CS591 : Seminar in Network Security
Boston University, Computer Science, Fall 2010

Instructor:     Sharon Goldberg
Dates:     Tuesday & Thursday 2-3:30
Location:     MCS 137
Office Hours:
Tuesday, 11-12:30 AM.
Tuesday, 3:30 - 4 PM
Thursday, 3:30 - 4:30 PM

  • Some advice on being a successful grad student, from my PhD advisor, Jen Rexford, here :)
  • Very soon, there will be a class mailing list. Registered students will be added automatically. If you are auditing the course, please send me an email with your info, and I'll add you to the mailing list.
  • The class calendar is here.
  • No class September 2 or 9. Our first class will be September 7.

Course Summary:

The seminar course will cover various aspects of network security, with a focus on designing secure protocols. In addition to discussing fundamental principles of security, we will look at recent research proposals and Internet standards and either develop rigorous arguments for their security, or come up with attacks that prove their insecurity. In this seminar, you'll get a taste for:

  1. The security issues at various network layers of the Internet, and the protocols proposed and deployed to deal with these security issues.
  2. Techniques for rigorously arguing about the security of protocols (e.g., game-based security definitions (from cryptography), mechanism design (from game theory))
  3. The primitives used in network security (e.g., encryption, authentication, hash functions, access control lists, etc.)

Prerequisites: CS330 and CS350 or permission of the instructor. CS455 is helpful but not required.

Other security courses at BU: If you're interested in security, I encourage you to consider taking Leo Reyzin's cryptography class this fall – CS538. This seminar uses cryptographic security definitions to build network protocols. CS538 goes down one level, and looks at designing the crypto primitives that fulfill the security definitions, and the reasons behind the security definitions. Even if you are not interested in becoming a cryptographer, CS538 gives you more tools that you can use to develop formal security arguments. In the spring, Ari Trachtenberg and David Starobinski of ECE will be offering a systems security course. More details on their course soon.


As this is a seminar, the main point is for you to just learn the material, and get a taste for research in network security. Thus, I'd like you to read the assigned papers before class - these will be listed in the course calendar on the website - and be ready to participate in class discussions. At the end of the class, each student will be expected to prepare a poster on a topic of their choice. The poster should present a rigorous security analysis of a recent research paper(s) in network security. (You are also welcome, but not required, to present original research in your poster.) The remainder of your grade will be based on written critical reviews of research papers, and/or a quiz that will test your knowledge of security primitives. The grading scheme is as follows, subject to change:

Participation: 30%
Homeworks / Quiz: 30%
Poster: 40%


For the poster, you can either (a) analyze a research paper related to network security, (b) analyze an Internet standard, OR (c) analyze a software implementation of a cryptographic primitive.


There is no textbook required for this seminar. The following two textbooks are optional:

Local Seminars:

The Boston area is a great place to do security research. In addition to security colloquia here at BU, here are a couple of local seminars that you should consider going to:

Topics: (This is a preliminary list. More topics will be added as the semester proceeds.)

Week Topic Notes Primitive Readings
Sept 14-21

(3 lectures)

SSL / TLS End-to-end secure channels at the application layer.

We'll focus on the basics of security - the difference between encryption and authentication, and the order in which they should be performed. We'll work through the Krawczyk paper together in class, so there is no need to read this paper ahead of time. A good summary of the results of Krawczyk's paper also appears in Boaz Barak's crypto lecture notes (reading these is optional).

In this set of classes, we'll learn about the cryptographic definitions for symmetric CPA-secure encryption, symmetric CCA-secure encryption, and secure MACs (Message Authentication Codes).


