Contact Information:

10:00AM - 10:00 PM EST
717-329-9836
717-258-5693
cto@infosec-technologies.com
crypto@gwu.edu
www.infosec-technologies.com

Kaufman, Perlman and Speciner, (NS) Network Security: Private Communication in a Public World (2nd ed). Upper Saddle River, NJ: Prentice Hall, 2002. [ISBN: 0-13-046019-2]

Pfleeger, C. P, (SC) Security in Computing (3rd ed). Upper Saddle River, NJ: Prentice Hall, 2003. [ISBN: 0-13-337468-6]

American Psychological Association, Publication manual of the American Psychological Association (5th ed.). Washington, D.C.: APA. [ISBN: 1-55798-791-2]

Note: Required Textbooks are available and ready to ship, online, at the MBS (Missouri Book Store), which can be accessed at www.umuc.edu/bookstore.

Cryptography Decrypted (CD) by H.X. Mel and Doris Baker, Addison Wesley, April 2001. [ISBN 0-201-61647-5] My students tell me that this a winner and one of the more comfortable “reads” on cryptography.

Randall K. Nichols and Panos C. Lekkas, Wireless Security, (WS) McGraw-Hill Professional Books, January 2002. [ISBN: 0-07-138038-8.] One of the most comprehensive references on the subject of wireless security design, by far.

Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, (ICE) Osborne, 2004 [ISBN:0-07-222787-7] Connecting the dots between physical and cyber-terrorism.

Bruce Schneier, Beyond Fear: Thinking Sensibly About Security In an Uncertain World, (BF) Copernicus Books, 2003. [ISBN:0-387-02620-7] One of his best works!

Course Overview and Executive Summary

Cryptography is a maturing science that has global-ranging applications in business and Government. Every commercial establishment that either markets its products internationally or uses computer networks for global communications and customer services must be concerned with protecting its information assets from a variety of attacks.

The purpose of this course to provide a practical survey of the principles, best practices, policy, and management of cryptography with respect to business and government applications, and more specifically commercial computer security systems.

As a class, we will develop a comfortable grounding in encryption systems. We will examine classical and modern systems. There will be two hands-on field exercises scheduled to demonstrate the "on-the-fire" side of encryption in the field. Class participation is very important. Team learning facilitates a better understanding of the critical issues. Individual students will be assigned a short paper for the midterm detailing one of several modern cryptographic encryption systems. The class will explore biometric systems to enhance the effectiveness of encryption systems. The class will be divided into working teams and assigned a semester long research paper on current technical / network / business / Cryptographic / Wireless / Anti-Terror / INFOWAR / or INFOSEC cryptographic issues.

• How Cryptography works and lessons from Classical Cryptography History
• Key Management
• Modern Cryptography -Authentication, Confidentiality, Data Integrity and Non-Repudiation
• RSA vs. Elliptic Curve Cryptography (ECC) crypto systems
• Secure E-Commerce and Internet Cryptography
• Public Key Infrastructure (PKI)
• Wireless Security - encryption features and standards
• Digital Signatures and Certification Authorities
• Cryptanalysis and Security of Cryptographic Systems
• Hands-on solutions to simple and moderate cryptograms
• Terrorist Cryptograms - Low Tech Codes [Brotherhood codes]; Al-Quada Communications
• Algorithms - both commercial and AES: Rijndael, GOST, Serpent, RC6, Misty, Twofish, IDEA
• SHA and Hash algorithms
• Policy decisions -PKI and COTS
• Implementation errors
• The myths of key size and crypto-strength and key escrow
• Traffic Analysis - Vertical Differentiation of Crypto Systems and Difficulties of System ID with AES Group using the ATS
• Cryptography and INFOSEC - due diligence
• Cryptography and INFOWAR - Terror
• Government / Privacy / Law Enforcement /Terrorism

1. Assess threats to stored and communicated data and vulnerabilities inherent in networked information systems that can be exploited to attack stored and communicated data.
   
2. Compare and contrast the basic mathematical characteristics of commonly available commercial cryptographic algorithms and their relative strengths and weaknesses.
   
3. Analyze various encryption techniques and their appropriate uses in the assurance of privacy, integrity, and authentication in information systems.
   
4. Distinguish among applicable cryptographic protocols and other security countermeasures and assess tradeoffs of security, performance and cost.
   
5. Assess the security impacts on cryptographic systems of technological advances in computing, networks, and telecommunications.
   
6. Evaluate the technical and non-technical issues involved with using cryptography for data protection in the burgeoning controversies surrounding security, privacy, electronic commerce, computer crime, information sharing, and cyberwar, and be able to relate these issues to their own environment wherever applicable.

According to the Graduate School’s grading policy, the following symbols are used: A = excellent;
B = good; C = passing; and F = failure.

The grade of “B” represents the benchmark for the Graduate School. It indicates that the student has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Only students who fully meet this standard and, in addition, demonstrate exceptional comprehension and application of the course subject matter earn a grade of “A.”

Students who do not meet the benchmark standard of competency fall within the “C” range or lower. They, in effect, have not met graduate level standards. Where this failure is substantial, they can earn an “F.”

