Security

CmpE 297

Software Security Technologies

Spring 2004

Instructor

Richard Sinn
Email: sinn@openloop.com
Office Hours: Before / After class, by appointment or email only

Richard Sinn has been in the pure software industry for over 10 years both as manager and lead developer for projects ranging from IBM operating systems, kernel file system, network computer, Java desktop, IT secure development framework, IBM DB2 database, security and provisioning services.

In 2001, Richard led the development of the first dynamic workflow enabled PKI Certificate Management System (CMS) in the industry. It is a joint project between VeriSign and a Silicon Valley security startup company. There are currently eight patents (six in security technologies, and two in database technologies) pending under Richard’s name.

Richard has also been a part-time professor for the past five years teaching at San Jose State University (both Computer Science and Computer Engineering departments) and University of Minnesota.

Announcements

Class time:

Thursday, 7:30pm to 9:15pm

Class room:

This is Section 2.

ENG 341

American Language (SAL) building at 384 S. Second Street, Room 104.
Best to park on the street or in the parking facility at 3rd and San Carlos.

Dec 26, 2003: Initial creation.

Environment

Please consider how you set up your evaluation environments - be it homework, on-campus quizzes and exams, to minimize chances of (temptations to) cheating.

In particular:

During tests:

- Make sure there is plenty of space between students.

- Always proctor exams and tests, and preferably by sitting at the back of the room rather than at the front. Do not leave the testing room during the test. If you cannot proctor the class yourself, contact me and I will endeavor to find a proctor for you.

- If the test is closed-book, require all backpacks to be zipped shut, all PDAs, computers and phones to be handed in, and any access to either without explicit proctor permission should be an immediate F in the class.

For homework: We have started using on-line support systems to catch cheaters. So I would very strongly urge you:

- For code assignments: Run them all through MOSS

- For essays etc: Run them all through turnitin.com (SJSU has a site subscription, I have been told.)

- Make sure individual contributions are ensured in team projects. This can be done through various means: Sign-offs, quizzes on the content of common work, etc.

Remember: A grade reflects an evaluation of the individual student's achievements. Your evaluation system has to reflect that objective.

Registration

Registration is at the Computer Engineering Department office, Room ENG-284. Register as off-campus CMPE-297E. Class will be held in SAL-108 (384 South Second Street, Downtown SJ). Lab will be discussed on forum: cmpe297e-fall2003. Class restricted to 25 students, sign-up is on a first-come/first-serve basis.

Students must be present on first night of class and be prepared to pay a course fee of $750. To be assured of getting in the course it is advised that students stop by the department office a fill out the form ahead of time. Off campus courses need a minimum of 20 students to be held.

Add/Drop to do for instructor:

1) For all classes, count the number of students that intend to enroll in the class or who are already enrolled.

2) If the number is smaller than the class size, hand out permission codes immediately to the students writing themselves into the add-list (which you get at the department office). If it is larger then tell them we'll hand out permission codes from the waiting list within a day or two.

3) If you hand out codes in class then tell the students they have to use the permission code to register within two days, or the night before the next class meeting (whichever comes first, as determined by you).

4) Immediately after class, report the number from (1) above to Sharolene.

Course Information

Objectives

Latest corporation challenge is managing software security threats on high speed, high volume mission critical software infrastructure. Building secure software in both the Internet and enterprise network becomes a must in today's world. The objective of this course is to teach you the essentials to build and deploy secure software. Learn how to design and administrate a complete, consistent, correct, and adequate security program.

Topics include:

Public Key Infrastructure Overview
Certificate lifecycle
CRL and CRL DP
OCSP
SSL
XKMS
Using LDAP for security
Access Control
Trust Model
Internet AAA (Authentication, Authorization, Audit)
Java Security Programming Model
Web Service Security
Various Security Model in Application Servers

Grading

Apart from big term project(s) and presentation, there are homework assignments, a mid-term exam and a final exam. Some exams might be take-home. The weightings for grading are: Term Project(s) 40%, Homework 20%, Midterm 10%, Final Exam 20%, and Term Presentation 10%.

No Late Assignment Submission

Class Material

Lecture Notes

Reading material will be online on this web site before every lecture. Please email sinn@openloop.com if you experience any download problem.

Reference

RSA Security's Official Guide to Cryptography by Steve Burnett, Stephen Paine (Paperback)
PKI: Implementing & Managing E-Security by Andrew Nash, Bill Duane, Derek Brink, Celia Joseph. McGraw-Hill Osborne Media; ISBN: 0072131233; (March 27, 2001).
IPSec: Securing VPNs by Carlton Davis (Paperback)
Security Architecture: Design, Deployment and Operations by Christopher King, et al (Paperback)
Understanding the Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations by Carlisle Adams, et al (Hardcover)
Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure by Russ Housley, Tim Polk (Hardcover)
Openloop.com (http://www.openloop.com)

More will be added as the semester goes

Schedule

Introduction

Jan 29, 2004-Thu

Add/Drop
1) For all classes, count the number of students that intend to enroll in the class or who are already enrolled.

2) If the number is smaller than the class size, hand out permission codes immediately to the students writing themselves into the add-list (which you get at the department office). If it is larger then tell them we'll hand out permission codes from the waiting list within a day or two.

