CSE-C3400 Information security


Welcome to the course!
Tuomas Aura
CSE-C3400 Information security
Aalto University, autumn 2015

Goals
- Learn the key concepts and abstractions of information security
- Understand the purpose and function of several security technologies, as well as their limitations
  - e.g. security policies, authentication, access control, cryptography, network security
- Be able to model threats and analyze the security of a system critically, from the viewpoint of an attacker
- Have some hands-on experience of security flaws in software
- Learn the adversarial mindset of security engineering
- Starting point for learning more

My background
- Lecturer: Tuomas Aura
  - Professor at Aalto 2008–
  - Microsoft Research, UK, 2001–2009
  - PhD from Helsinki University of Technology in 2000
- Research areas:
  - Security analysis of new technologies
  - Security for ubiquitous computing, e.g. displays
  - Security protocol engineering
  - Network protocol security, DoS resistance
  - Security without expensive infrastructure
  - Privacy of mobile users
  - Security of mobility protocols (Mobile IPv6, SEND, etc.)

Lectures
- Lecturer: Tuomas Aura
- 12 lectures in Sep-Oct 2015
  - Tuesdays 14:15-14 TU1 (TUAS building)
  - Thursdays 14:15-16 AS1 (TUAS building)
- Attendance not mandatory but some material will only be covered in the lectures
- Lecture slides published in Noppa after each lecture
  - Published slides include some additional pages not covered in the lectures
- No tutorial or exercise sessions to attend

Weekly exercises
- Goal: broadening the scope of the course with hands-on experience, especially in software security
  - Different from the content covered in the lectures and exam
- 6 exercise rounds, first round on second lecture week, last round on exam week
- Exercise problems in My Courses by Sunday each week (first round on 13 September 2015)
- Deadline one week later on Monday at 12:00 noon
- Reports to be returned to Rubyric
- Course assistants: Sanna Suoranta, Thanh Bui, Sid Rao, Debopam Bhattacherjee, Andi Bidaj
  - email: cse-c3400@aalto.fi
- Course assistants available for advice in the Playroom: Tuesdays, Wednesdays and Thursdays at 16:15-18 in room A120

Advice for the exercises
- Programming skills are a prerequisite for this course
- Try to solve all problems at least partly
  - Each exercise round has (a) and (b) parts, each worth 5 points. If you find the exercises hard, try to do the (a) part in every round as well as you can!
- Individual work: It is ok to discuss with other students but do not copy or even read the written solutions of other students. Do all practical experiments independently
- If you quote any text written by someone else, mark it clearly as a "quotation" and give the source, e.g. [RFC 1234, section 5.6.7]

Assessment
- Examination Thu 22 Oct 2015
  - Remember to register for the exam two weeks earlier!
- Examination scope: lectures, recommended reading material, exercises, general knowledge of the topic area
- Marking:
  - exam max. 30 points
  - exercises max 6 x 10 = 60 points
  - grading based on total points = exam + roundup(exercises / 5) (total max 30+12=42 points)
- Exercises are not mandatory but strongly recommended
  - Try to do at least the (a) part of each exercise round. If you find the workload too high, not doing the (b) parts will cost some points, but you should still be able to pass the course
- Course feedback is mandatory

Approximate course contents
- Computer security overview
- Access control models and policies
- Operating system security
- Cryptography
- User authentication
- Threat analysis
- Certificates and network security
- Data encryption
- Identity management
- Privacy
- Payment systems
- Current topics

Subject to change

Recommended reading
- Dieter Gollmann, Computer Security, 3rd ed., 2011 (easy-to-read overview)
- Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed., 2008 (fun real-life stories)
- Matt Bishop, Introduction to Computer Security, 2004/2005 (for prospective research students)

Course development
- 2014 feedback
  - Students liked the hands-on exercises, helpful course assistants, lectures, threat analysis
  - Some found the exercises hard (take lots of time, require programming skills) – that is why we now have the (a) and (b) parts
  - Too hard to install Linux and Windows in VM for the first exercise round
  - Exercise server down – we were lucky last year with few outages, but the lecturer and CSC caused some
  - Not all material covered in the lectures – true, I always have many extra slides and don't know what exactly can be covered
  - Some ask for the lecture slides in advance – sorry, I make last minute changes
  - Some have taken a course on security before and don't learn much new (typically exchange students or double-degree students)
  - Access control models are boring – abstractions will be useful later in your career but, to be honest, we start with the boring stuff to reduce the student numbers
- New in 2015
  - >260 registered students, big challenge to run the exercises smoothly, please be patient and email the course alias if the server is down!
  - Major and minor updates to the lectures