@Yuan Xue CS 285 Network Security Fall 2013 Yuan Xue

@Yuan Xue Course Information When and Where Tuesday/Thursday 1:10pm-2:25pm 298 Featheringill HallFeatheringill Hall Instructor: Yuan Xue Office: 383 Jacobs Hall, Phone: Office hours: Tuesday/Thursday 3:00pm-4:00pm or by appointment. TA: Li Li Office: 385 Jacobs Hall, Office hours: Monday/Wednesday 1:00pm-2:30pm or by appointment. Web: fall fall201

@Yuan Xue Books and References Textbook [WS] Cryptography and Network Security: Principles and Practice (4 th /5th Edition) by William Stallings Reference books [DM] The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, by Dafydd Stuttard and Marcus Pinto [MZ] The Tangled Web: A Guide to Securing Modern Web Applications by by Michal Zalewski [KPS] Network Security: Private Communication in a Public World (2nd Edition), by Charlie Kaufman, Radia Perlman, Mike Speciner [AND] Security Engineering: A Guide to Building Dependable Distributed Systems, by Ross J. Anderson [CSP] Security in Computing (3rd Edition), by Charles P. Pfleeger, Shari Lawrence Pfleeger [BIS] Computer Security: Art and Science, by Matthew A. Bishop

@Yuan Xue Course Component Lecture Slides + white board Take note Online digest/slides Participation Discussion Presentation Homework 5 assignments Pencil/paper + programming Midterm Project Important component Start early Potential topics Grading Policy  Participation: 10%  Homework: 35%  Midterm: 25%  Project: 30%

@Yuan Xue What you will learn from this course What is “ Security ” ? Where the security problems come from?  Potential threats to a system or an application What are the solutions? Apply an appropriate mix of security measures Knowing what has worked, what has failed Both theory, design, principle as well as hands-on experience Security involves many aspects -Operating system, programming language, administration and policy Our Focus: Network Security (Algorithm, protocol, mechanism) We will also discuss OS, programming related security issues.

@Yuan Xue Course Topics Security Basics and Principles Symmetric/ Asymmetric Cryptography Basic concept, algorithm, mechanism, Design principles Security Practices Secure protocols, systems and applications (SSL, IPSec, PGP) Hand-on experiences (system/network exploits, defenses) Hot Topics and Recent Development Web security, Wireless Network security, Smartphone, Cloud computing, Worm, DoS attack, etc.

@Yuan Xue Survey and Feedback Your input is important Online Survey  Feedback

@Yuan Xue What is security? In general, security is the condition of being protected against danger or loss. (Wikipedia) In computer security and network security What are the subjects that need to be protected? Let’s start with some terms System  computer, network, application, data, resource Principal: an entity that participate in a system  user, person

@Yuan Xue What is security? Computer Security Confidentiality means that only authorized people or system can access the data or resource.  it’s about the receiver Integrity refers to the trustworthiness of data or resources.  about the source  Data integrity means that data can only be modified by authorized people or system in authorized ways  Origin integrity (also called source authentication) means that the source of the data is trustworthy.  Message authentication (= data integrity + origin integrity) means messages received are exactly as sent (i.e. no modification, insertion, deletion, or replay), and the ID of the sender is valid.  Note: timing information (timestamp) is also considered as part of the message. Availability means that people has the ability to use the information or resource desired. Refer to [MB]1.1

@Yuan Xue Where the security problem comes from? Let’s look at some example systems Bank Bookkeeping  Core operations customer account, journals recording the transactions  Who has the access to the information? Bank’s own staff – what if they cheat? ATM  Authenticate users based on card and ID number Let’s go Internet  The user – how do we know they are the “real” (authenticate) user?  Protect web servers and bookkeeping database

@Yuan Xue Where the security problem comes from? Hospital Patient record system  Who can access the record? – Many parties – insurance company, care giver, researcher, Complicated -- role can change Privacy issue – HIPPA Anonymize the record for research  Is it sufficient? Show me all records of 59-year-old males who were treated for a broken collarbone on September 15, 1966 Drug management Let’s go to Internet/Web  Patient Portal, Electronic Medical Record

@Yuan Xue Where the security problem comes from? In real world where systems interact with each other… imagine physical systems controlled by computers, communicated via networks (cyber-physical system) Let’s watch a video clip..