3) If you hand out codes in class then tell the students they have to use the permission code to register within two days, or the night before the next class meeting (whichever comes first, as determined by you).

4) Immediately after class, report the number from (1) above to Sharolene.

Course discussion
Security Introduction
Preparation for project
- OpenSSL project
- Java PKI System: Use this as the basis of PKI system for your project
- Microsoft CA: Research this if your group want to use a Microsoft CA
- iPlanet LDAP: Download directory server for storing security info in LDAP
- IBM DB2: Download DB2 for storing security info in database
Homework 0: Class pulling information

PKI

Feb 5, 2004-Thu:

Homework Group: Form a team to work on project
Public-Key Cryptography
- Symmetric Versus Asymmetric Ciphers
- Algorithms: RSA, DSA, DH, ECDSA/ECDH and SHA-A

Feb 12, 2004-Thu:

PKI components:
- Concept of an Infrastructure
- CA,
- Certificate Repository,
- Cert Revocation,
- Key Backup and Recovery,
- Automatic Key update,
- Key history
- Cross-Certification
- Support for Non-Repudiation
- Time Stamping
- Client Software

Feb 17, 2004:

Last Day to Drop Courses Without an Entry on Student's Permanent Record

Feb 19, 2004-Thu:

PKI Services
- Core PKI Services: Authentication, Integrity, and Confidentiality
- PKI-Enabled Services
  - Notarization
  - Non-Repudiation
  - Privilege Management
  - Mechanisms Required
  - PKI Practice
Homework 1
Bring your receipt for enrollment, no audit this semester.

Feb 24, 2004:

Last Day to Add Courses & Register Late

Feb 26, 2004-:

The common problem: Certificate Revocation
- CRL / CRL DP
- OCSP
Homework 1 Due
Homework 2

Mar 4, 2004-Thu:

Java Security Introduction
- Language-Level Security
- Invalid Memory Access
- Garbage Collection
- Other Language Features
- JavaTM Virtual Machine-level Security1
- Java Byte Codes
- Byte Code Verification
- Class Loading
- Runtime Checking
- Managing Security
- Access Controller and Permissions
Homework 2 Due
Group discussion: http://groups.yahoo.com/group/cmpe297_security_sinn_sp04/
Sample Makefile
Homework 3

Java Security Programming Model

Mar 11, 2004-Thu:

Trust Model
Homework 3 Due
Homework 4 (Optional)
Project Part I

Mar 18, 2004-Thu:

Mid-term (Take home, no class)

Mar 25, 2004-Thu:

Mid-term Due
Project Part I Due
LDAP Introduction
Client/Server Introduction

March 29 - April 2: Spring Break

Apr 8, 2004-Thu:

E-Commerce with Web Services

Apr 15, 2004-Thu:

Homework 4 Due (Optional, Extra Credit)
Java signature generation and verification
- Signing
- Verifying
Web SSO (Notes cannot be posted)

Apr 22, 2004-Thu:

J2EE Overview
WebSphere Architecture Overview
E-Commerce Topology
Authentication (pdf from other source)
Cygwin and JNI on Windows

Apr 29, 2004-Thu:

Application Server Configuration
Security Issues in Web Services Model
Final Project Info (MUST READ)
E-Commerce Apps
- Development
- Packaging
- Deployment

Final and Presentation

May 6, 2004-Thu:

Group Presentation
Presentation Schedule
Project Final Part Due

May 13, 2004-Thu:

Students presenting !!!
Final Exam

May 18, 2004-:

Last Day of Instruction for the whole university.

Term Project

PKI Certificate and Encryption Service Center

Overflow Topic

PKI

Certificates and Certification
- Structure
- Validation
- Policies
- CA vs RA
Key and Certificate Management

Java

A Quick Look at policytool
API-Level Security Features
java.security
java.security.acl
java.security.interfaces
java.security.cert
java.security.spec
Using the Security Packages
Message Digests
Digital Signatures
Public Key Cryptography
Signing Data
Verifying Data
Authentication and Certificates
Browser-level Security
Executable Content

Applet Security Managers
Extending Browser Privileges
Extending HotJava Privileges
Extending JDK 1.2 Applet Privileges
Netscape Capabilities Classes
Using Internet Explorer's Permission Scoping
Signing Java Programs
Signing Applets for HotJava, Java Plug-in, and appletviewer
Signing Applets for Netscape Communicator
Signing Applets for Internet Explorer
Conclusion and Resources

Web Services

SOAP
UDDI
SOAP EAR
XML Support
XKMS
Security Model:
- Security Components
- Security Administration Model
- Authentication Model
- Authorization Model
- Delegation Model
- Security and Operating Systems

Grade

Email sinn@openloop.com to check your grade if necessary.

General Policy

The university and departmental policies and deadlines for course drop will be applied. Makeup exams cannot be offered, except under exceptional conditions, such as documented serious illness/accident, etc., and only at the professor's discretion.

Each student is responsible for his/her individual assignment, and must not copy anyone else's work. Students who borrow solutions from others will find themselves unable to pass the course. The minimum penalty for every student involved in the duplication of individual assignments or exams will be receiving a zero score on the submitted work.

For group project, all the work has to be done by your OWN group. Do not try to download "free code" from the Internet and hand in as a project. WE WILL FIND OUT. Do not share your work with others. So DO YOUR OWN WORK and EARN your grade.