COMS W4180 — Lectures (Spring '09)

Course Home
Lectures
Assignments
Submitting Homework

The lectures and readings listed here are subject to change, including in response to current events (i.e., major new security holes).

Jan 20

Introduction

Jan 22

Basic Concepts of Network Security

• Chapter 1 of Kaufman et al.
• Chapter 1 of Cheswick et al.

Jan 27

Introduction to Cryptography, Part I

• Chapters 2-4 of Kaufman et al.
• Appendix A of Cheswick et al. or section 13.1 of the first edition.

Jan 29

Introduction to Cryptography, Part II

• Chapters 5-6 of Kaufman et al.
• Chapters 7-8 of Kaufman et al. (optional)

Feb 03

Modes of Operation

• NIST's Current Modes (optional)
• Randomness Requirements for Security, RFC 4086, D. Eastlake, 3rd, J.Schiller, S. Crocker. June 2005.
• NSA Suite B Cryptography

Feb 05

Authentication; Certificates

• Robert H. Morris and Ken Thompson, Password security: a case history, Communications of the ACM 22:11, November 1979
• Columbia University Certificate
• CS Department Certificate
• The issuer's Certificate
• GeoTrust Certification Practice Statement, Version 1.1, April 3, 2008 (skim, very lightly)

Feb 10

Key exchange protocols; Kerberos

• Designing an Authentication System: a Dialogue in Four Scenes
• Kaufman et al., chapters 13-14

Feb 12

SSL

• Chapter 19 of Kaufman et al.
• SSL & TLS Essentials: Securing the Web, Stephen A. Thomas, Wiley Computer Publishing, 2000. See especially Chapter 3. (recommended; available as an E-book via CU library)
• SSL and TLS: Designing and Building Secure Systems, Eric Rescorla, Addison-Wesley, 2001. See especially Chpater 3. (optional)

Feb 17

Web Security I

• Chapter 25 of Kaufman et al.
• Chapter 4 of Cheswick et al.
• Steven M. Bellovin and Eric K. Rescorla, "Deploying a New Hash Algorithm", in Proceedings of the Symposium on Network and Distributed System Security, San Diego, CA, Feb. 2006.

Feb 19

Web Security II; Email Security I

• Chapter 20-22 of Kaufman et al.
• Secure Email

Feb 24

Email Security II

Feb 26

IPsec

Chapter 17 of Kaufman et al.

Mar 03

IPsec Key Management: IKE; IPsec Attacks

• Chapter 18 of Kaufman et al.
• Steven M. Bellovin, "Problem Areas for the IP Security Protocols", in Proceedings of the Sixth Usenix Unix Security Symposium, pp. 1-16, San Jose, CA, July 1996.
• Steven M. Bellovin, "Probable Plaintext Cryptanalysis of the IP Security Protocols", in Proceedings of the Symposium on Network and Distributed System Security, San Diego, CA, pp. 155-160, February 1997.

Mar 05

SSH

• SSH — Secure Login Connections over the Internet, Tatu Ylönen, Proceedings of the Sixth Usenix Security Symposium, 1996.
• Inoculating SSH against address-harvesting worms, S. E. Schechter, J. Jung, W. Stockwell, and C. McLain, May 2005.

Mar 10

SIP and VoIP

• Section 26 of RFC 3261: SIP: Session Initiation Protocol
• RFC 5393: Addressing an Amplification Vulnerability in Session Initiation Protocol (SIP) Forking Proxies

Mar 12

Midterm
Grade histogram

Mar 24

Networked Storage Security

• RFC 3723 Securing Block Storage Protocols over IP. B. Aboba, J. Tseng, J. Walker, V. Rangan, F. Travostino. April 2004.

Mar 26

Wireless Security

• Intercepting Mobile Communications: The Insecurity of 802.11, Nikita Borisov, Ian Goldberg, and David Wagner. MOBICOM 2001.
• The Final Nail in WEPs Coffin, Andrea Bittau, Mark Handley and Joshua Lackey, IEEE Symposium on Security and Privacy, 2006 (recommended).

Mar 31

Firewalls I

• Kaufman et al., chapters 23

Apr 02

Firewalls II

• S. Bellovin, The Security Flag in the IPv4 Header, RFC 3514, April 2003.
• Reactions to RFC 3514

Apr 07

Scanning

• Man page for nmap (on CLIC machines or here)
• Tyler Moore and Richard Clayton, "Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing", 2008. (draft)

Apr 09

Intrusion Detection

• Stalking the wily hacker, Cliff Stoll, Communications of the ACM 31:5, May 1988.
• An Evening with Berferd, Chapter 10 of the first edition of Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick and Steven M. Bellovin, Addison-Wesley, 1994, or Chapter 16 of the second edition.
• Shadow Hawk Busted Again, Phrack 16, File 11 (Nov 1987) (recommended)
• Chicago Phone Freak Gets Prison Term, Risks Digest 8:29, 22 February 1989 (recommended)
• Chapter 15 of Cheswick et al. (recommended)

Apr 14

Worms

• Twitter StalkDaily Worm Postmortem
• 17-year-old Claims Responsibility for Twitter Worm
• F-Secure Corporation's Data Security Summary for 2003
• IBM Christmas Card Virus, RISKS Digest 5.80, December 21, 1987.
• The Internet Worm Program: An Analysis, Purdue Technical Report CSD-TR-823. Eugene H. Spafford. Department of Computer Sciences. Purdue University
• How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson, and Nicholas Weaver. Proceedings of the 11th USENIX Security Symposium, 2002.

Apr 16

Denial of Service Attacks

• Project Neptune, daemon9, route, infinity. Phrack Magazine, Vol. 7, Issue 48, File 13.
• Stopping the Flood, Avi Freedman. ISP Tech Talk, March 1997.
• SYN Cookies, Dan Bernstein.

Apr 21

Routing Security

Apr 23

Security for Ad Hoc Networks (Powerpoint)

• H Yang, H Y. Luo, F Ye, S W. Lu, and L Zhang, "Security in Mobile Ad Hoc Networks: Challenges and Solutions" (2004). IEEE Wireless Communications. 11 (1), pp. 38-47. (optional)
• D. Djenouri, L. Khelladi and A.N. Badache. "A Survey of Security Issues in Mobile Ad Hoc and Sensor Networks", Communications Surveys & Tutorials, IEEE, Vol. 7, Issue 4, pp. 2-28, Fourth Quarter 2005.
• Yih-Chun Hu , Adrian Perrig, "A Survey of Secure Wireless Ad Hoc Routing", IEEE Security and Privacy, v.2 n.3, p.28-39, May 2004 (optional)

Apr 28

Privacy

• Who Goes There?: Authentication Through the Lens of Privacy, National Academies Press, 2003. Chapter 3. (The HTML version is much more readable than the "full text" version.)

Apr 30

DNS Security

• A Look Back at "Security Problems in the TCP/IP Protocol Suite", Steven M. Bellovin, invited paper, "classic papers" session, 20th Annual Computer Security Applications Conference, December 2004.
• "DNS and BIND Security Issues", Paul Vixie, Proceedings of the Fifth Usenix Unix Security Symposium, 1995.
• Steven M. Bellovin, "Using the Domain Name System for System Break-Ins", in Proceedings of the Fifth Usenix Unix Security Symposium, June, 1995.
• Derek Atkins and Rob Austein, Threat Analysis of the Domain Name System (DNS), RFC 3833, August 2004.

May 12, 1:10-4:00

Final exam

Updated Monday, 19-Jan-2009 21:39:17 EST
This work by Steven M. Bellovin is licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.