COMP 5407W (Winter 2019): Authentication and Software Security [A, S]
Course web site for updates: http://people.scs.carleton.ca/~paulv/5407jan2019.html
Last updated: 16 Mar 2019.
Comments to: paulv (insert @ here) scs.carleton.ca
Overview. The course explores computer security from the perspective of
authentication and software security in the evolving Internet,
with special focus (Jan-Apr 2019) on Internet of Things (IoT) security.
Case studies drive home principles and provide exposure
to open research problems related to:
password-based user authentication and alternatives;
password-authenticated key exchange (PAKE) protocols;
browser-server authentication (TLS 1.3) and trust models;
certificate-based infrastructure (for TLS, secure email);
secure email (S/MIME, PGP, cloud);
IoT security (onboarding, authentication infrastructure, software updates).
Objectives. The aim for students new to security is to provide sufficient background to gain
an understanding of important issues and solution approaches.
For students with existing security background, the course provides
a springboard for research and exposure to important current problems.
Essential Details:
- Class times: 10:00-11:30, Tues+Thurs (Jan.8 to Apr.9, 2019; Feb.18-22 is winter break)
- Location: 317 SA (Southam Hall), Carleton University
- Instructor: Professor P. Van Oorschot
- Office hours: TR 11:30-12:30, 5173HP
- Prerequisites: COMP 3000 (operating systems) or equivalent, recommended COMP 4108 (computer systems security) or equivalent. Otherwise requires instructor permission.
- Course Text: (optional) The Internet of Risky Things (2017). See additional information below.
- Marking Scheme (dates are firm - please plan in advance):
30% Project 1: hard-copy due Thurs Feb.14 in class.
The report (at most 20 pages) is a technical summary of software
security "incidents", e.g., major vulnerabilities that have been exploited.
There are two options.
Option A: IoT security specifically, 3 incidents past 12 months + IoT overview.
Option B: software security in general, 4 incidents over Jan.9-Feb.5 2019.
Click here for full Project1 details.
30% Midterm test: Tues. Mar.5 (in class); covers all material up to test date.
40% Project 2 (Research Summary Paper; proposal due Feb.28, final hard-copy due in class Tues. Apr.9)
= (10% for in-class presentation + participation during other presentations; 30% for written report).
Full details are now provided (click here).
References and Sources.
Content will include material presented in class (students are thus expected to attend all classes),
research papers (online), and
reference book chapters (access to chapters of a draft book, via cuLearn).
Students are also encouraged to obtain (optional):
The Internet of Risky Things (S. Smith, 2017; O'Reilly).
For students wishing to brush up on background reading, recommendations include
Stallings and Brown (4/e, 2017) and Gollmann (2011) among others found on this list.
No specific access to computing labs should be required,
but labs in the Herzberg Building require a
Carleton University Campus Card,
with access based on the courses you are registered in.
cuLearn.
Carleton students registered in this course should automatically have
access to cuLearn.
UofO students will need to fill out the form found here
in order to get access. This information has also been mailed to all
registered OttawaU students on 4 January 2019; if you did not receive
it, please check with your University of Ottawa administrator.
University Policies.
See the bottom of this page.
Detailed Topics.
A preliminary plan for the Jan-Apr 2019 term follows
(these are representative; to be updated over the term).
Classes 1-4 (Jan.8, 10, 15, 17): User authentication: passwords and alternatives.
Begin Project 1 immediately (see above).
Background: book chapter 3 (available via cuLearn for registered students).
An Administrator's Guide to Internet Password Research (USENIX LISA, 2014).
The Quest to Replace Passwords (IEEE Oakland, 2012).
Classes 5-8 (Jan.22, 24, 29, 31): Password-authenticated key exchange (PAKE) protocols.
Background: book chapter 4.
EKE: Password-Based Protocols Secure Against Dictionary Attack (IEEE S&P 1992).
SPEKE: Strong Password-Only Authenticated Key Exchange (ACM Computer Commns Review, Oct.1996).
Secure modular password authentication for the web using channel bindings (SSR 2014).
Supplementary papers:
SPEKE follow-up (WET-ICE 1997): Extended Password Key Exchange Protocols Immune to Dictionary Attack.
SRP:
The Secure Remote Password Protocol (NDSS 1998),
and related IETF RFCs.
J-PAKE: Authenticated Key Exchange without PKI (Hao, Ryan, 2010).
Classes 9-12 (Feb.5, 7, 12, 14): Public-key certificates, browser trust models and HTTPS infrastructure.
Project 1 is due in class Feb.14 (hard copy).
Background: book chapter 8 and section 9.2 (TLS 1.3).
The Inconvenient Truth about Web Certificates (WEIS 2011).
Security Collapse in the HTTPS Market (C.ACM 57(10):47-55, Oct.2014).
Certificate Transparency (Laurie; CACM Oct.2014);
see also IETF RFC 6962 and Google's project site.
Supplementary:
Analysis of the HTTPS Certificate Ecosystem (IMC 2013), and
Evaluating Web PKIs (J. Yu, M. Ryan, 2017), Chapter 7 in
Software Architectures for Big Data and the Cloud.
Additional background:
SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements
(IEEE Oakland, 2013) [omit section III].
Classes 13-14 (Feb.26, 28):
Secure email and support infrastructure (PGP, S/MIME, online/cloud services),
past, present, future.
Project 2 topic proposal due: Feb.28.
