Welcome to the course Tuomas Aura CSEC 3400

Welcome to the course! Tuomas Aura CSE-C 3400 Information security Aalto University, autumn 2014

Goals § You are familiar with the fundamental concepts and models of information security. You can analyze threats, know common security technologies, and understand how they can be applied to protect against the threats. You are able to participate in practical security work § Understand the limitations of security technologies to use them right § Be aware of many pitfalls in security engineering § Some hands-on experience of software security § Learn the adversarial mindset of security engineering § Starting point for learning more 2

My background § Lecturer: Tuomas Aura – Professor at Aalto 2008– – Microsoft Research, UK, 2001– 2009 – Ph. D from Helsinki University of Technology in 2000 § Research areas: – Security of new technologies – Security protocol engineering – Security for ubiquitous computing, e. g. displays – Network protocol security, Do. S resistance – NFC applications, ticketing and payment – Privacy of mobile users – Security of mobility protocols (Mobile IPv 6, SEND, etc. ) 3

Lectures § Lecturer: Tuomas Aura § 12 lectures in Sep-Oct 2014 – Tuesdays 12: 15 -14 T 1 – Thursdays 14: 15 -16 AS 1 (TUAS building) § Attendance not mandatory but some material will only be covered in the lectures § Lecture slides published in Noppa after each lecture – Published slides include some additional pages not covered in the lectures § No tutorial or exercise sessions to attend 4

Exercises § Goal: broadening the scope of the course with hands-on experience especially in software security – Different from the content covered in the lectures and exam § 6 exercise rounds, starting next week, continuing to exam week § Exercise problems in Noppa by Sunday each week (first round on 19 September) § Deadline on the following Sunday 23: 59. Reports to be returned to Rubyric § Course assistants – Markku Antikainen and Elena Oat – email: t-110. 4206@tkk. fi § Course assistants available for advice in the Playroom: – Tuesday, Wednesdays and Thursday at 16: 15 -18 in room A 120 5

Advice for the exercises § Programming skills are a prerequisite for this course § Try to solve all problems at least partly § Each exercise round has (a) and (b) parts, each worth 5 points. If you find the exercises hard, try to do the (a) part in every round as well as you can! § Individual work: It is ok to discuss with other students but do not copy or even read the written solutions of other students. Do all practical experiments independently § If you quote any text written by someone else, mark it clearly as a ”quotation” and give the source, e. g. [RFC 1234, section 5. 6. 7] 6

Assessment § Examination Thu 34 Oct 2014 at 13: 00 -16: 00 in T 1 Remember to register for the exam two weeks earlier! § Examination scope: lectures, recommended reading material, exercises, good general knowledge of the topic area § Marking: – exam max. 30 points – exercises max 6 x 10 = 60 points – grading based on total points = exam + roundup(exercises / 5) (total max 30+12=42 points) § Exercises are not mandatory but strongly recommended – Try to do at least the (a) part of each exercise round. If you find the workload too high, not doing the (b) parts will cost some points, but you should still be able to pass the course § Course feedback is mandatory 7

Approximate course contents 1. Computer security overview 2. Access control models and policies 3. Operating system security 4. Cryptography 5. User authentication 6. Threat analysis 7. Certificates and network security 8. Data encryption 9. Identity management 10. Privacy 11. Payment systems Up dat ed 8

Recommended reading § Dieter Gollmann, Computer Security, 3 rd ed. , 2011 (good overview) § Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2 nd ed. , 2008 (fun real-life stories) § Matt Bishop, Introduction to computer security, 2004/2005 (for research students) 9

Course development § In 2014, the course got a new code CSE-C 3400 Information Security – Optional course for Bachelor students, mandatory for some first-year Master students – From 3 cr to 5 cr – Increased the workload of the exercises, emphasis on software security – Several lectures updated § About student feedback in the previous years: – Students like the hands-on exercise. We have increased their weight in the course. – Some found the exercises to be a lot of work, others way too easy. Now each exercise has (a) and (b) parts, and doing just the (a) part is sufficient to pass the course. – More points given for the exercises to match the workload. – There is a fine line between the course assistant giving advice on the exercises and giving you the solution outright. We’ll try to find the right balance. – Students liked discussion in the lectures. Please do continue to tell about your experiences and do ask questions. – Some slides are in the handouts but not shown during lectures. This is intentional. They are supporting material. 10