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as one’s own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by following carefully accepted scholarly practices. Notes taken for papers and research projects should accurately record sources to material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism include a zero or a grade of “F” on the work in question, a grade of “F” in the course, suspension with a file letter, suspension with a transcript notation, or expulsion.

• Introductions
• Administrative and Ethics Issues
• Non-duplicated Required Bullets for each class period.
• Formation of working teams and suggestions for effective implementation; Team leader requirements

  TEAM RESEARCH PAPER Requirements and my expectations - Cryptography, INFOSEC, Network Security, AES or Cyber-Terror as Topics

• How Cryptography Works and Historical Lessons from Classical Cryptography
• Choice of Cryptographic Algorithm for Midterm
• Choice of Biometric for in-class presentation
• Download Instructions PGP for Robust Authentication

CD: (optional)
Chapter 1: Secret Key Cryptography Locks and Keys
Chapter 2: Substitution and Caesars Cipher
Chapter 3: Transposition Ciphers: Moving Around

BF: (optional)
Chapter 1: All Security Involves Trade-Offs
Chapter 2: Security Trade-Offs are Subjective

ICE: (optional)
Chapter 1: Cyber-Terrorism: Fact or Fiction?
Appendix C: Remarks on Cyber-Terrorism

BF: (optional)
Chapter 3: Security Trade-Offs Depend On Power and Agenda
Chapter 4: Systems and How they Fail

WS: (optional)
Chapter 1: Why Wireless is Different

ICE: (optional)
Chapter 2: Black-Ice Cyber-Terrorism Hidden Dangers
Appendix A: Critical Infrastructures

Topics: Lessons from Classical History: Principal of Cryptographic Universality, Basic operations - substitution and transposition, one time pads, cipher wheels, block and stream ciphers, product ciphers, cipher machines, statistical identification. Examples - Civil War, Kennedy, W.W.II, Viggy and Delastelle systems. Some insights into Pearl Harbor intelligence failure.

Class Team Exercise 1 - Construction of simple encryption system "on the fly", Use of the ENIGMA Simulation or CSP 1500; use of commercial compression codes – Bentley; comparison with modern equivalents. 2nd part: Cryptanalysis of Simple Risties and Patties.

Learning objectives (sessions 2 through 4): Students evaluate and practice basic cryptographic and cryptanalysis techniques.

***SUBMIT CHOICE OF RESEARCH TOPIC and Get Started! ***

CD: (optional)
Chapter 7: Secret Key Assurances
Chapter 8: Problems with Secret Key Exchange

BF: (optional)
Chapter 5: Knowing the Attackers
Chapter 6: Attackers never change their tunes, Just their instruments

ICE: (optional)
Chapter 3: Terror on the Wire: The Internet as a Weapon

Topics: XOR substitution, pseudorandom number generation, DES, Brief review of ISO/IEC, FIPS, PKIX, ANSI, RFCs. Problems with standards. RSA standards. International issues – Common Criteria and Certification.

Topics: a layman's introduction to both commercial algorithms and AES (especially Rijndael). Review of IDEA, DES, 3DES, RC5, and Elliptic Curve Cryptography (ECC), Comparison of hardware and software characteristics. Cryptographic systems -IFP, DLP, ECC, Security / Strength Comparisons.

CD: (optional)
Chapter 9: Public Key Cryptography: Public Exchange of Keys
Chapter 10: Confidentiality Using Keys
Chapter 11: Making Public Keys: Math Tricks
Appendixes A & B

BF: (optional)
Chapter 7 Technology creates security imbalances
Appendix B: PDD-63 at a glance

ICE: (optional)
Chapter 4: Terror on the Air: The Wireless Threat

NS: (required)
Chapter 5: Hashes and Message Digests; 5.1-5.8, 24.9

SC: (required)
Chapter 3: Program Security; 3.7.1-3.7.2, 3.10

----------------------------

CD: (optional)
Chapter 12: Creating Digital Signatures Using the Private Key
Chapter 13: Hashes: Non-Keyed message Digest

BF: (optional) (highly recommended)
Chapter 8: Security is a weakest link problem

WS: (optional) (highly recommended)
Chapter 5: Cryptographic Security

ICE: (optional) (highly recommended)
Chapter 5: Al-Quada: In search of Bin-Laden’s Hackers

Topics: Channels, ISO model, Authentication mechanisms, Identification, Secure Pipes-SSL, VPN, PKI, anonymous remailers, Internet threat model. Which layer Certificates and CA's. MD5, SHA-1, HMAC.

Class Team Exercise 2 - PGP Key exchange, shared keys and discussion of trust models or Zendian Problems cryptanalysis and Traffic Analysis problem

• Security protocols overview
• IP security
• Digital Notary Publics - Certified Time Stamping

NS: (required)
Chapter 9: Overview of Authentication Systems; 9.1-9.5
Chapter 10: Authentication of People; 10.1-10.10
Chapter 11: Security Handshake Pitfalls 11.1-11.8

SC: (required)
Chapter 4: Protection in General Purpose Operating
Systems: 4.1-4.5
Chapter 5: Designing Trusted Operating Systems; 5.1-5.6
Chapter 6: Database Security; 6.5

Topics: IPSec and applications, benefits, transport and tunnel modes. Hardware Implementations: A review of the tradeoffs -Performance, Security, Economics and Ergonomics.

