Skip to main content

Computer Security:  2022-2023

Lecturer

Degrees

Schedule A2(CS&P)Computer Science and Philosophy

Schedule B1 (CS&P)Computer Science and Philosophy

Schedule A2Computer Science

Schedule B1Computer Science

Schedule A2(M&CS)Mathematics and Computer Science

Schedule B1(M&CS)Mathematics and Computer Science

Michaelmas TermMSc in Advanced Computer Science

Term

Overview

Computer security pervades every aspect of the modern online experience, now reaching into mobile phones and games consoles as well as conventional computers and cybersecurity for enterprises. This course covers some of the fundamental principles of computer security and in detail information security. 

After identifying some core concepts of cybersecurity and computer systems security, a number of practical challenges to information security will be presented. The aim is to specify the requirements of a solution, explain an appropriate (mathematics-based) tool, and then discuss pitfalls, attacks, and countermeasures. Topics covered include access control, symmetric and asymmetric block ciphers, keyed hashes, digital signatures, and simple key exchange protocols. We end the course by considering wider security architectures and risk controls that form the wider operational security environment for the concepts studied in the course.

Learning outcomes

An understanding of the differences between various requirements of cybersecurity, where they arise as computer and information security, and appropriate tools to achieve them; an appreciation of some common security pitfalls.

This is a course for computer scientists, not system administrators. Don't expect to learn how to build "secure" websites, nor how to install firewalls.

Prerequisites

  • Basic aspects of how a computer works (as covered by Digital Systems).
  • Basic modular arithmetic (as amply covered by the Discrete Mathematics course).
  • Elementary discrete probability (as amply covered by the first-year Probability course).

Assessment

The MSc assessment and undergraduate Part B exmination will be alligned and take place in Trinity. For both MSc and Part B this is planned to be a timed closed-book paper.

 

Synopsis

Number of lectures for each course component is an estimate and not fixed.

Introduction [1 lecture, 1st]. Key concepts and definitions. 

Access control [1.5 lectures, 1st]. Models of security and the example of Unix permissions, access control for integrity protection models.

Attacks [1.5 lectures, 1st & 2nd]. Overview of common forms of cyberattacks and models for understanding them.

Symmetric key ciphers [2 lectures, 2nd]. Block ciphers and stream ciphers, Kerckhoffs' Principle, attack models, examples of attacks (including meet-in-the-middle). Perfect security, Shannon's conditions, Vernam cipher and the one-time pad.

Cryptographic hash functions [2 lectures, 3rd]. One-way and cryptographic hash functions, relationships with other security properties; attacks on iterative algorithms. Hashes for password storage and key generation: offline attacks, strengthening by salting and stretching, examples in practice. Hashes for message integrity, collision resistance. The Merkle-Damgård construction, padding, and classical examples as time allows.

Asymmetric key ciphers [2 lectures, 3rd and 5th]. The RSA cryptosystem: proof of correctness, discussion of efficiency. The RSA security assumption, relationship with integer factorization. Discussion of appropriate key size. Homomorphic property, number theoretic attacks, PKCS v1.5 padding. Brief survey of alternative public key ciphers.

Message authentication & digital signatures [2 lectures, 5th]. The Dolev-Yao model. Message authentication codes, HMAC. Digital signatures, attack models. RSA signatures, textbook weaknesses, and PKCS v1.5 padding. Combining signatures and encryption. Brief survey of alternative signature schemes.

Protocols [2 lectures, 6th]. Entity-entity authentication protocols given shared secret or public keys, weaknesses and attacks. Key distribution and certification, chains of trust, PKI. Mediated authentication protocols, weaknesses and attacks. The SSL/TLS application layer protocol.

Security architectures and standards intro [2 lectures, 7th]. Aspects of security architectures, context for information security and crypto techniques. Issues for security operations. Key standards and views on most essential security controls.

Syllabus

Aspects of computer security, common attacks and security models. Tools and countermeasures for achieving particular security goals: one-way functions, symmetric and asymmetric block ciphers including key generation and block modes, keyed hashes, digital signatures, simple key exchange protocols. Introduction to cybersecurity architectures, standards and key risk controls.

Reading list

We do not follow a specific text but the following are good choices for further reading:

  • Dieter Gollmann. Computer Security, third edition (any edition is fine)Wiley, 2010. Has more material on computer security concepts, and models of security, than any of the other books, and less on ciphers and hashes. A good complement.

 

  • Charlie Kaufman, Radia Perlman & Mike Speciner. Network Security: Private Communication in a Public World, second edition. Prentice-Hall, 2002. Covers nearly everything in the course in a very readable style. Good detail, but sometimes lacks formality.

 

  • Andrew Ker. Computer Security Lecture Notes. 2013 (or 2014, as linked from the Course Materials page). 

 

  • Niels Ferguson, Bruce Schneier & Tadayoshi Kohno. Cryptography Engineering - Design Principles and Practical Applications. Wiley, 2010.  Alternates between chatty prose and detailed implementations of security primitives, but good on the common pitfalls.

 

  • Martín Abadi & Roger Needham, Prudent Engineering Practice for Cryptographic Protocols, IEEE Transactions on Software Engineering, 22(1), 1996; PDF

Related research

Themes

Taking our courses

This form is not to be used by students studying for a degree in the Department of Computer Science, or for Visiting Students who are registered for Computer Science courses

Other matriculated University of Oxford students who are interested in taking this, or other, courses in the Department of Computer Science, must complete this online form by 17.00 on Friday of 0th week of term in which the course is taught. Late requests, and requests sent by email, will not be considered. All requests must be approved by the relevant Computer Science departmental committee and can only be submitted using this form.