Instructor | Announcements | Course Info | Class Material | Schedule | Project | Grade | General Policy | Related Links

Instructor

Richard Sinn
Email: richardsinn@yahoo.com
Office Hours: After class, by appointment or email only

Richard Sinn has been teaching in the Computer Engineering and Computer Science departments at San Jose State University since 1998. He also served as Adjunct Professor at University of Minnesota. In addition to his teaching career, Richard is the Security Architect at the Real Time Communication group at Yahoo! Inc. Prior to this he held various senior positions at IBM, Oracle and different Silicon Valley startup companies. Richard is an inventor and has filed over ten invention disclosures (patents). He is also a frequent writer for various magazines and journals, and a frequent speaker at regional and national technology conferences.

Announcements

Check back every now and then for updates.

Add code:

Available when someone drops.

Class time:

Every Tuesday 6:30pm <-----

Class room:

ENG341

Initial creation.

Environment

Please consider how you set up your evaluation environments - be it homework, on-campus quizzes and exams, to minimize chances of (temptations to) cheating.

In particular:

During tests:

- Make sure there is plenty of space between students.

- Always proctor exams and tests, and preferably by sitting at the back of the room rather than at the front. Do not leave the testing room during the test. If you cannot proctor the class yourself, contact me and I will endeavor to find a proctor for you.

- If the test is closed-book, require all backpacks to be zipped shut, all PDAs, computers and phones to be handed in, and any access to either without explicit proctor permission should be an immediate F in the class.

For homework: We have started using on-line support systems to catch cheaters. So I would very strongly urge you:

- For code assignments: Run them all through MOSS

- For essays etc: Run them all through turnitin.com (SJSU has a site subscription, I have been told.)

- Make sure individual contributions are ensured in team projects. This can be done through various means: Sign-offs, quizzes on the content of common work, etc.

Remember: A grade reflects an evaluation of the individual student's achievements. Your evaluation system has to reflect that objective.

Course Information

Objectives

Network security protocols and applications, cryptography algorithms, authentication systems, intrusion detection, network attacks and defenses, system-level security issues, and how to build secure systems. Prerequisite: CmpE 206 and EE 281. This semester is programming oriented. Topics include:

• Security theories
• Thrust model
• Network programming with security- Java
• Network programming with security - C/C++
• Protocols info - SSL, LDAP, IPSec, etc.
• IDS
• Network Attack / Defense
• Security Level
• Building secure system

Grading

Apart from big term project(s) and presentation, there are homework assignments, a mid-term exam and a final exam. Some exams might be take-home. The weightings for grading are: Term Project(s) 40%, Homework 20%, Midterm 10%, Final Exam 10%, and Team Presentation 20%.

No Late Assignment Submission. Put everything in an envelop when submit any material.

Policy Info

University, College, or Department Policy Information

a. Academic integrity statement (from Office of Judicial Affairs): “Your own commitment to learning, as evidenced by your enrollment at San José State University, and the University’s Academic Integrity Policy requires you to be honest in all your academic course work. Faculty members are required to report all infractions to the Office of Judicial Affairs.

b. Campus policy in compliance with the Americans with Disabilities Act: “If you need course adaptations or accommodations because of a disability, or if you need special arrangements in case the building must be evacuated, please make an appointment with me as soon as possible, or see me during office hours. Presidential Directive 97-03 requires that students with disabilities requesting accommodations must register with DRC to establish a record of their disability.”

Class Material

Lecture Notes

Textbook:

Software Security Technologies, A Programmatic Approach. Course Technology, 496 pages. (Available at bookstore).

 

Non-Textbook: Reading material will be online on this web site before every lecture. Reading this semester:

• HTTP: http://www.w3.org/Protocols/, ftp://ftp.isi.edu/in-notes/rfc2616.txt
• FTP: http://www.ietf.org/rfc/rfc0959.txt
• BitTorrent: http://www.bittorrent.com/protocol.html
• DNS: http://www.faqs.org/rfcs/rfc1035.html, http://www.faqs.org/rfcs/dns-rfcs.html
• IKE: http://www.ietf.org/rfc/rfc2409.txt
• IPSEC Intro: http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23f/ipsec/ch01.htm
• XKMS: http://www.w3.org/TR/2005/REC-xkms2-20050628/
• ICE: http://www.w3.org/TR/1998/NOTE-ice-19981026
• LDAP: http://www.faqs.org/rfcs/rfc2251.html
• OCSP: http://www.faqs.org/rfcs/rfc2560.html
• SSL/TLS: http://wp.netscape.com/eng/ssl3/draft302.txt
• DHCP: http://rfc.net/rfc2131.html
• NFS: http://www.faqs.org/rfcs/rfc1813.html
• Kerberos: http://web.mit.edu/kerberos/www/

Reference

Pick one of the references for term paper. Please spend the time to read and actually reseach (program) into the topics. The class expects a high quality research paper, not some collection of combined internet web pages ...