Background: book chapter 8.6, also PGP guide (Zimmermann).
Securing email (Clark et al., preprint 2018).
I'm throwing in the towel on PGP (Filippo Valsorda, Ars Technica 2016).
A Tour of the Automatic Certificate Management Environment (ACME)
(McCarney, Internet Protocol Journal, Jun 2017).
Supplementary:
Enhanced certificate transparency and end-to-end encrypted email, M. Ryan (NDSS 2014);
and infrastructure measurement studies on TLS-secured email.
Class 15 (Mar.5): Term Test (in class). Up to and including Class 14 material.
Classes 16-19 (Mar.7, 12, 14, 19): Internet of Things security.
Selected literature; The Internet of Risky Things (S. Smith, 2017; O'Reilly).
Classes 20-24 (Mar.21-Apr.4): Project 2 student presentations (see above).
The papers forming the basis of the project must include
papers from the big-four security conferences during 2016-2018:
IEEE Symp. Security & Privacy, ACM CCS, USENIX Security, ISOC NDSS.
Class 20 (Mar. 21): Christopher Bennett (Diffie-Hellman in practice and small subgroup attacks).
Class 21 (Mar. 26): Sehajpreet Teneja (Secure messaging and secure email).
Class 22 (Mar. 28): Daniel Afriyie (HTTPS/TLS interception).
Class 23 (Apr. 2): Khadija Osman (IoT authentication and access control).
Class 24 (Apr. 4): Michael Vezina (J-PAKE and related issues).
Class 25 (Apr.9): Project 2 final written report: hard copy due at start of class.
=== University Policies (start) ===
Requests for Academic Accommodation:
You may need special arrangements to meet your academic obligations
during the term. For an accommodation request, the processes are as
follows:
Pregnancy Obligation:
Please contact your instructor with any requests for academic
accommodation during the first two weeks of class, or as soon as
possible after the need for accommodation is known to exist. For more
details, visit the Equity Services website:
carleton.ca/equity/wp-content/uploads/Student-Guide-to-Academic-Accommodation.pdf
Religious Obligation:
Please contact your instructor with any requests for academic
accommodation during the first two weeks of class, or as soon as
possible after the need for accommodation is known to exist. For more
details, visit the Equity Services website:
carleton.ca/equity/wp-content/uploads/Student-Guide-to-Academic-Accommodation.pdf
Academic Accommodations for Students with Disabilities:
If you have a documented disability requiring academic accommodations in
this course, please contact the Paul Menton Centre for Students with
Disabilities (PMC) at 613-520-6608 or pmc@carleton.ca for a formal
evaluation or contact your PMC coordinator to send your instructor your
Letter of Accommodation at the beginning of the term. You must also
contact the PMC no later than two weeks before the first in-class
scheduled test or exam requiring accommodation (if applicable). After
requesting accommodation from PMC, meet with your instructor as soon as
possible to ensure accommodation arrangements are made. carleton.ca/pmc
Survivors of Sexual Violence:
As a community, Carleton University is committed to maintaining a
positive learning, working and living environment where sexual violence
will not be tolerated, and survivors are supported through academic
accommodations as per Carleton's Sexual Violence Policy. For more
information about the services available at the university and to obtain
information about sexual violence and/or support, visit:
carleton.ca/sexual-violence-support
Accommodation for Student Activities
Carleton University recognizes the substantial benefits, both to the
individual student and for the university, that result from a student
participating in activities beyond the classroom experience. Reasonable
accommodation must be provided to students who compete or perform at the
national or international level. Please contact your instructor with any
requests for academic accommodation during the first two weeks of class,
or as soon as possible after the need for accommodation is known to
exist.
https://carleton.ca/senate/wp-content/uploads/Accommodation-for-Student-Activities-1.pdf
Additional policies:
Medical Certificate:
The official medical certificate (form) accepted by Carleton
University for the deferral of final examinations or assignments in
undergraduate courses can be accessed from:
http://www.carleton.ca/registrar/forms
Student Academic Integrity Policy.
Every student should be familiar with the Carleton University student
academic integrity policy. A student found in violation of academic
integrity standards may be awarded penalties which range from a
reprimand to receiving a grade of F in the course or even being expelled
from the program or University. Some examples of offences are:
plagiarism and unauthorized co-operation or collaboration. Information
on this policy may be found in the Undergraduate Calendar.
Plagiarism.
As defined by Senate, "plagiarism is presenting, whether
intentional or not, the ideas, expression of ideas or work of others as
one's own". Reported offences will be reviewed by the office of the Dean
of Science.
Unauthorized Co-operation or Collaboration.
Senate policy states that "to
ensure fairness and equity in assessment of term work, students shall
not co-operate or collaborate in the completion of an academic
assignment, in whole or in part, when the instructor has indicated that
the assignment is to be completed on an individual basis". Please refer
to the course outline statement or the instructor concerning this issue.
COMP 5407 addendum:
Beyond any other standard university policies,
any student submitting work including uncited portions originating
from someone else, is subject to a mark of negative 100%
on the entire work item. For example, if an assignment
is worth 10%, the 10% is lost plus an additional 10% penalty, making the
best possible course mark 80%.
Both students may be penalized if the infraction involves copying
from another student.
Each student must write up submitted work individually
unless explicitly allowed otherwise per official instructions
(e.g., in group-based assignments).
=== Policies (end) ===