COMP 5407W (Winter 2019): Authentication and Software Security [A, S]

Course web site for updates:
Last updated: 16 Mar 2019. Comments to: paulv (insert @ here)

Overview. The course explores computer security from the perspective of authentication and software security in the evolving Internet, with special focus (Jan-Apr 2019) on Internet of Things (IoT) security. Case studies drive home principles and provide exposure to open research problems related to: password-based user authentication and alternatives; password-authenticated key exchange (PAKE) protocols; browser-server authentication (TLS 1.3) and trust models; certificate-based infrastructure (for TLS, secure email); secure email (S/MIME, PGP, cloud); IoT security (onboarding, authentication infrastructure, software updates).

Objectives. The aim for students new to security is to sufficient background to gain an understanding of important issues and solution approaches. For students with existing security background, the course provides a springboard for research and exposure to important current problems.

Essential Details: References and Sources. Content will include material presented in class (students are thus expected to attend all classes), research papers (online), and reference book chapters (access to chapters of a draft book, via cuLearn). Students are also encouraged to obtain (optional): The Internet of Risky Things (S. Smith, 2017; O'Reilly). For students wishing to brush up on background reading, recommendations include Stallings and Brown (4/e, 2017) and Gollman (2011) among others found on this list. No specific access to computing labs should be required, but labs in the Herzberg Building require a Carleton University Campus Card, with access based on the courses you are registered in.

cuLearn. Carleton students registered in this course should automatically have access to cuLearn. UofO students will need to fill out the form found here in order to get access. This information has also been mailed to all registered OttawaU students on 4 January 2019; if you did not receive it, please check with your University of Ottawa administrator.

University Policies. See the bottom of this page.

Detailed Topics. A preliminary plan for the Jan-Apr 2019 term follows (these are representative; to be updated over the term).

  • Classes 1-4 (Jan.8, 10, 15, 17): User authentication: passwords and alternatives. Begin Project 1 immediately (see above).
    Background: book chapter 3 (available via cuLearn for registered students).
    An Administrator's Guide to Internet Password Research (USENIX LISA, 2014).
    The Quest to Replace Passwords (IEEE Oakland, 2012).

  • Classes 5-8 (Jan.22, 24, 29, 31): Password-authenticated key exchange (PAKE) protocols.
    Background: book chapter 4.
    EKE: Password-Based Protocols Secure Against Dictionary Attack (IEEE S&P 1992).
    SPEKE: Strong Password-Only Authenticated Key Exchange (ACM Computer Commns Review, Oct.1996).
    Secure modular password authentication for the web using channel bindings (SSR 2014)
    Supplementary papers:
    SPEKE follow-up (WET-ICE 1997): Extended Password Key Exchange Protocols Immune to Dictionary Attack.
    SRP: The Secure Remote Password Protocol (NDSS 1998), and related IETF RFCs.
    J-PAKE: Authenticated Key Exchange without PKI (Hao, Ryan, 2010).

  • Classes 9-12 (Feb.5, 7, 12, 14): Public-key certificates, browser trust models and HTTPS infrastructure. Project 1 is due in class Feb.14 (hard copy).
    Background: book chapter 8 and section 9.2 (TLS 1.3).
    The Inconvenient Truth about Web Certificates (WEIS 2011).
    Security Collapse in the HTTPS Market (C.ACM 57(10)47-55, Oct.2014).
    Certificate Transparency (Laurie; CACM Oct.2014); see also IETF RFC 6962 and Google's project site.
    Supplementary: Analysis of the HTTPS Certificate Ecosystem (IMC 2013), and
    Evaluating Web PKIs (J. Yu, M. Ryan, 2017), Chapter 7 in Software Architectures for Big Data and the Cloud.
    Additional background: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements (IEEE Oakland, 2013) [omit section III].

  • Class 13-14 (Feb.26, 28): Secure email and support infrastructure (PGP, S/MIME, online/cloud services), past, present, future. Project 2 topic proposal due: Feb.28.
    Background: book chapter 8.6, also PGP guide (Zimmermann).
    Securing email (Clark et al., preprint 2018).
    I'm throwing in the towel on PGP (Filippo Valsorda, arsTechnica 2016).
    A Tour of the Automatic Certificate Management Environment (ACME) (McCarney, Internet Protocol Journal, Jun 2017).
    Supplementary: Enhanced certificate transparency and end-to-end encrypted email, M. Ryan (NDSS 2014); and
    infrastructure measurement studies on TLS-secured email.

