Tuomas Aura Aalto University T-110.4206 Information Security Technology Aalto University, autumn 2012

Tuomas Aura, Aalto University

T-110.4206 Information Security Technology

Aalto University, autumn 2012

My background
Lecturer: Tuomas Aura
– PhD from Helsinki University of Technology in 2000
– Microsoft Research, UK, 2001–2009
– Professor at Aalto 2008–
Research areas:
– Network security
– DoS resistance
– Privacy of mobile users
– Security protocol engineering
– Security of mobility protocols (Mobile IPv6, SEND, etc.)
– Ticketing and payment

Lectures
Lecturer: Tuomas Aura
12 lectures in Sep-Oct 2011
– Wednesdays 14:15-16 T1
– Thursdays 14:15-16 TU1
Attendance not mandatory but some material will only be covered in the lectures
No tutorial or exercise sessions to attend

Exercises
6 exercise rounds, starting next week
Exercise problems in Noppa by Sunday each week (first round on 16 September)
Deadline on the following Sunday 23:59; reports to be returned to Rubyric
Course assistants
– Aapo Kalliola and Jaakko Salo
– email: [email protected]
Course assistants available in the Playroom for advice and equipment:
– Wednesdays 16:15-18 room A120
– Thursdays 16:15-18 room A120

Advice for exercises
Try to solve all problems at least partly
Individual work: It is ok to discuss with other students but do not copy or even read the written solutions of other students. Do all practical experiments independently
If you quote any text written by someone else, mark it clearly as a "quotation" and give the source, e.g. [RFC 1234, section 5.6.7]

Assessment
First examination Thu 25 Oct 2012 at 09:00-12:00 in T1
Remember to register for the exam two weeks earlier!
Examination scope: lectures, recommended reading material, exercises, good general knowledge of the topic area
Exercises are not mandatory but strongly recommended
Marking:
– exam max. 30 points
– exercises max 6 x 10 = 60 points
– grading based on total points = exam + (exercises / 10) (total max 30+6=36 points)
Course feedback is mandatory

Goals
You are familiar with the fundamental concepts and models of information security. You can analyze threats, know common security technologies, and understand how they can be applied to protect against the threats. You are able to participate in practical security work
Understand the limitations of security technologies to use them right
Be aware of the pitfalls in security engineering: security is not just mathematics or just code
Starting point for learning more
Learn the adversarial mindset of security engineering

Approximate course contents

1. Computer security overview
2. Access control models and policies
3. User authentication
4. Operating system security
5. Applied cryptography
6. Certificates and network security
7. Encrypting stored data
8. Software security
9. Identity management
10. Threat modeling
11. Security regulation and management
12. Payment systems

Recommended reading
Dieter Gollmann, Computer Security, 3rd ed., 2011 (good overview)
Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed., 2008 (fun real-life stories)
Matt Bishop, Introduction to computer security, 2005 (for research students)

Course development
No major changes to the course content this year. Some updates to the content.
Based on student feedback, this course was the 2nd most liked large course (over 50 students) in computer science in the year 2011-12
What has or has not changed based on student feedback?
– Students liked the hands-on exercises. Only minor changes made to last year.
– Students liked discussions in the lectures. Please do continue to tell about your experiences and do ask questions.
– For some students, the exercises are easy. — True, the exercises are planned not to take much time. The reporting was simplified for this reason last year. In the future, we plan to increase the credits and add more demanding projects.
– The exercise topics are different from the lectures and the exercises do not prepare the students for the exam. — This is true. The hands-on exercises are designed to broaden the scope of the course.
– The exercises are not fully in sync with the lectures. — True. Let's see if we can improve this.
– Some students would want to have the lecture slides in advance. Ok, I may publish some slides in advance but only some. The slides are typically not ready until 5 minutes before the lecture.
Other notes:
– Some slides are in the handouts but not shown during lectures. This is intentional. There is more material in the handouts than can be covered in the lectures.
– We will try to publish the exercise questions some days earlier than last year. However, course assistants can usually only set up and maintain the equipment for one exercise round at a time.