  • Have a look at the April 2008 article from the Journal of Craptology, and think about why the "theorems" and "proof sketches" in Section 3 are funny.
  • After class on September 16, please read Section 4 of Krawczyk's paper, and especially the counterexample in Section 4.2. (To properly understand Section 4, it's worthwhile to go through the earlier sections of the paper.)
  • Also, class on September 16: To get some practice reading Internet standards, have a look at the latest TLS standard (RFC5246). Homework is to figure out which part of the protocol handles symmetric encryption and authentication, and the order in which they are performed in current versions of TLS.
  • Class on Sept 21. We will work through the proof that (CPA-secure) Encrypt-then-Authenticate gives a CCA-secure encryption. We will follow the notes in Section 2 of Trevisan's class notes.

Symmetric encryption.

Message authentication codes (MACs).



Barak's lecture notes


Trevisan's lecture notes

Sept 23 Kerberos

Secure password-based login at the application layer, using symmetric encryption.

Please read all the handouts before class, and think about the flaws in Kerberos V4. Copies of the readings are available in the CS department office. If you can't physically pick them up, email me and I'll get them to you.

Before class on Sept 23: To prepare, read the handouts, which can be picked up in the CS department office. Please write down the “threat model” considered in Kerberos: namely, who is the attacker, where in the system is he located, what are his “powers” (i.e., what can he learn? What can he do to the Kerberos messages?), and finally, what is considered a “break” of the system? Please bring printouts of your _typed_ write-ups to class on Sept 23, and also email them to me (goldbe||cs||bu||edu), with “CS591 Kerberos Writeup” in the subject line, before the beginning of that class.

Optional: Backes, Cervesato, Jaggard, Scedrov, and Tsay present a formal security analysis of Kerberos. We won't cover this in class, it's optional reading.


Symmetric encryption.

MIT's intuitive discussion of how Kerberos works


Section 4.2 in Stallings

Section 8.3.1 in Rubin

Backes et al. '06

Sept 28 Secure multicast Securing multicast content from webservers at the application layer.

Using HTTPS (HTTP over SSL/TLS) vs. "How to Sign Digital Streams?", and how they deal with web proxies.


  • Start by reading and understanding the SSL-splitting paper. Write down a trust/threat model for the paper, the way we've been discussing in class, and email it to me before class.
  • Next, read the Gennaro-Rohatgi paper, from the start until the OFFLINE protocol in Section 3. Understand how the OFFLINE protocol works, and think about how the OFFLINE protocol might be solving a similar problem to the one discussed in the SSL-splitting paper. You should also try looking through the security proof of the offline protocol in Section 5; we will work through this together in class.

Homework: Here's a sample threat model homework. Notice how the threat model focuses on the parties that participate in the protocol, and does not use any protocol-specific details. Also, I'm looking for crisp statements of the problem. For a reader, long discussions are confusing and often obfuscate meaning; have sympathy for your readers, and make things short and clear!

Public-key signatures.

Collision resistant hash functions


SSL splitting

Oct 7 PKI and Key Exchange Using public key infrastructure to set up symmetric session keys.


  • Section 7 of Rubin, for an overview of key distribution (I sent via the class email list).
  • Section 8.4 and 8.6 of Rubin. Spend some time thinking about the Diffie-Hellman key exchange protocol. This is what we'll focus on in class.
  • Finally, we'll be looking at (another) paper of Krawczyk's, this time on the key agreement protocols used in IPSec. This is another difficult paper, but please try to read up to page 14 (of course, if you want to read more, even better). This paper gives a nice view of a cryptographer's formalization of the very hairy problem of key agreement. I especially want you to focus on Section 2.1, which articulates Krawczyk's security requirements for the system.
  • Optional reading, for those who are interested in engineering issues related to the design of public key infrastructures, is the survey of Radia Perlman. While initially these issues may not seem super exciting, they are one of the reasons we've had so much trouble deploying protocols like DNSsec and Secure BGP in the Internet.

Homework: Read through Section 2 of Krawczyk, and write down the threat model he considered. I challenge you to parse all this technical detail, and write down a *very short* and simple summary of exactly two threats that Krawczyk is thinking about (there are more than that in there). As usual, email me before class on Oct 7, with subject "CS591 KE Writeup".

Public Key Infrastructure (PKI).