Learning objectives: Students learn best practices in information security protocols.

***MIDTERM ENCRYPTION PAPERS / POWERPOINT PRESENTATIONS DUE***

(Incorporates material from modules 1-6)

Multiple Bullets Due

NS: (required)
Chapter 5: Hashes and Message Digests; 5.1-5.6,
Chapter 6: Public Key Algorithms; 6.1-6.4, 6.6-6.8

--------------------------

CD: (optional)
Chapter 14: Message Digest Assurances

BF: (optional)
Chapter 9: Brittleness makes for bad security

ICE: (optional)
Chapter 6: Web of Terror: What Al-Quada knows about the US

Topics: Digital signatures-What they are, what they do, can we trust them, document signing; X509 certificates, international issues - wide spectrum of legal responses. Legal resources from McBride-Coles.

Topics: Databases and database security. Architectures for secure databases. Clark-Wilson integrity interpretation. Inference attacks. Use of cryptography in database security.

Learning objectives: Students outline the major elements of database security

NS: (required)
Chapter 11: Security Handshake Pitfalls; 11.6-11.10,
Chapter 20: Electronic Mail Security; 20.1-20.16
Chapter 23: Firewalls; 23.1-23.7

SC: (required)
Chapter 9: Legal, Privacy, and Ethical Issues in Computer Security; 9.1-9.10

-------------------------------

CD: (optional)
Chapter 15: Comparing Secret key, Public Key and Message Digests

BF: (optional)
Chapter 10: Security revolves around people
Chapter 11: Detection works where Prevention fails
Chapter 12: Detection is Useless without Response

ICE: (optional)
Chapter 7: 9/11: The Cyber-Terrorist Attack

Topics: PGP again but with shared keys. Key exchange and discussion of trust models. Security with MIME. Exacting and robust authentication.

Learning objectives (sessions 9 & 10): Students compare costs and benefits of various security protocols and data protection standards

Class Team Exercise 3 - Improving a Virus (or worm or RAT or Web Bug) to weapons grade using encryption and random number generation. Defending against it with holistics.

CD: (optional)
Chapter 16: Digital certificates
Chapter: 17 X.509 Public Key Infrastructure

Guide: (optional)
Chapter 21: System Analysis and Identification

BF: (optional)
Chapter 13: Identification, Authentication, and Authorization
Chapter 14: All Countermeasures have some value, but no countermeasure is perfect

WS: (optional)
Chapter 12: Hardware Perspectives for End-to-End Security

Topics: System Identification and Key Clustering. Cryptanalytic attacks. Principals of vertical and horizontal differentiation based on repetitions, entropy, PRNG testing, compression and graphical analysis. Side channel attacks, differential and linear cryptanalysis, character and bit level analysis. Forensic Cryptanalysis

Demonstration: identification of traffic, signatures, and strength of encryption systems. Don't miss this class!

Interesting directions – Biometric encryption

NS: (required)
Chapter 15:PKI; 15.1-15.8
Chapter 16:Real Time Communications Security; 16.1-16.12
Chapter 17: IPSec; 17.1-17.2; 18.1-18.4
Chapter 19: SSL; 19.1-19.8
Chapter 25: Web Issues; 25.1-25.3,25.5

-----------------------

CD: (required)
Chapter: 18: PGP and The Web of Trust
Chapter 19: Real-World Systems: Secure E-Mail

BF: (optional)
Chapter 15: Fighting Terrorism

ICE: (optional)
Chapter 9: Dark Winter: Technology and Early Warning
Chapter 10: Security, Terror and Liberty
Chapter 11: The War on Terror: Mobilizing for the Future

Topics: Access control mechanisms, cryptography and two different views. Kinds of E-Commerce, SET, SSH, COTS, SSO, authorization and interoperability. IPSec and applications, benefits, transport and tunnel modes; Competing public goals, International Issues, Export-BXA.

Other Topics: ANSI standards. Internet IFCs. NIST and FIPS. Secure Pipes-SSL, VPN, PKI. Kinds of e-Commerce and their enabling technologies. SET, SSH, COTS, SSO, authorization and interoperability.

Learning objectives (sessions 11 & 12): Students evaluate specific approaches to data protection, their technical strengths and weaknesses, and their potential social impact.

Multiple Bullets due.

TEAMS - In class project time; Research Discussions with teams

Multiple Bullets due.

TEAMS - In class project time; Research Discussions with teams

Module 14: (In-class version) Student Research Presentations

Students present their research to their classmates.

Module 14: (Distance Education version) Student PowerPoint Presentations

Students prepare and post PowerPoint presentations describing their research as part of an on-line conference, and review and discuss the presentations posted by their classmates

***TEAM RESEARCH PAPERS DUE***

(Both In Hardcopy and Softcopy forms)
Team PowerPoint Presentations Due

***FINAL GRADES***