  • Class 15 (Mar.5): Term Test (in class). Up to and including Class 14 material.

  • Classes 16-19 (Mar.7, 12, 14, 19): Internet of Things security.
    Selected literature; The Internet of Risky Things (S. Smith, 2017; O'Reilly).

  • Classes 20-24 (Mar.21-Apr.4): Project 2 student presentations (see above). The papers forming the basis of the project must include papers from the big-four security conferences during 2016-2018: IEEE Symp. Security & Privacy, ACM CCS, USENIX Security, ISOC NDSS.
    Class 20 (Mar. 21): Christopher Bennett (Diffie-Hellman in practice and small subgroup atacks).
    Class 21 (Mar. 26): Sehajpreet Teneja (Secure messaging and secure email).
    Class 22 (Mar. 28): Daniel Afriyie (HTTPS/TLS interception)..
    Class 23 (Apr. 2): Khadija Osman (IoT authentication and access control).
    Class 24 (Apr. 4): Michael Vezina (J-PAKE and related issues).

  • Class 25 (Apr.9): Project 2 final written report: hard copy due at start of class.

    === University Policies (start) ===
    Requests for Academic Accommodation: You may need special arrangements to meet your academic obligations during the term. For an accommodation request, the processes are as follows:
    Pregnancy Obligation: Please contact your instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to exist. For more details, visit the Equity Services website:
    Religious Obligation: Please contact your instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to exist. For more details, visit the Equity Services website:
    Academic Accommodations for Students with Disabilities: If you have a documented disability requiring academic accommodations in this course, please contact the Paul Menton Centre for Students with Disabilities (PMC) at 613-520-6608 or for a formal evaluation or contact your PMC coordinator to send your instructor your Letter of Accommodation at the beginning of the term. You must also contact the PMC no later than two weeks before the first in-class scheduled test or exam requiring accommodation (if applicable). After requesting accommodation from PMC, meet with your instructor as soon as possible to ensure accommodation arrangements are made.
    Survivors of Sexual Violence: As a community, Carleton University is committed to maintaining a positive learning, working and living environment where sexual violence will not be tolerated, and survivors are supported through academic accommodations as per Carleton's Sexual Violence Policy. For more information about the services available at the university and to obtain information about sexual violence and/or support, visit:
    Accommodation for Student Activities Carleton University recognizes the substantial benefits, both to the individual student and for the university, that result from a student participating in activities beyond the classroom experience. Reasonable accommodation must be provided to students who compete or perform at the national or international level. Please contact your instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to exist.
    Additional policies:
    Medical Certificate: The official medical certificate (form) accepted by Carleton University for the deferral of final examinations or assignments in undergraduate courses can be accessed from:
    Student Academic Integrity Policy. Every student should be familiar with the Carleton University student academic integrity policy. A student found in violation of academic integrity standards may be awarded penalties which range from a reprimand to receiving a grade of F in the course or even being expelled from the program or University. Some examples of offences are: plagiarism and unauthorized co-operation or collaboration. Information on this policy may be found in the Undergraduate Calendar.
    Plagiarism. As defined by Senate, "plagiarism is presenting, whether intentional or not, the ideas, expression of ideas or work of others as one's own". Reported offences will be reviewed by the office of the Dean of Science.
    Unauthorized Co-operation or Collaboration. Senate policy states that "to ensure fairness and equity in assessment of term work, students shall not co-operate or collaborate in the completion of an academic assignment, in whole or in part, when the instructor has indicated that the assignment is to be completed on an individual basis". Please refer to the course outline statement or the instructor concerning this issue.
    COMP 5407 addendum:
    Beyond any other standard university policies, any student submitting work including uncited portions originating from someone else, is subject to a mark of negative 100% on the entire work item. For example, if an assignment is worth 10%, the 10% is lost plus an additional 10% penalty, making the best possible course mark 80%. Both students may be penalized if the infraction involves copying from another student. Each student must write up submitted work individually unless explicitly allowed otherwise per official instructions (e.g., in group-based assignments).

    === Policies (end) ===