The seminar course will cover various aspects of network security, with a focus on designing secure protocols. In addition to discussing fundamental principles of security, we will look at recent research proposals and Internet standards and either develop rigorous arguments for their security, or come up with attacks that prove their insecurity. In this seminar, you'll get a taste for:
Prerequisites: CS330 and CS350 or permission of the instructor. CS455 is helpful but not required.
Other security courses at BU: If you're interested in security, I encourage you to consider taking Leo Reyzin's cryptography class this fall – CS538. This seminar uses cryptographic security definitions to build network protocols. CS538 goes down one level, and looks at designing the crypto primitives that fulfill the security definitions, and the reasons behind the security definitions. Even if you are not interested in becoming a cryptographer, CS538 gives you more tools that you can use to develop formal security arguments. In the spring, Ari Trachtenberg and David Starobinski of ECE will be offering a systems security course. More details on their course soon.
As this is a seminar, the main point is for you to just learn the material, and get a taste for research in network security. Thus, I'd like you to read the assigned papers before class - these will be listed in the course calendar on the website - and be ready to participate in class discussions. At the end of the class, each student will be expected to prepare a poster on a topic of their choice. The poster should present a rigorous security analysis of a recent research paper(s) in network security. (You are also welcome, but not required, to present original research in your poster.) The remainder of your grade will be based on written critical reviews of research papers, and/or a quiz that will test your knowledge of security primitives. The grading scheme is as follows, subject to change:
|Homeworks / Quiz||30 %|
For the poster, you can either (a) analyze a research paper related to network security, (b) analyze an Internet standard, OR (c) analyze a software implementation of a cryptographic primitive.
There is no textbook required for this seminar. The following two textbooks are optional:
The Boston area is a great place to do security research. In addition to security colloquia here at BU, here are a couple of local seminars that you should consider going to:
Topics: (This is a preliminary list. More topics will be added as the semester proceeds.)
|SSL / TLS||End-to-end secure channels at the application layer.
We'll focus on the basics of security - the difference between encryption and authentication, and the order in which they should be performed. We'll work through the Krawczyk paper together in class, so there is no need to read this paper ahead of time. A good summary of the results of Krawczyk's paper also appears in Boaz Barak's crypto lecture notes (reading these is optional).
In this set of classes, we'll learn about the cryptographic definitions for symmetric CPA-secure encryption, symmetric CCA-secure encryption, and secure MACs (Message Authentication Codes).
Message authentication codes (MACs).
Secure password-based login at the application layer, using symmetric encryption.
Please read all the handouts before class, and think about the flaws in Kerberos V4. Copies of the readings are available in the CS department office. If you can't physically pick them up, email me and I'll get them to you.
Before class on Sept 23: To prepare, read the handouts, which can be picked up in the CS department office. Please write down the “threat model” considered in Kerberos: namely, who is the attacker, where in the system is he located, what are his “powers” (i.e., what can he learn? What can he do to the Kerberos messages?), and finally, what is considered a “break” of the system? Please bring printouts of your _typed_ write-ups to class on Sept 23, and also email them to me (goldbe||cs||bu||edu), with “CS591 Kerberos Writeup” in the subject line, before the beginning of that class.
Optional: Backes, Cervesato, Jaggard, Scedrov, and Tsay present a formal security analysis of Kerberos. We won't cover this in class; it's optional reading.
Section 4.2 in Stallings
Section 8.3.1 in Rubin
|Sept 28||Secure multicast||Securing multicast content from webservers at the application layer.
Using HTTPS (HTTP over SSL/TLS) vs. "How to Sign Digital Streams?", and how they deal with web proxies.
Homework: Here's a sample threat model homework. Notice how the threat model focuses on the parties that participate in the protocol, and does not use any protocol-specific details. Also, I'm looking for crisp statements of the problem. For a reader, long discussions are confusing and often obfuscate meaning; have sympathy for your readers, and make things short and clear!
Collision resistant hash functions
|Oct 7||PKI and Key Exchange||Using public key infrastructure to set up symmetric session keys.
Homework: Read through Section 2 of Krawczyk, and write down the threat model he considered. I challenge you to parse all this technical detail, and write down a *very short* and simple summary of exactly two threats that Krawczyk is thinking about (there are more than that in there). As usual, email me before class on Oct 7, with subject "CS591 KE Writeup".
Public Key Infrastructure (PKI).
Diffie-Hellman key exchange
Section 7, 8.4, 8.6 in Rubin
|Oct 14||Side Channels|| Guest Lecture by Nadia Heninger
What happens when the attacker attacks you outside the security model? The Cold Boot attack. Please watch the video and read the paper before class. (This is not exactly network security, but it's too fascinating to resist.)
Nadia's Abstract: The "cold boot" attack is a side-channel attack that allows an attacker to extract encryption keys from data that is still left in a computer's RAM after the power has been cut. I will discuss how the attack works, some realistic models for errors that might occur during the attack, and some techniques for efficiently correcting such errors in cryptographic keys.
|Oct 19 - 21||BGP Security.|| We'll talk about the security of BGP, the routing protocol that runs the global Internet's routing system. I'm assigning two papers to be read, the BGP survey, and my recent SIGCOMM'10 paper. Homework, due TUESDAY Oct 19, is to read the BGP survey, and focus especially on the following security technologies:
|| Digital signatures.
Access control lists.
|Oct 28-Nov 2||Data privacy||
In this set of classes, we'll talk about privacy issues relating to network data. We'll learn about the definition of differential privacy, and then have a guest lecture by one of the inventors of differential privacy, Frank McSherry, about an API for querying datasets in a differentially private way.
|--||Attack on Netflix data|
|Nov 9||Onion Routing.||
This set of classes will cover anonymous routing using ToR (The Onion Router).
Homework: (Due before class on Tues Nov 9) The readings give a fairly detailed view of the threat model and design decisions used by ToR. In your writeup "CS591 ToR Writeup" answer the following questions. I challenge you to answer them as clearly and simply as possible, despite the high level of detail in all of the readings.
|Nov 11-Nov 16||Privacy-preserving peer-to-peer||
Next, we move on to the related topic of 'privacy-preserving' peer-to-peer networks. Please read the OneSwarm paper from this year's SIGCOMM. No writeup is required this time, but please make sure to read the paper carefully; in class we will be breaking up into small groups and trying to develop a security definition for each of the papers. The discussion will center around the different security definitions developed by each group.
Optional reading: Also, see some references on DHTs.
|Nov 16-23||Social Networks and Transitive Trust||
Readings: We'll continue our discussion of social networks and transitive trust, with three papers.
Homework (SybilGuard due Tuesday Nov 16, other two due Thursday Nov 18): For each paper, write down the threat model, as we usually do. Also, answer the following question: is there a transitive trust assumption here, and if so, what kind? (i.e. is it "binary" - If (A trusts B) and (B trusts C) then (A trusts C), or does it "degrade" - If (A trusts B with value x) and (B trusts C with value y) then (A trusts C with value z) where z < x,y?)
Other interesting talks on social networks this week
|Nov 30||DNS Security||
We focus on DNS security, and in particular the 2008 Kaminsky vulnerability and the DNSSEC protocol. The readings for Tuesday are:
Homework, due before class on Tuesday. Answer the following questions:
Some extra links (from Jef):
|Digital signatures, PKI, nonces|