I taught Security 101 at Bristol in the 2019/2020 academic year. This was a
first-year computer science course, previously taught by Dr. Bernhard (from whose
materials these were heavily derived). The focus of the part of the course I
delivered was to provide an introduction to cryptography and cryptographic
concepts, as well as to teach general soft-security behaviours.
Main course materials
01 Introduction outlines how the course was to
be delivered and assessed (with Dr. Rawat teaching Part B, on software and
network security).
04 Authentication re-introduces the CIA triad (confidentiality, integrity,
availability) and moves on from the confidentiality-focused crypto questions to
questions of integrity. This is tackled both at a technical level, with a
discussion of message authentication codes and how they interact with ciphers,
and at a behavioural level, where authentication of real people leads to the
topic of passwords and good password management.
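The interaction between a MAC and a cipher is the part of this lecture that is easiest to get wrong in practice, so here is an added example (mine, not part of the course materials) of the failure and the fix. The "cipher" is a toy counter-mode keystream built from SHA-256, standing in for AES-CTR or a real stream cipher; the keys, nonce size and the payment message are all constructed for the example. It shows that an attacker who knows the message format can change the amount in a ciphertext without knowing the key, and that encrypt-then-MAC with a separate MAC key and a constant-time comparison rejects the tampered ciphertext before it is ever decrypted.

```python
"""Added example: a cipher alone gives confidentiality, not integrity.

Not part of the original course materials. The "cipher" is a toy
counter-mode keystream built from SHA-256 (an assumption standing in for
AES-CTR or a real stream cipher); the point holds for any stream cipher
or CTR-mode ciphertext.
"""
import hashlib
import hmac
import os

ENC_KEY = b"toy-encryption-key-demo-only"   # constructed for the example
MAC_KEY = b"toy-mac-key-demo-only"          # independent key for the MAC


def keystream(key, nonce, length):
    """Toy CTR-mode keystream: SHA-256(key || nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the keystream is its own inverse


def malleability_demo():
    """Attacker changes the amount field without knowing the key."""
    nonce = os.urandom(12)
    plaintext = b"PAY ALICE 0010 GBP"          # constructed message
    ciphertext = encrypt(ENC_KEY, nonce, plaintext)
    # The attacker knows the format, so knows bytes 10..13 hold the amount.
    # XORing a difference into the ciphertext XORs the same difference into
    # the plaintext the receiver recovers.
    delta = xor_bytes(b"0010", b"9990")
    tampered = ciphertext[:10] + xor_bytes(ciphertext[10:14], delta) + ciphertext[14:]
    return decrypt(ENC_KEY, nonce, tampered)   # -> b"PAY ALICE 9990 GBP"


def etm_encrypt(plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, never the plaintext."""
    nonce = os.urandom(12)
    ciphertext = encrypt(ENC_KEY, nonce, plaintext)
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def etm_decrypt(nonce, ciphertext, tag):
    """Verify first, in constant time, and only then decrypt. None on failure."""
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(ENC_KEY, nonce, ciphertext)


def tamper_detected():
    """The same bit-flip as above, now caught by the MAC before decryption."""
    nonce, ciphertext, tag = etm_encrypt(b"PAY ALICE 0010 GBP")
    delta = xor_bytes(b"0010", b"9990")
    tampered = ciphertext[:10] + xor_bytes(ciphertext[10:14], delta) + ciphertext[14:]
    return etm_decrypt(nonce, tampered, tag) is None   # -> True
```

Two design points worth noticing: the MAC key is independent of the encryption key, and the tag is checked with `hmac.compare_digest` rather than `==`, so a byte-by-byte early exit does not leak how much of a forged tag was correct.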
05 Public-key cryptography highlights the key management problem inherent in
symmetric cryptography and walks through the padlock analogy for intuition. It
then introduces public-key cryptography at a high level, followed by a
walkthrough of how RSA works and a toy example to step through. We then return
to key distribution, how public-key and symmetric cryptography are combined, and
how the Diffie-Hellman key exchange works. The students are left with a puzzle
about how we authenticate messages under public-key cryptosystems.
06 Digital signatures answers the puzzle from the end of the previous lecture,
with reference to the earlier discussion of MACs under symmetric encryption. How
digital signatures operate at a high level is followed by a discussion of the
key distribution infrastructure (web of trust, etc.) and what this boils down to
in the uses students will encounter. Much of this feeds into the second lab, in
which students work with openssh and gpg.
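The RSA toy example, the Diffie-Hellman exchange from lecture 05 and the signature answer from lecture 06 fit in one short script, so here is an added example covering all three (my code, not the course's own worked example). The primes 61 and 53, public exponent 17, and the Diffie-Hellman group p = 23, g = 5 with private exponents 6 and 15 are chosen so that every step can be checked by hand; there is no padding and the digest is reduced modulo the tiny n, so this is the lecture's toy and nothing like a deployable scheme.

```python
"""Added example: textbook RSA, an RSA signature, and Diffie-Hellman.

Not part of the original course materials. The parameters are tiny so
each step can be followed by hand, and there is no padding: this is the
lecture's toy, not something to deploy.
"""
import hashlib
from math import gcd


def rsa_keygen(p, q, e=17):
    """Return ((n, e), (n, d)) from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)        # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Anyone holding the public key can encrypt a message 0 <= m < n."""
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Only the holder of d recovers m."""
    n, d = priv
    return pow(c, d, n)


def toy_digest(message, n):
    """Hash the message and reduce into Z_n so the toy modulus can hold it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(priv, message):
    """Signing is the private operation applied to the digest, not to the message."""
    n, d = priv
    return pow(toy_digest(message, n), d, n)


def rsa_verify(pub, message, signature):
    """Anyone with the public key checks that signature^e equals the digest."""
    n, e = pub
    return pow(signature, e, n) == toy_digest(message, n)


def dh_exchange(p, g, a, b):
    """Return (A, B, k_alice, k_bob). A and B cross the wire; a and b never do."""
    A = pow(g, a, p)          # Alice -> Bob
    B = pow(g, b, p)          # Bob -> Alice
    return A, B, pow(B, a, p), pow(A, b, p)


def demo():
    pub, priv = rsa_keygen(61, 53)          # n = 3233, the usual toy modulus
    c = rsa_encrypt(pub, 65)                # -> 2790
    m = rsa_decrypt(priv, c)                # -> 65
    msg = b"pay Bob 10 pounds"              # constructed message
    sig = rsa_sign(priv, msg)
    genuine = rsa_verify(pub, msg, sig)                   # -> True
    forged = rsa_verify(pub, msg, (sig + 1) % pub[0])     # -> False
    A, B, ka, kb = dh_exchange(p=23, g=5, a=6, b=15)      # A=8, B=19, key 2
    return {"n": pub[0], "d": priv[1], "c": c, "m": m,
            "genuine": genuine, "forged": forged,
            "A": A, "B": B, "k_alice": ka, "k_bob": kb}
```

Note what the Diffie-Hellman half does not do: nothing in the exchange tells Alice that A or B came from the party she thinks she is talking to, which is exactly the puzzle the students are left with and which the signature half answers.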
07 Security protocols moves on to a new topic, taking a broader view of system
security, drawn heavily from Anderson's book chapter on security protocols. The
example of attacks against car key fobs is used to work through several issues
that arise in practical implementations of security schemes, and then this and
the 'planes in war' scenario are used to introduce nonces, challenge-response
protocols, replay attacks, man-in-the-middle attacks, and reflection attacks.
The lecture ends with a discussion of the Needham-Schroeder protocol, the
vulnerability found in its original version, and how it was fixed.
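The nonce, replay and reflection ideas from this lecture can be run rather than just drawn, so here is an added example (mine, not from the course) of a symmetric-key challenge-response protocol with both sides' messages. It assumes, as the reflection attack requires, that Alice and Bob share one key and use the same protocol in both directions, so Bob will also answer challenges. The shared key is a constructed constant. The script shows an honest run, a replay caught because each nonce is accepted once, and a reflection attack that succeeds when the response covers only the nonce and fails once the sender and receiver identities are bound into the MAC.

```python
"""Added example: nonce challenge-response, replay and reflection attacks.

Not part of the original course materials. Alice and Bob share one
symmetric key (constructed below) and use it in both directions, which
is exactly the setting in which a reflection attack works.
"""
import hashlib
import hmac
import os

SHARED_KEY = b"shared-key-demo-only"   # constructed for the example


class Party:
    def __init__(self, name, bind_identities):
        self.name = name
        self.bind_identities = bind_identities
        self.outstanding = {}   # nonce -> peer we challenged with it

    def challenge(self, peer):
        """Send a fresh random nonce and remember who must answer it."""
        nonce = os.urandom(16)
        self.outstanding[nonce] = peer
        return nonce

    def respond(self, challenger, nonce):
        """Answer a challenge: MAC over the nonce (plus identities if bound)."""
        return self._tag(sender=self.name, receiver=challenger, nonce=nonce)

    def verify(self, claimed_peer, nonce, tag):
        """Accept an outstanding nonce once only, then check the MAC."""
        if self.outstanding.pop(nonce, None) != claimed_peer:
            return False        # unknown nonce, or one already used: a replay
        expected = self._tag(sender=claimed_peer, receiver=self.name, nonce=nonce)
        return hmac.compare_digest(expected, tag)

    def _tag(self, sender, receiver, nonce):
        msg = nonce
        if self.bind_identities:
            # Binding who is answering whom makes Bob's own answer useless to Mallory.
            msg = sender.encode() + b"->" + receiver.encode() + b"|" + nonce
        return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()


def honest_run(bind_identities):
    alice, bob = Party("Alice", bind_identities), Party("Bob", bind_identities)
    n = bob.challenge("Alice")                       # Bob -> Alice: n
    return bob.verify("Alice", n, alice.respond("Bob", n))   # Alice -> Bob: MAC


def replay_attack():
    """Mallory records Alice's answer and plays it back in a later session."""
    alice, bob = Party("Alice", False), Party("Bob", False)
    n = bob.challenge("Alice")
    tag = alice.respond("Bob", n)
    first = bob.verify("Alice", n, tag)
    bob.challenge("Alice")                   # Bob opens a new session...
    replayed = bob.verify("Alice", n, tag)   # ...Mallory replays the old pair
    return first, replayed                   # -> (True, False)


def reflection_attack(bind_identities):
    """Mallory, without the key, gets Bob to answer his own challenge."""
    bob = Party("Bob", bind_identities)
    n = bob.challenge("Alice")                # session 1: Bob -> "Alice": n
    reflected = bob.respond("Alice", n)       # session 2: Mallory, posing as Alice,
                                              #   challenges Bob with n; Bob answers
    return bob.verify("Alice", n, reflected)  # session 1: Mallory returns Bob's answer
```

The replay defence here is the simplest one, a fresh random nonce per session that is discarded after one use; the reflection defence is to make a response say who computed it and for whom, which is the same lesson the Needham-Schroeder fix teaches about putting identities inside the protected part of a message.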
08 Social engineering reflects on social engineering attacks, pointing out the
incentives for attackers to target humans (Jeremy vs. The Machine). A real-world
example demonstrates their effectiveness, and Cialdini's principles of persuasion
are then introduced with several examples. The lecture then moves on to internet
fraud and how phishing works.
Coursework 1 builds on the material in the two lab
worksheets.
Other materials
Questions collects answers to several questions that came up during the
course.
Block ciphers was a session requested by students,
going over previous material on symmetric encryption and delving into exactly how AES
and DES operate.