Schedule

Term Project

Description

Your 3 person team is a well known group of network security experts. As a result, the whole team is hired by company ABC to implement the Web Sharing Hub (WSH) web based data sharing application. The basic goal of the system is to enable exchange of data in the MOST secure fashion using a web browser. Here is a list of requirements:

• Your team must signup a real hosting solution to develop a real web site (with domain name, etc) to run this project.
  • You can use Yahoo! Web Hosting (what I used) or Rocket Hosting Link (cheap and other students used that)
    • Yahoo is the student prefer choice since you can easily get out after 3 months without any problem, and it has the most up time.
  • Using a real web site setting enable real web development experience (this ensure that you cannot get away with things that just run localhost, etc.)
  • You can optionally keep it running after the semester (it will be good reference for interview, etc.)
• All UI interface must be implemented using a web browser interface
• Multiple types of data can be shared using WSH. For example, text file, html file, word document, jpeg file, movie file, etc.
• Three types of users will use WSH
  • Normal user - a self registration interface will be provided to self create a normal user. A normal user can access all the files uploaded by him/herself.
  • Group Creator - A group creator is a normal user who creates a group for sharing. As a group creator, he/she can select other normal users to share data in the group. The group creator can also select the authentication methods (AM) for each normal user in the group. A share group creator can delete a group if necessary. Any user in the group can upload and share data within the group.
  • Administrator - adminstrator is the superuser of the WSH portal who can administrate any group or user creation in the system. Thus, an administrator can move any user to any group.
• At least four types of authentication methods must be implemented:
  • Your group must decided what types of AM will be implemented in the system.
  • Suggestion includes MD5 authentication, picture/soft token matching, htaccess implementation, etc, etc. ...
  • Your group must implement one of the authentication methods by designing and implementing your own protocol. (Anything goes, use this chance as perfect opportunity to practice).
• Data upload from the interface must be secure.
• Optionally, you can make the AM pluggable authentication module where a group creator can stack multiple authentication module for a normal user. (JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework. JAAS authentication is performed in a pluggable fashion. This permits applications to remain independent from underlying authentication technologies. New or updated authentication technologies can be plugged under an application without requiring modifications to the application itself. Read chapter 1, 5, 6, 7 of the textbook. Read them in order to obtain the full picture. You don't need to use JAAS for this project, but the chapters illustrate the concept well.)

Extra credit

For team that finished early. You can get extra credit by working with another team to come up with an inter WSH sharing mechanism. In other words, how does a group creator of a WSH includes normal users from another site? How will the administrator role changes in inter site scenarios? (And etc.)

Grading

Project team has to decide on various issues such as:

• What domain name to signup?
• What is the development language to use? Php, Perl or something else.
• Do we use database such as MySQL? What is the database schema to use?
• How do we secure the interface with the backend WSH?
• What do we implement for each authentication method (AM)?
• Do we use pluggable authentication?
• Can we use web server authentication method to help out?
• How do we secure the content (for sharing) on the web server?
• Do we support nested group?

As the whole class will be working on similar projects, relative grading will be used. In other words, all the projects will be ranked within the class and points will be assigned accordingly. There are two parts in the project:

• Part I: Requirement Analysis and Design 33%
• Part II: Final report and/or Implementation 67%

Handin

Project Part I consists of a document includes the following:

• Detail project plan. The list of features and functions should be included in the project.
• Schedule and division of work among team members
• Prototype results

Project Final Part will be covered later in class

Final Word of Warning

This is not an "easy" class and the project is an essential part of the overall grade. People who did not deliver the project well enough could really hurt their grade as the project contains more than 40% of the overall grade.

Avoid:

• Forming group late
• Changing group in the middle of the semester
• Start late and rush any part of the project
• Form a group of less than 3 people
• Not enough extra features if the group is more than 3 people
• Did the final integration of the project late
• Do not do enough testing
• All but actually one person in the group does all the programming (No, people do not get lucky and teammate will complain...)

Team Research Presentation (Lab)

Each team will be given one topic to research and present during the semester. Mid-term and final will contain some questions related to the topics presented. The team needs to prepare the following:

• PowerPoint Presentantion of the topic
• A 5 short-paper with detail reference on the topic
• Perform face-to-face presentation in class (10 min)

The following are the possible topics:

• RFID network protoco
• SMTP
• SNMPl
• SSH
• SCP
• Kerberos
• Radius
• Network Intrusion Detection
• SOAP
• UDDI
• XKMS
• NAT
• EAP
• IPX/SPX
• POP3/IMAP4
• BGP
• EGP
• IGP
• RIP
• OSPF
• Socks
• More tables from TCP/IP suite:

Grade

Email sinn@openloop.com to check your grade if necessary.

General Policy

The university and departmental policies and deadlines for course drop will be applied. Makeup exams cannot be offered, except under exceptional conditions, such as documented serious illness/accident, etc., and only at the professor's discretion.

Each student is responsible for his/her individual assignment, and must not copy anyone else's work. Students who borrow solutions from others will find themselves unable to pass the course. The minimum penalty for every student involved in the duplication of individual assignments or exams will be receiving a zero score on the submitted work.

For group project, all the work has to be done by your OWN group. Do not try to download "free code" from the Internet and hand in as a project. WE WILL FIND OUT. Do not share your work with others. So DO YOUR OWN WORK and EARN your grade.

Related Links

Instructor | Announcements | Course Info | Class Material | Schedule | Project | Grade | General Policy | Related Links