it<mailto:dsa@unige.it>) at least 10 working days before the test, as per the guidelines available at the link: https://unige.it/disabilita-dsa Exam schedule Data appello Orario Luogo Degree type Note 10/01/2025 16:00 GENOVA Scritto B2 21/01/2025 14:00 GENOVA Laboratorio Aula Software 1 - Valletta Puggia 05/02/2025 16:00 GENOVA Scritto Room 505 & 506 (Valletta Puggia Via Dodecaneso, 35) 14/02/2025 15:00 GENOVA Laboratorio Aula 222-Software 1 - Valletta Puggia - DIBRIS-DIMA 12/06/2025 16:00 GENOVA Scritto 10/07/2025 16:00 GENOVA Scritto 22/07/2025 15:00 GENOVA Laboratorio 01/09/2025 16:00 GENOVA Scritto Agenda 2030 - Sustainable Development Goals Quality education Gender equality Decent work and economic growth Industry, innovation and infrastructure