Unit INFORMATION SECURITY
- Course
- Computer engineering and robotics
- Study-unit Code
- 70A00053
- Curriculum
- In all curricula
- Teacher
- Luca Grilli
- Teachers
-
- Luca Grilli
- Hours
- 48 ore - Luca Grilli
- CFU
- 6
- Course Regulation
- Coorte 2021
- Offered
- 2022/23
- Learning activities
- Caratterizzante
- Area
- Ingegneria informatica
- Academic discipline
- ING-INF/05
- Type of study-unit
- Opzionale (Optional)
- Type of learning activities
- Attività formativa monodisciplinare
- Language of instruction
- ITALIAN
- Contents
- Fundamental concepts: confidentiality, integrity and availability. Access control models. Main cryptographic primitives. Authentication of systems and of people. Operating systems security. Application program security. Sensitive data protection. Main vulnerabilities of computer networks. Web application security.
- Reference texts
- Slides by the teacher.
Recommended books.
Michael Goodrich, Roberto Tamassia. Introduction to Computer Security, Addison-Wesley, 2013.
Charlie Kaufman, Radia Perlman, Mike Speciner. Network Security: Private Communication in a Public World, 3rd edition, Addison-Wesley, 2022.
William Stallings. Lawrie Brown. Computer Security: Principles and Practice, 4th edition. Pearson, 2017.
William Stallings. Cryptography and Network Security: Principles and Practice, 8th edition. Pearson, 2019. - Educational objectives
- The main aim of this course is twofold: (i) to provide students with a global view of the information security and of the security mechanisms typically used in applications; (ii) to make students to be able to design software systems that offer a certain level of security.
Main knowledge acquired will be:
• main cryptographic primitives;
• secret-key and public-key authentication protocols;
• access control models;
• operating system security management;
• software vulnerabilities, computer virus and other malicious code;
• inferential attacks and strategies for the protection of sensitive data;
• basic concepts of network security and management;
• firewalls and intrusion detection systems;
• basic concepts of Web application security.
The main abilities that the students will acquire are:
• capability to recognize and to classify vulnerabilities and attacks to software systems;
• secure programming techniques;
• capability to design software system architectures and communication protocols while ensuring a specific level of security;
• capability to manage information systems while ensuring predefined security requirements. - Prerequisites
- For a full comprehension of all course topics, it is important to be familiar with the C programming language, and the most important Web programming technologies. Furthermore, it is helpful to be familiar with algorithms and data structures, operating systems, SQL language, and basic concepts of computer networks, including Internet protocols.
- Teaching methods
- The teaching activities follow two main modalities:
• Lessons in the classroom (90% of total time): they will consist of face-to-face lessons in the classroom. In each lesson, the teacher illustrates specific information security topics, through the projection of slides.
• Seminars held by students (10% of total time): each student may decide to hold a seminar (lasting 30-40 minutes) on a relevant topic, related to the course program, and to be agreed with the teacher. The seminar replaces the oral test and some questions of the written test. - Other information
- In addition to the weekly consultation hours, the teacher is available to receive students individually, or in group, on dates and times to be agreed with them.
- Learning verification modality
- Aims of the assessment. Evaluating (i) the knowledge of the theoretical concepts given by the teacher; (ii) the ability to analyze the security of a software system; and (iii) the capability to design protocols and systems that offer a determined level of security and meet certain design constraints.
The standard exam consists of a written test and of an optional oral test as described hereunder.
Written test
• Duration: 120 minutes.
• Score: 30/30.
• Composition: 5 questions, one for each of the following main topics: applied secret key cryptography, applied public key cryptography, authentication protocols, operating system security and software security, Internet and Web security.
A question consists of an exercise or an open-ended question.
The correction of the written test is presented to the student during a brief interview; the student can comment and discuss the result with the teacher to figure out whether or not to do the oral test.
Optional oral test
• Duration: 15 minutes.
• Score: ± 3 punti.
• Composition: 3 open-ended questions.
Besides to the standard exam, there is also an innovative verification modality for students who attend the lessons. More specifically, each student may decide to hold a seminar (lasting 30-40 minutes) on a relevant topic, related to the course program, and to be agreed with the teacher. The seminar replaces the oral test and some questions of the written test. - Extended program
- Teaching unit: Module 1 - Introduction, encryption and authentication
Fundamental concepts: confidentiality, integrity, availability, threats and attacks.
Access control models: access control matrices, access control lists, capability lists.
Role-based access control.
Fundamental concepts of secret key cryptography.
Basic concepts of block ciphers.
Outlines of some block ciphers: DES and AES.
Stream ciphers: algorithm RC4.
Modes of operation of block ciphers: ECB, CBC e OFB.
Cryptographic hash functions.
Cryptographic techniques for message integrity: CBC-MAC and HMAC.
Public-key cryptography: algorithms RSA and Diffie-Hellman.
Digital signature.
Authentication of systems and of people.
Challenge-response authentication protocols.
Zero-knowledge authentication protocols.
Teaching unit: Module 2 - Software security, network security and Web security
Operating systems security.
Process security: monitoring, management and logging.
Memory and file-system security.
Buffer overflow attacks.
Application program security.
Vulnerabilities and non-malicious program errors.
Viruses and other malicious code.
Inference attacks on sensitive data.
Security and vulnerability of networks.
Firewall and tunneling.
Intrusion detection systems.
Web and browser security.
Cross-site scripting attacks and SQL-injection.