Diffie-Hellman Key exchange

Section 7, 8.4, 8.6 in Rubin

Krawczyk '03

Perlman '99

Oct 14 Side Channels Guest Lecture by Nadia Heninger

What happens when the attacker attacks you outside the security model? The Cold Boot attack. Please watch the video and read the paper before class. (This is not exactly network security, but it's too fascinating to resist.)

Nadia's Abstract: The "cold boot" attack is a side-channel attack that allows an attacker to extract encryption keys from data that is still left in a computer's RAM after the power has been cut. I will discuss how the attack works, some realistic models for errors that might occur during the attack, and some techniques for efficiently correcting such errors in cryptographic keys.



ColdBoot research paper

Oct 19 - 21 BGP Security. We'll talk about the security of BGP, the routing protocol that runs the global Internet's routing system. I'm assigning two papers to be read, the BGP survey, and my recent SIGCOMM'10 paper. Homework, due TUESDAY Oct 19, is to read the BGP survey, and focus especially on the following security technologies:
  1. Origin Authentication
  2. Secure Origin BGP
  3. Secure BGP
Again, the survey is very long, so you don't need to read every detail (unless you want to), but focus specifically on these protocols. Each of these protocols was designed for a different threat model. In your writeup, give a short description of the threat model each of these protocols was designed for (so I want to see 3 different sections to your writeup), and mail by Tuesday Oct 19 before class as "CS591 BGP Writeup". It might also help to have a look at our SIGCOMM'10 paper, as there is some information about this in there. We'll spend Tuesday Oct 19 reviewing different security technologies for BGP, and on Thursday Oct 21 I'll present our SIGCOMM paper.
Digital signatures.

Access control lists.

BGP security survey


Oct 28-Nov 2 Data privacy

In this set of classes we'll talk about privacy issues relating to network data. We'll learn about the definition of differential privacy, and then have a guest lecture by one of the inventors of differential privacy, Frank McSherry, about an API for querying datasets in a differentially private way.


  • First, we'll look at some practical attacks. Read the two attack papers. Each paper considers a particular threat, and shows how to carry out the threat and break the system. Homework due before class on Oct 26 is to write down the definition of the threat considered in each paper, and then a 2 sentence summary of how the authors perform the attack.
  • As a follow up to the attack class, have a look at the MSNBC link about Facebook privacy, the other NR'08 paper on social graph privacy, Latanya Sweeney's thesis, and the AOL query log release fiasco.
  • Next, we'll study the definition of differential privacy, and go through the proof of how we can count records differentially-privately. It turns out that the majority of database operations that we'd like to perform privately are based on the count operation. Homework, due before class on Oct 28, is to read McSherry'09, and then write down (1) the definition of differential privacy, and (2) a description of how releasing data differentially-privately would thwart (or not thwart!) the attacks in the two attack papers we read last class.
  • The class on Nov 2 will be a guest lecture on PINQ, come ready to ask good questions! Optional homework (especially if you are a .NET programmer!) is to download the PINQ API (for Visual Studio) and play with it before/after class.
  • The class on Nov 4 will be about writing algorithms in PINQ, and finding ways to balance between privacy and the utility of the output we produce.
Other talks on Differential Privacy:
  • On Friday Oct 8, Guy Rothblum is giving a talk on differential privacy at MIT cryptoseminar at 10:30 AM at MIT Stata Center room G449, I encourage you to go.
Attack on Netflix data

Attack on social graph data

What is personally identifiable info?

Another attack on social graph data

Facebook ads may out gay men

AOL query log fiasco


PINQ API Download

Nov 9 Onion Routing.

This set of classes will cover anonymous routing using ToR (The Onion Router).


