Yingjiu Li's Teaching

IS 302: Information Security and Trust

Term 2, 2011~2012

Announcement: Welcome back to SMU! Welcome to IS 302!

The textbook; the course design document; the learning outcomes.

Project teams G5, G6, G7

How do we evaluate class participation?

The class participation will be evaluated based on how actively students participate in classroom discussions. Roughly, if the students are active in discussions, they may get 9~10 points; if they participate in discussions occasionally, 7~8 points; if they are silent most of time, 5~6 points. Some points will be deduced if the students are absent from class with no good reasons.

Project (25%) consists of part A (15%) and part B (10%)

Teaming: ~10 random teams per class (4~5 members per team)
References: internet, textbook

Part A: Open-ended investigation into a security-related topic (each team chooses a different topic)

Students are given a list of security-related topics such as cell phone security, RFID system security, and EMR system security
Grading: 5% presentation + 10% project report (5% breadth, 5% depth)
Deliverables: Each team will write a project report on their findings, and deliver an oral presentation. The report will be within 10~15 pages, using 11pt font, single column and single space format. The oral presentation will be delivered in 20 minutes including Q&A.
Requirements: In both report and presentation, each team should:

a) Describe the background of the related topic

b) Evaluate major/certain security problem(s) in the field

c) Present solutions to the problem(s)

d) Analyze the possible impact/benefits of deploying the solutions in one or more business sectors, and provides a simple case study where appropriate

Part B: prototype and demo of a secure RFID system

Background: Company SEC decides to implement RFID technology to increase the efficiency and visibility of tracking its products. However, security is a major concern since SEC does not want any of its competitors to be able to collect its RFID information (e.g., its inventory level, where, when, and what products are processed) via the wireless communication channel from a distance. Therefore, it decides to implement a secure RFID communication protocol so that an adversary, without knowing tag secret keys, will not be able to identify or track any tags.
Setting: there are 1000 RFID tags and one reader. Each of the tags is assigned with a random key of 96 bits, and equipped with a pseudorandom number generator and a hash function (e.g., MD5 or SHA1). The reader maintains a database of the keys for all 1000 tags.
Protocol: the protocol is run between the reader and any tag. To authenticate or identify the tag, the reader first generates a random number C1 of at least 80 bits, and sends it to the tag. Upon receiving C1, the tag generates another random number C2, computes R=Hash(K,C1,C2), and sends (C2, R) back to the reader, where K is the key of this tag. Upon receiving (C2, R), the reader will search in its database to find out the correct key K which will produce the same R as received from the tag. The reader will output the serial number of this key K in its database as the tag’s ID.
Requirements: the students are required to simulate the protocol in programming (e.g., Java, or OpenSSL). The input of the protocol is any tag (whose key is taken from the reader’s database). The output should be the correct serial number of the tag’s key in the reader’s database, as well as the exact time that is spent by the reader in identifying the tag in the protocol. Additional requirement (optional) is to simulate the memory of EPC tag in protocol running.
Deliverables: the students should demo their simulation of the protocol within 10 minutes in their presentations (in weeks 12 and 13). In addition, they need to write a report within 5 pages on their designs, and attach their codes. In the report, the students should analyze why this protocol is secure.
Grading: 10% based on both demo and report (4% correctness, 3% security, 3% efficiency and quality).

The project outline/draft within 5 pages on both part A and part B (hardcopy) is due before or during the class in week 9. The presentations & demos will be delivered in weeks 12 and 13. The final report is due on Monday in week 14.

Synopsis: This course provides both fundamental principles and technical skills for analyzing, evaluating, and developing secure systems in practice. Students will learn essentials about security models, algorithms, protocols, and mechanisms in applied cryptograph, computer networks, and access control systems. Classroom instruction will be integrated with hands-on exercises on security tools in Windows and Java language.

Text book: Security in Computing (4^th/3^rd edition) by Charles P. Pfleeger and Shari L. Pfleeger, Prentice Hall (2007/2003)

Class time and venue:

G5: Thursday, 8:30~11:45pm, SISSR2.4
G6: Thursday, 3:30~6:45am, SISSR2.4
G7: Friday, 8:30~11:45am, SISSR2.4

Course web sites: http://www.mysmu.edu/faculty/yjli/teach/current.html

Professor

Yingjiu Li (yjli@smu.edu.sg)

Teaching Assistants: Pan Fei (feipan.2009@sis.smu.edu.sg); Gan Tian (tian.gan.2009@sis.smu.edu.sg)

Pan Fei (odd weeks) and Gan Tian (even weeks) take turns on G5
Pan Fei serves on G6
Gan Tian serves on G7
Main duty: help on hands-on exercise in each class.

Office hour:

By appointment

Course schedule:

Week	Topic	Lab and Assignment
1	Introduction (Chapter 1, 7.1)	Group formation (10 teams)
2	Encryption basics (Chapter 2.1-2.4)	OpenSSL and JCE AesGenKey.java, LabPrep.doc, LabTest.doc
3	DES, AES (Chapter 2.5-2.6, 10.2)	OpenSSL and JCE Lab.doc, AesEncrypt.java, AesDecrypt.java, AesGenKey.java, largefile.txt Assignment 1 (5%)
4	RSA (Chapter 2.7-2.8, 10.3)	OpenSSL and JCE Lab.doc, RsaGenKey.java, RsaEncrypt.java, RsaDecrypt.java, smallfile.txt, largefile.txt Assignment 1 due before this class
5	Integrity (Chapter 2.8, 10.3)	OpenSSL and JCE week5.zip
6	Certificate, PKI (Chapter 2.8, 7.6)	email sec, Windows cert mgt COMODO, firefox
7	User authentication I (Chapter 4.5)	Mid-Term Quiz (15%)
8	Recess week	Recess
9	User authentication II (Chapter 4.5) Internet security (Chapter 7.3)	Windows passwords, Windows firewall Project draft due
10	Access control (Chapter 4.1-4.4, 5.1-5.3)	Java SecurityManager hands_on.zip Assignment 2 (5%)
11	Lab@SAS-SMU Enterprise Intelligence Lab (instructions)	Password cracking, Firewall and IDS Assignment 2 due
12	Project presentation	Teams 1~8 (part A)
13	Project presentation & demo	Teams 1~8 (part B), teams 9,10 (part A & B)
14	Review week (no class)	Project report due on Monday of this week
15	Final exam (40%)	Final exam (40%)

Note: Learning slides are available before each class. The slides may be deleted one week after the class.