T-110.4206 Information Security Technology Aalto University, autumn 2013

My background
Lecturer: Tuomas Aura
PhD from Helsinki University of Technology in 2000
Microsoft Research, UK, 2001–2009
Professor at Aalto 2008–
Research areas:
  Security of new technologies
  Network security, DoS resistance
  NFC applications, ticketing and payment
  Privacy of mobile users
  Security protocol engineering
  Security of mobility protocols (Mobile IPv6, SEND, etc.)

Lectures
Lecturer: Tuomas Aura
12 lectures in Sep-Oct 2013
  Tuesdays 12:15-14 T1
  Thursdays 14:15-16 T1
Attendance not mandatory but some material will only be covered in the lectures
Lecture slides published in Noppa after each lecture
  Published slides include some additional pages
No tutorial or exercise sessions to attend

Exercises
Goal: broadening the scope of the course with hands-on experience (sorry, no prep questions for the exam)
6 exercise rounds, starting next week, continuing to exam week
  Exercise problems in Noppa by Sunday each week (first round on 15 September)
  Deadline on the following Sunday 23:59; reports to be returned to Rubyric
Course assistants Aapo Kalliola and Markku Antikainen
  email: t-110.4206@tkk.fi
Course assistants available in the Playroom for advice and equipment:
  Wednesdays 16:15-18 room A120
  Thursdays 16:15-18 room A120
  (these are the correct times)

Advice for the exercises
Programming skills are a prerequisite for this course
Try to solve all problems at least partly
Individual work:
  It is ok to discuss with other students but do not copy or even read the written solutions of other students.
  Do all practical experiments independently
If you quote any text written by someone else, mark it clearly as a "quotation" and give the source, e.g. [RFC 1234, section 5.6.7]

Assessment
Examination Thu 24 Oct 2013 at 13:00-16:00 in T1
  Remember to register for the exam two weeks earlier!
Examination scope: lectures, recommended reading material, exercises, good general knowledge of the topic area
  Some old exams in Noppa under Additional Reading
Exercises are not mandatory but strongly recommended
Marking:
  exam max. 30 points
  exercises max. 6 x 10 = 60 points
  grading based on total points = exam + roundup(exercises / 10) (total max. 30 + 6 = 36 points)
Course feedback is mandatory

Goals
You are familiar with the fundamental concepts and models of information security.
You can analyze threats, know common security technologies, and understand how they can be applied to protect against the threats.
You are able to participate in practical security work
Understand the limitations of security technologies to use them right
Be aware of many pitfalls in security engineering
Learn the adversarial mindset of security engineering
Starting point for learning more

Approximate course contents
Computer security overview
Access control models and policies
Operating system security
Software security
User authentication
Applied cryptography
Certificates and network security
Encrypting stored data
Identity management
Threat modeling
Payment systems
Privacy

Recommended reading
Dieter Gollmann, Computer Security, 3rd ed., 2011 (good overview)
Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed., 2008 (fun real-life stories)
Matt Bishop, Introduction to Computer Security, 2004/2005 (for research students)

Course development
In 2014, this course will be CSE-C3400 Information Security
  From 3 cr to 5 cr; more exercises on software security
No major changes to the course content this year.
  Annual updates to the content
What has or has not changed based on 2012 student feedback?
  Students liked the hands-on exercises.
  Some found the exercises to be a lot of work, others way too easy. Only minor changes were made for this year as it is still only a 3-cr course.
  There is a fine line between the course assistant giving advice on the exercises and giving you the solution outright. We'll try to find the right balance.
  Students liked discussion in the lectures. Please do continue to tell us about your experiences and do ask questions.
  Sorry, I won't publish model answers to the exam questions. There are many ways to answer the problems, and writing short model answers would create more questions than it answers.
  Some slides are in the handouts but not shown during lectures. This is intentional. They are supporting material.