The University of Sheffield
Department of Computer Science

COM6014 Fundamental Security Properties and Mechanisms

Summary This wide-ranging module covers some fundamental concepts, properties, and mechanisms in security, e.g. identity, authentication, confidentiality, privacy, anonymity, availability and integrity. Cryptographic algorithms are explored together with major attacks (using a break-understand-and-fix approach). High level security protocols are explored (passwords, graphical passwords, key distribution and authentication protocols) together with some rigorous mechanisms for reasoning about their correctness (e.g. belief logics). Other mechanisms such as biometric authentication are also covered.
Session Autumn 2021/22
Credits 15
Assessment
  • Assignment 1: Cryptographic analysis task
  • Assignment 2: System cybersecurity report
  • Assignment 3: Podcast
Lecturer(s) Professor John Clark
Resources
Aims

This unit aims to:

  • A1 provide the student with an understanding of fundamental security properties that we desire to maintain and why they are important and of the principal security mechanisms used to uphold these properties;
  • A2 develop an understanding of important security strength criteria, an appreciation of the sources of confidence that are associated with specific security mechanisms, and the ability to calculate or otherwise determine the strength of specific mechanisms in their deployed context - We will address quantitative criteria (e.g. for cryptographic elements) and qualitative approaches (e.g. some formal methods for protocol proofs of correctness);
  • A3 develop the analysis and synthesis skills necessary to identify important threats to systems under examination, evaluate the degree to which threats to systems are countered, and propose countermeasures or appropriate changes to countermeasures to achieve effective and efficient risk reduction;
  • A4 enhance the communication and professional skills of the student;
  • A5 familiarise the student with the contextual issues relevant to the topics taught - professional, legal, ethical, political etc.
Objectives

By the end of the unit, a candidate will be able to:

  • LO1 [A1] explain what the major system security properties are, why they are important, and what mechanisms are available to support them;
  • LO2 [A2] describe security strength criteria for specific mechanisms, explain the rationale behind them, and determine the strength of specific mechanisms;
  • LO3 [A3] analyse deployed mechanisms, identify weaknesses in them, and demonstrate how they can be exploited;
  • LO4 [A3] choose suitable security requirements and mechanisms in a variety of system contexts and justify those choices;
  • LO5 [A4] independently research material relevant to the module and communicate findings to a non-specialist audience
  • LO6 [A5] articulate the contextual issues (professional, legal, ethical, political etc) that apply
Content

Security​ ​properties and mechanisms

  • Confidentiality,​ ​Integrity,​ ​Availability,​ ​Anonymity,​ ​Non-repudiation,​ ​Privacy​ ​etc.
  • Identification​ ​and​ ​Authentication:
  • Password​ ​systems,​ ​graphical​ ​passwords​ ​systems,​ ​biometrics,​ ​CAPTCHAs,​ ​etc
  • Social​ ​engineering​ ​attacks.

Access​ ​Control: MAC and DAC etc.

Modern​ ​cryptography:

  • Stream​ ​cipher​ ​basics.​ ​Divide​ ​and​ ​conquer​ ​correlation​ ​attacks.
  • Block​ ​ciphers​.
  • Modes​ ​of​ ​encryption:​ ​Code​ ​Book,​ ​CFB,​ ​OFB,​ ​CBC.
  • Attacks​ ​on​ ​cryptographic​ ​algorithms:​ ​linear​ ​cryptanalysis,​ ​differential cryptanalysis
  • Public​ ​key​ ​algorithms.
  • Cryptographic​ ​hash​ ​functions.
  • Power,​ ​timing, attacks
  • Brute​ ​force​ ​potential.​ ​The​ ​rise​ ​of​ ​compute​ ​power.
  • The​ ​threat​ ​from​ ​quantum​ ​computing.​
  • Quantum​ ​key​ ​distribution​ ​protocols.

Security Protocols:

  • What are security protocols?
  • Uses in one-way and two-way authentication, key distribution, and the like.
  • Proofs of claims: belief and knowledge approaches, model checking approaches,
  • synthesis of provably correct protocols.
Teaching Method
  • 10 hours of online materials. These content delivery elements will cover theoretical and practical aspects but also act as an index to referenced materials. All LOs except LO5. Detail provided by referenced materials.
  • 8 hours (4 x 2 hours) practical sessions on cryptography related aspects. - This addresses LO1, LO2, LO3 and LO4. Students have to implement attacks and analyses which exposes strengths and weakness of mechanisms;
  • 8 hours (4 x 2 hours) practical sessions on the non-cryptographic aspects. - This addresses LO1, LO2, LO3, LO4, LO6;
  • 10 hours (5 x 2 hours) seminars/discussions - Addresses all LOs except LO5;
  • 116 hours of independent study of supporting referenced materials. Wherever possible referenced materials will be freely available on the web. Students are expected to read around the subject. Independent study is an important component of the module. -Addresses all LOs.
Feedback Blackboard quiz results will be immediate. Podcast assignments marked using published criteria, submission commented and returned by Blackboard within 3 weeks. Formative feedback will be provided by: a) online quizzes or multiple choice quizzes; b) surgery hours by teaching staff; c) verbal feedback in practical sessions.
Recommended Reading See module web pages. Almost all supporting materials should be available from the web.