CMSC 414
Computer (and Network) Security
Jonathan Katz

Introduction and overview
What is computer/network security?
Course philosophy and goals
High-level overview of topics
Course organization and information

“Security”
Most of computer science is concerned with achieving desired behavior
In some sense, security is concerned with preventing undesired behavior
– Different way of thinking!
– An enemy/opponent/hacker/adversary may be actively and maliciously trying to circumvent any protective measures you put in place

Computer vs. network security
One view:
– Computer security: focuses on security aspects of systems in isolation
– Network security: focuses on security of data as it is transmitted between networked systems
Not always a clear-cut dividing line…

Some examples…
Computer security
– Viruses
– Secure data storage
– OS Security
Network security
– Authentication protocols
– Encryption of transmitted data
– Firewalls

Broader impacts of security
Explosive growth of interest in security
– Most often following notable security failures…
Impact on/interest from all (?) areas of CS
– Theory (especially cryptography)
– Databases
– Operating systems
– AI/learning theory
– Networking
– Computer architecture/hardware
– Programming languages/compilers
– HCI

Philosophy
We are not going to be able to cover everything
Main goals
– Exposure to different aspects of security; meant mainly to “pique” your interest
– The “mindset” of security: a new way of thinking…about more than computer networks
– Become familiar with basic crypto, acronyms (RSA, SSL, PGP, etc.), and “buzzwords”
– Security is a process, not a product

Student participation (I hope!)
If something interests you, let me know
– Depending on time, may be able to cover in more detail
– Can always suggest further references
Monitor the media
– Email me relevant/interesting stories
Class participation counts!

High-level overview
Introduction…
– Including various classes of attacks
Cryptography
– Cryptography is not the (whole) solution…
– …but it is an important part of the solution
– Along the way, we will see why cryptography can’t solve all security problems

High-level overview II
Security policies and analysis
– Attack trees
– Access control
– Confidentiality/integrity
– Key management
Principles for secure design/implementation

High-level overview III
Network security
– Identity
– Authentication
– Some real-world protocols
– Wireless security

High-level overview IV
Miscellaneous (as time permits)
– Firewalls
– Intrusion detection
– Buffer overflows; secure programming languages
– Viruses and malicious logic
– Etc…

Course Organization

Staff
Me
TAs (Introduce)
Contact information, office hours, listed on course webpage

Course webpage
http://www.cs.umd.edu/~jkatz/comp_sec
Contains information about course organization, updated syllabus, various links, etc.
No paper handouts; all handouts will be distributed from the course webpage
Check often for announcements

Textbooks
I will primarily use two texts:
– “Computer Security” by Bishop
– “Network Security…” by Kaufman, Perlman, and Speciner
Neither is officially required, but both will make it easier to follow the course
Exams may rely on material in these books, even if not covered in class

Other readings
Will be linked from the course webpage
Material from these readings is fair game for the exams, even if not covered in class (unless stated otherwise)
Please suggest other readings or relevant news articles!

Course requirements
Homeworks
– About 5-6 throughout the semester
– Collaboration with one other student allowed; answers must be written independently
– If you consult references, you must reference them
Project
– In three parts throughout the semester
– Will require implementation using JCE
– TAs will help with using JCE and Java…

Computer accounts
Each student will receive a computer account for homeworks and the project
We are still looking into this…

Grading
See course webpage
Note: class participation counts!
– Suggest readings and references related to course and/or project
– Speak up in class!

Security: an Introduction

Two papers linked from webpage
“Reflections on trusting trust”
“Managed security monitoring”
Both leave a fairly negative impression of security…
…at the very least, they show that security is not easy, and cannot just be applied as a “magic bullet”

“Trusting trust”
(summarize article)
Does one really need to be this paranoid??
– Probably not
– Sometimes, yes
Shows that security is complex…and probably impossible (in theory?)

“Managed security monitoring”
(Summarize article)
– Is the state of network security really this bad? (Arguably, yes)
– Although network monitoring and risk management are important, security is too
– Security is not an end unto itself
  • If you really want to be secure, disconnect yourself from the Internet

An Overview of Computer Security

Basic components
Confidentiality
Integrity
Availability

Confidentiality
Encryption
Access control

Integrity
Trustworthiness of data or resources
Prevention vs. detection
Blocking unauthorized attempts to change data, or attempts to change data in unauthorized ways
– The second is much harder…
Correctness vs. trustworthiness of data

Availability
Denial of service attacks
Denying access can lead to more serious attacks
– I.e., if credit card verification is down

Threats (or “attacks”)
Snooping, eavesdropping
Modification, alteration
Masquerading, spoofing
False repudiation/denial of receipt
Network delay, denial of service

Policy vs. mechanism
Security policy
– Statement of what is and is not allowed
Security mechanism
– Method for enforcing a security policy
One is meaningless without the other…
Problems when combining security policies of multiple organizations
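
Added example (not part of the original slides) for the “Integrity” and “Policy vs. mechanism” slides: the policy is stated as two constants, one function prevents both kinds of unauthorized change, and an HMAC detects a change that bypassed prevention. The ledger, user names, transfer limit and key are all constructed for illustration.

```python
import hashlib
import hmac

# Policy: a statement of what is and is not allowed (all values constructed).
WRITERS = {"alice"}        # who may change the ledger
MAX_TRANSFER = 1000        # how an authorized writer may change it
MAC_KEY = b"constructed-demo-key"   # kept apart from the data it protects


def tag(ledger):
    """Detection mechanism: HMAC-SHA256 over a canonical ledger encoding."""
    msg = repr(sorted(ledger.items())).encode()
    return hmac.new(MAC_KEY, msg, hashlib.sha256).hexdigest()


def transfer(ledger, user, src, dst, amount):
    """Prevention mechanism: enforce the policy before any write happens."""
    if user not in WRITERS:
        return "denied: unauthorized user"
    if src not in ledger or dst not in ledger:
        return "denied: unknown account"
    if not 0 < amount <= min(MAX_TRANSFER, ledger[src]):
        return "denied: unauthorized change"
    ledger[src] -= amount
    ledger[dst] += amount
    return "ok"


def demo():
    ledger = {"ops": 5000, "payroll": 0}
    results = [
        transfer(ledger, "mallory", "ops", "payroll", 10),   # wrong subject
        transfer(ledger, "alice", "ops", "payroll", 4000),   # right subject, wrong change
        transfer(ledger, "alice", "ops", "payroll", 500),    # allowed by the policy
    ]
    stored = tag(ledger)        # tag recorded after the last legitimate write
    ledger["payroll"] += 1      # a write that never went through transfer()
    results.append(hmac.compare_digest(stored, tag(ledger)))  # tags differ
    return results, ledger


if __name__ == "__main__":
    print(demo())
```

The first check needs only the subject's identity; the second needs application-specific rules about what a valid change looks like, which is where the extra difficulty noted on the slide comes from.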