Security

CmpE 297

Software Security Technologies

Fall 2003

Instructor

Richard Sinn
Email: sinn@openloop.com
Office Hours: Before / After class, by appointment or email only

Richard Sinn has been in the pure software industry for over 10 years both as manager and lead developer for projects ranging from IBM operating systems, kernel file system, network computer, Java desktop, IT secure development framework, IBM DB2 database, security and provisioning services.

In 2001, Richard led the development of the first dynamic workflow enabled PKI Certificate Management System (CMS) in the industry. It is a joint project between VeriSign and a Silicon Valley security startup company. There are currently eight patents (six in security technologies, and two in database technologies) pending under Richard’s name.

Richard has also been a part-time professor for the past five years teaching at San Jose State University (both Computer Science and Computer Engineering departments) and University of Minnesota.

Announcements

Class time:

Thursday, 7:30pm to 9:15pm

Class room:

This is Section 2.

SAL 104

American Language (SAL) building at 384 S. Second Street, Room 104.
Best to park on the street or in the parking facility at 3rd and San Carlos.

Aug 3, 2003: Initial creation.

Aug 14, 2003:

Please consider how you set up your evaluation environments - be it homework, on-campus quizzes and exams, to minimize chances of (temptations to) cheating.

In particular:

During tests:

- Make sure there is plenty of space between students.

- Always proctor exams and tests, and preferably by sitting at the back of the room rather than at the front. Do not leave the testing room during the test. If you cannot proctor the class yourself, contact me and I will endeavor to find a proctor for you.

- If the test is closed-book, require all backpacks to be zipped shut, all PDAs, computers and phones to be handed in, and any access to either without explicit proctor permission should be an immediate F in the class.

For homework: We have started using on-line support systems to catch cheaters. So I would very strongly urge you:

- For code assignments: Run them all through MOSS

- For essays etc: Run them all through turnitin.com (SJSU has a site subscription, I have been told.)

- Make sure individual contributions are ensured in team projects. This can be done through various means: Sign-offs, quizzes on the content of common work, etc.

Remember: A grade reflects an evaluation of the individual student's achievements. Your evaluation system has to reflect that objective.

Aug 24, 2003:

Registration is at the Computer Engineering Department office, Room ENG-284. Register as off-campus CMPE-297E. Class will be held in SAL-108 (384 South Second Street, Downtown SJ). Lab will be discussed on forum: cmpe297e-fall2003. Class restricted to 25 students, sign-up is on a first-come/first-serve basis.

Students must be present on first night of class and be prepared to pay a course fee of $750. To be assured of getting in the course it is advised that students stop by the department office a fill out the form ahead of time. Off campus courses need a minimum of 20 students to be held.

Aug 25, 2003:

Add/Drop to do for instructor:

1) For all classes, count the number of students that intend to enroll in the class or who are already enrolled.

2) If the number is smaller than the class size, hand out permission codes immediately to the students writing themselves into the add-list (which you get at the department office). If it is larger then tell them we'll hand out permission codes from the waiting list within a day or two.

3) If you hand out codes in class then tell the students they have to use the permission code to register within two days, or the night before the next class meeting (whichever comes first, as determined by you).

4) Immediately after class, report the number from (1) above to Sharolene.

Course Information

Objectives

Latest corporation challenge is managing software security threats on high speed, high volume mission critical software infrastructure. Building secure software in both the Internet and enterprise network becomes a must in today's world. The objective of this course is to teach you the essentials to build and deploy secure software. Learn how to design and administrate a complete, consistent, correct, and adequate security program.

Topics include:

Public Key Infrastructure Overview
Certificate lifecycle
CRL and CRL DP
OCSP
SSL
XKMS
Using LDAP for security
Access Control
Trust Model
Internet AAA (Authentication, Authorization, Audit)
Java Security Programming Model
Web Service Security
Various Security Model in Application Servers

You must be proficient with Java and J2EE architecture, preferably that you have already taken CMPE 275 or taking concurrently.

Grading

Apart from big term project(s) and presentation, there are homework assignments, a mid-term exam and a final exam. Some exams might be take-home. The weightings for grading are: Term Project(s) 40%, Homework 10%, Midterm 10%, Final Exam 20%, Term Presentation 10%, and Research Paper on selected topics (10%).

No Late Assignment Submission

Class Material

Lecture Notes

Reading material will be online on this web site before every lecture. Please email sinn@openloop.com if you experience any download problem.

Required Textbook

PKI: Implementing & Managing E-Security by Andrew Nash, Bill Duane, Derek Brink, Celia Joseph. McGraw-Hill Osborne Media; ISBN: 0072131233; (March 27, 2001).

Reference

RSA Security's Official Guide to Cryptography by Steve Burnett, Stephen Paine (Paperback)
IPSec: Securing VPNs by Carlton Davis (Paperback)
Security Architecture: Design, Deployment and Operations by Christopher King, et al (Paperback)
Understanding the Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations by Carlisle Adams, et al (Hardcover)
Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure by Russ Housley, Tim Polk (Hardcover)
Openloop.com (http://www.openloop.com)

More will be added as the semester goes

Schedule

Introduction

Aug 28, 2003-

Add/Drop
1) For all classes, count the number of students that intend to enroll in the class or who are already enrolled.

