Welcome to the course! Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014.


Goals

You are familiar with the fundamental concepts and models of information security. You can analyze threats, know common security technologies, and understand how they can be applied to protect against the threats. You are able to participate in practical security work
Understand the limitations of security technologies to use them right
Be aware of many pitfalls in security engineering
Some hands-on experience of software security
Learn the adversarial mindset of security engineering
Starting point for learning more


My background

Lecturer: Tuomas Aura
  – Professor at Aalto 2008–
  – Microsoft Research, UK, 2001–2009
  – PhD from Helsinki University of Technology in 2000
Research areas:
  – Security of new technologies
  – Security protocol engineering
  – Security for ubiquitous computing, e.g. displays
  – Network protocol security, DoS resistance
  – NFC applications, ticketing and payment
  – Privacy of mobile users
  – Security of mobility protocols (Mobile IPv6, SEND, etc.)


Lectures

Lecturer: Tuomas Aura
12 lectures in Sep-Oct 2014
  – Tuesdays 12:15-14 T1
  – Thursdays 14:15-16 AS1 (TUAS building)
Attendance not mandatory but some material will only be covered in the lectures
Lecture slides published in Noppa after each lecture
  – Published slides include some additional pages not covered in the lectures
No tutorial or exercise sessions to attend


Exercises

Goal: broadening the scope of the course with hands-on experience especially in software security
  – Different from the content covered in the lectures and exam
6 exercise rounds, starting next week, continuing to exam week
Exercise problems in Noppa by Sunday each week (first round on 19 September)
Deadline on the following Sunday 23:59. Reports to be returned to Rubyric
Course assistants
  – Markku Antikainen and Elena Oat
  – email: [email protected]
Course assistants available for advice in the Playroom:
  – Tuesdays, Wednesdays and Thursdays at 16:15-18 in room A120


Advice for the exercises

Programming skills are a prerequisite for this course
Try to solve all problems at least partly
Each exercise round has (a) and (b) parts, each worth 5 points. If you find the exercises hard, try to do the (a) part in every round as well as you can!
Individual work: It is ok to discuss with other students but do not copy or even read the written solutions of other students. Do all practical experiments independently
If you quote any text written by someone else, mark it clearly as a ”quotation” and give the source, e.g. [RFC 1234, section 5.6.7]


Assessment

Examination Thu 34 Oct 2014 at 13:00-16:00 in T1
Remember to register for the exam two weeks earlier!
Examination scope: lectures, recommended reading material, exercises, good general knowledge of the topic area
Marking:
  – exam max. 30 points
  – exercises max 6 x 10 = 60 points
  – grading based on total points = exam + roundup(exercises / 5) (total max 30+12=42 points)
Exercises are not mandatory but strongly recommended
  – Try to do at least the (a) part of each exercise round. If you find the workload too high, not doing the (b) parts will cost some points, but you should still be able to pass the course
Course feedback is mandatory


Approximate course contents

1. Computer security overview
2. Access control models and policies
3. Operating system security
4. Cryptography
5. User authentication
6. Threat analysis
7. Certificates and network security
8. Data encryption
9. Identity management
10. Privacy
11. Payment systems


Recommended reading

Dieter Gollmann, Computer Security, 3rd ed., 2011 (good overview)
Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed., 2008 (fun real-life stories)
Matt Bishop, Introduction to computer security, 2004/2005 (for research students)


Course development

In 2014, the course got a new code CSE-C3400 Information Security
  – Optional course for Bachelor students, mandatory for some first-year Master students
  – From 3 cr to 5 cr
  – Increased the workload of the exercises, emphasis on software security
  – Several lectures updated
About student feedback in the previous years:
  – Students like the hands-on exercises. We have increased their weight in the course.
  – Some found the exercises to be a lot of work, others way too easy. Now each exercise has (a) and (b) parts, and doing just the (a) part is sufficient to pass the course.
  – More points given for the exercises to match the workload.
  – There is a fine line between the course assistant giving advice on the exercises and giving you the solution outright. We’ll try to find the right balance.
  – Students liked discussion in the lectures. Please do continue to tell about your experiences and do ask questions.
  – Some slides are in the handouts but not shown during lectures. This is intentional. They are supporting material.