  • Please read the two ToR papers (ToR, 2nd Generation Onion Router and ToR challenges). These papers give a very clear and detailed threat model for the ToR system.
  • Wikileaks has been in the news lately; there has been some discussion about how they use ToR. Have a look at ToR's blog to get an idea of the issues (and a link to The New Yorker article on WikiLeaks).
  • Optional: A couple of formal treatments of onion routing have been presented. Optional (but recommended) reading is to glance through CL'05 for an idea of what cryptographers have done; CL's proof is done in the UC (Universal Composability) framework of Canetti, which is an advanced framework for proving properties of crypto protocols and is too advanced for this class. So, it's probably best to stop reading at Theorem 1. You might also want to have a look at the formal treatment in FJS'07.

Homework: (Due before class on Tues Nov 9) The readings give a fairly detailed view of the threat model and design decisions used by ToR. In your writeup "CS591 ToR Writeup" answer the following questions. I challenge you to answer them as clearly and simply as possible, despite the high level of detail in all of the readings.

  1. Give a layman's description of the security properties of ToR. (i.e. why would you use it?).
  2. List two attacks on ToR that could compromise a user's anonymity. Explain why the ToR designers chose not to protect against this type of attack.

ToR - The 2nd generation onion router

ToR Challenges

ToR blog on WikiLeaks



Nov 11-Nov 16 Privacy-preserving peer-to-peer

Next, we move on to the related topic of "privacy-preserving" peer-to-peer networks. Please read the OneSwarm paper from this year's SIGCOMM. No writeup is required this time, but please make sure to read the paper carefully; in class we will be breaking up into small groups and trying to develop a security definition for each of the papers. The discussion will center around the different security definitions developed by each group.

Optional reading: Also, see some references on DHTs.


OneSwarm SIGCOMM paper

Wiki DHT

Kademlia DHT paper

Wiki Kademlia

paper on crawling DHTs

Nov 16-23 Social Networks and Transitive Trust

Readings: We'll continue our discussion of social networks and transitive trust, with three papers.

  • SybilGuard, a scheme for detecting sybil attacks by leveraging social networks.
  • RE: Reliable Email, using social networks to reduce spam.
  • Ostra, another idea for leveraging social networks to reduce unwanted communication.

Homework (SybilGuard due Tuesday Nov 16, other two due Thursday Nov 18): For each paper, write down the threat model, as we usually do. Also, answer the following question: is there a transitive trust assumption here, and if so, what kind? (i.e., is it "binary" - if (A trusts B) and (B trusts C) then (A trusts C), or does it "degrade" - if (A trusts B with value x) and (B trusts C with value y) then (A trusts C with value z) where z < x,y?)

Other interesting talks on social networks this week

  • One of the authors of Ostra, Alan Mislove, will be visiting BU on Monday Nov 15, and giving a talk on social networks and system building at 11AM in MCS135. I encourage you to attend. Also, Alan will have an open office hour from 12:00 - 12:30 after his talk in my office, so you are encouraged to stop by and ask him your questions.
  • We'll have Gerome Miklau speaking on differential privacy in social networks at 4PM on Wednesday Nov 17 in MCS135. This is right on topic for what we've covered in class, so I hope you'll attend!
Trust (!)


RE: Reliable Email


Nov 30 DNS Security

We focus on DNS security, and in particular the 2008 Kaminsky vulnerability and the DNSsec protocol. The readings for Tuesday are:

  • Extremely simple overview of how DNS works from djb.
  • An Illustrated Guide to the Kaminsky DNS Vulnerability - we'll focus on this, so please read carefully.
  • An academic paper with an overview of DNSsec, please read only Section 2.

Homework, due before class on Tuesday. Answer the following questions:

  1. What does DNS do? (What is its purpose)
  2. List and briefly describe the different flaws in DNS that Kaminsky exploits in order to launch his attack.
  3. Explain how DNSsec would (or would not) thwart the Kaminsky attack.
  4. Why do you think it's taken so long for DNSsec to be deployed? Answer should be max 3 sentences. (This is an open-ended question, feel free to surf the Internet to read rants and opinions.)

Some extra links (from Jef):

Digital signatures, PKI, nonces

djb DNS intro

Kaminsky attack

deploying DNSsec