2) If the number is smaller than the class size, hand out permission codes immediately to the students writing themselves into the add-list (which you get at the department office). If it is larger then tell them we'll hand out permission codes from the waiting list within a day or two.

3) If you hand out codes in class then tell the students they have to use the permission code to register within two days, or the night before the next class meeting (whichever comes first, as determined by you).

4) Immediately after class, report the number from (1) above to Sharolene.

Course discussion
Security Introduction
Preparation for project
- Java PKI System: Use this as the basis of PKI system for your project
- Microsoft CA: Research this if your group want to use a Microsoft CA
- iPlanet LDAP: Download directory server for storing security info in LDAP
- IBM DB2: Download DB2 for storing security info in database
Homework 0: Class pulling information

PKI

Sept 4, 2003-:

Homework Group: Form a team to work on project
Public-Key Cryptography
- Symmetric Versus Asymmetric Ciphers
- Algorithms: RSA, DSA, DH, ECDSA/ECDH and SHA-A

Sept 11, 2003-:

Resume "Side" Homework
PKI components:
- Concept of an Infrastructure
- CA,
- Certificate Repository,
- Cert Revocation,
- Key Backup and Recovery,
- Automatic Key update,
- Key history
- Cross-Certification
- Support for Non-Repudiation
- Time Stamping
- Client Software

September 12, 2003-:

Last Day to Drop Courses Without an Entry on Student's Permanent Record

Sept 18, 2003-:

PKI Services
- Core PKI Services: Authentication, Integrity, and Confidentiality
- PKI-Enabled Services
  - Notarization
  - Non-Repudiation
  - Privilege Management
  - Mechanisms Required
  - PKI Practice
Homework 1
Bring your receipt for enrollment, no audit this semester.

September 19, 2003-:

Last Day to Add Courses & Register Late

Sept 25, 2003-:

The common problem: Certificate Revocation
- CRL / CRL DP
- OCSP
Class starts at 8:00pm
Homework 2

Oct 2, 2003-:

Java Security Introduction
- Language-Level Security
- Invalid Memory Access
- Garbage Collection
- Other Language Features
- JavaTM Virtual Machine-level Security1
- Java Byte Codes
- Byte Code Verification
- Class Loading
- Runtime Checking
- Managing Security
- Access Controller and Permissions
Homework 1 Due

Java Security Programming Model

Oct 9, 2003-:

More Java Security
Homework 2 Due
Homework 3

Oct 16, 2003-:

Java Access Control

Oct 23, 2003-:

Trust Model
Project: PKI Security System
Mid evaluation
Homework 3 Due

Mid-Term

Oct 30, 2003-:

Mid-Term (Take home, no class)
Project Part I Due (Use email with one single MS-Word document)

E-Commerce with Web Services

Nov 6, 2003-:

Java signature generation and verification
- Signing
- Verifying
Mid-Term Due

Nov 13, 2003-:

Web SSO
J2EE Overview
WebSphere Architecture Overview
E-Commerce Topology

Nov 20, 2003-:

Application Server Configuration
Security Issues in Web Services Model
E-Commerce Apps
- Development
- Packaging
- Deployment
Project Part II Due

Nov 27, 2003-:

Thanksgiving Holiday

Final and Presentation

Dec 4, 2003-:

Final Project Info (MUST READ)
NO CLASS (Take Home)

Dec 9, 2003-:

Last Day of Instruction for the whole university.

Term Project

PKI Security System

Overflow Topic

PKI

Certificates and Certification
- Structure
- Validation
- Policies
- CA vs RA
Key and Certificate Management

Java

A Quick Look at policytool
API-Level Security Features
java.security
java.security.acl
java.security.interfaces
java.security.cert
java.security.spec
Using the Security Packages
Message Digests
Digital Signatures
Public Key Cryptography
Signing Data
Verifying Data
Authentication and Certificates
Browser-level Security
Executable Content

Applet Security Managers
Extending Browser Privileges
Extending HotJava Privileges
Extending JDK 1.2 Applet Privileges
Netscape Capabilities Classes
Using Internet Explorer's Permission Scoping
Signing Java Programs
Signing Applets for HotJava, Java Plug-in, and appletviewer
Signing Applets for Netscape Communicator
Signing Applets for Internet Explorer
Conclusion and Resources

Web Services

SOAP
UDDI
SOAP EAR
XML Support
XKMS
Security Model:
- Security Components
- Security Administration Model
- Authentication Model
- Authorization Model
- Delegation Model
- Security and Operating Systems

Grade

Email sinn@openloop.com to check your grade if necessary.

General Policy

The university and departmental policies and deadlines for course drop will be applied. Makeup exams cannot be offered, except under exceptional conditions, such as documented serious illness/accident, etc., and only at the professor's discretion.

Each student is responsible for his/her individual assignment, and must not copy anyone else's work. Students who borrow solutions from others will find themselves unable to pass the course. The minimum penalty for every student involved in the duplication of individual assignments or exams will be receiving a zero score on the submitted work.

For group project, all the work has to be done by your OWN group. Do not try to download "free code" from the Internet and hand in as a project. WE WILL FIND OUT. Do not share your work with others. So DO YOUR OWN WORK and EARN your grade.