Link to websubmit for submitting assignments.

Privacy assignments: HW1     HW1 with bug in ex7 fixed     HW1 partial solution     Lab1      Error propogation formulae that are helpful for Lab1

Crypto assignments: HW2     Optional Extra Practice Problems     HW2 solution    

Network Security assignments: HW3     HW3 partial solution    HW4     HW4 solution    

Class is held Mondays and Wednesdays 1:00-2:30PM in CAS 221

Important dates:

• Monday March 19, 9AM. If you plan to submit original work as your poster, please email Prof. Goldberg with a description of your topic and research plan by this day.
• Wednesday March 28, 1:00-2:30PM. Midterm. The midterm will cover material from the first two-thirds of the course.
• Friday March 30. Last day to drop course with a W. Midterm will be graded and returned by Thursday March 29; if you are considering dropping the course, please make sure to see Prof. Goldberg during her (extra) office hours on Thursday March 29.
• Monday April 9, 9AM. Poster check in. Please email Prof. Goldberg with your poster topic by this day.
• Friday May 4, 1:00-4:00 PM. CS558 open poster session; the CS department will be invited, and you are welcome to invite colleagues and friends.

Week 1 (Wednesday only).

Welcome, adminstrivia, signup for presentations.

Week 2. Attacks on Data Privacy.

Monday Presenter: Dimitris Papadopoulos. RSA secur ID breach   slides
Wednesday Presenter: Harry Mavroforakis. DuQu worm   slides

Read for Monday: Narayanan and Shmatikov on PII CACM 2010

Topics:

• Personally identifiable information. NIST Definition 2010, see section 2. See also Narayanan and Shmatikov CACM 2010.
• Latayna Sweeny's famous attack on HMO data. Read the subsection entitled "Data and anoymity" pg 100-102.
• Uniqueness of Simple Demographics in the US Population WPES'06. We cover Table 1 and Figure 1-2 in class.
• AOL query log fiasco
• Deanonymizing the Netflicks dataset Narayanan and Shmatikov '08. Focus on Section 5. See also the author's FAQ and the result of this research.
• Attacks on social network datasets Narayanan and Shmatikov '09 (section 5 and 6) and Backstrom, Dwork, Kleinberg '07 (intro to section 2.1 inclusive)

Week 3. Privacy notions of k-anonymity, l-diversity. Attacks on these notions.

Monday Presenter: None
Wednesday Presenter: Larissa Spinelli For sale, your data by you slides

Reference: Lectures will be based on Li, Li, Venkatasubramanian Section 1-3 (inclusive) and Ganta, Kasiviswanathan, Smith '08 Sections 1-3 (inclusive). See also these Slides from class, borrowed with permission from V. Shmatikov. In class we also discussed Shannon entropy (read page 2 of these notes) and Kerckhoff's principle, i.e. "The enemy knows the system" (see e.g. Leo Reyzin's lecture nodes on this (3rd paragraph).)

Topics:

• k-anonymity. Original paper by Sweeny'05.
• l-diversity
• t-closeness
• Composition attacks on these notions of privacy.

Optional.At very end of class Wednesday, we discussed Dwork's proof that (a formalization) of the following statement is impossible. "Anything that can be learned about a respondent from the statistical database can be learned without access to the database." See Dwork, Section 3

Week 4. Intro to Differential Privacy: Definition, c-stable transformations, sequential composition

Monday Presenter: Jonathan

Reference: Lectures will cover Section 2 of McSherry'09

Week 5. More Differential Privacy: Examples (CDF, counting search queries) and parallel composition.

Homework 1 and Lab 1 released!

Monday Presenter: Stirling  Khelios botnet slides
Wednesday Presenter: Jarad   ACTA slides

Reference: We continue with Section 2 of McSherry'09. We will also cover material (particularly algorithms for the CDF) from Section 4.1, 5.3.1 of McSherry Mahajan'10.

Optional: In class I mention a paper called differential privacy under fire, which looks at side-channel attacks on differential privacy query languages like PINQ.

Week 6. Even more Differential Privacy: Exponential mechanism, the median mechanism, and the join operator.

Wednesday Presenter: Nur secure boot slides.

Reference: References on the exponential mechanism are very messy, so here are some rough notes I wrote about the material we discuss in lecture. The original references I used to make these notes are as follows:

• The exponential mechanism was first proposed in this paper: McSherry and Talwar.
• I also used Aaron Roth's lecture as a reference Roth Lecture 3, as well as Moni Naor's lecture notes.
• An additional reference that discusses the median mechanism is in this paper on smooth sensistivity.

Weeks 7 and 8. Crypto. Class taught by Adam ONeill.

Monday Presenter: Kyle Attack on RSA slides.
Wednesday Presenter: Danny DNS bit squatting slides.
Monday Presenter: Ian Andriod OS security slides.

Lectures are based on Mihir Bellare's lectures, with material from lectures 1,3,4,5,7,11,12. Topics:

• Intro to basic goals of secure communication, attack models, provable security vs ad-hoc protocol design
• Symmetric encryption: Syntax and usage, possible adversarial goals and IND-CPA security, blockciphers and their security as PRFs, example of IND-CPA secure encryption from a blockcipher (CTR$ mode).
• MACs: Syntax and usage, possible adversarial goals and UF-CMA security, hash functions and collision-resistance, example of UF-CMA secure MAC from a blockcipher (CBC-MAC) and UF-CMA secure MAC from a hash function (HMAC), why simply using Hash(K||M) is a bad idea due to length-extension attacks
• Public-key encryption: Syntax and usage, IND-CPA security Diffie-Hellman key exchange, hybrid encryption from DH key-exchange, RSA and why plain RSA encryption is bad, RSA key exchange, hybrid encryption from RSA key exchange
• Digital signatures: Syntax and usage, UF-CMA security, why plain RSA signatures are bad, full domain hash RSA signatures

March Break!

Week 9. Symmetric Encryption and Authentication : IPsec and TLS/SSL.

Monday Presenter: Jarib Attack on HBGary slides.
Wednesday Presenter: Colin Conficker slides.
Crypto Review Session: 4PM on Friday in MCS135

We discuss how IPsec and TLS/SSL are used, covering both the high-level issues about where in the Internet each protocol is used, as well as the underlying cryptographic issues related to encryption and authentication.

• We discussed the notion of CCA security and CPA security for encryption, and how, when we talk about encryption in practice, most schemes are ony CPA secure (i.e. AES, DES, blowfish, etc.). However, on the internet we almost always want CCA security, so we can defend against active attackers; to do this, we need to combine CPA secure encryption with a secure MAC. For a reference, see the Katz and Lindell textbook.
• Note on the order of encryption and authentications are based on Hugo Krawcyzk's amazing paper from 2001 (one of my favorites) that was rewritten as Chapter 4.9 of Katz and Lindell's "Introduction to Modern Cryptography" textbook.
• We cover IPsec in detail, using Steve Friedl's illustrated guide.
• We will also discuss practical attacks on encryption-only uses of IPsec from this EuroCrypt'2006 paper.
• Optional. I mentioned network address translation (NAT) in class, here is the animation and article.

Week 9. Midterm and review week.

We review material on Monday.

Midterm is on Wednesday. You are allowed to bring a two-sided handwritten aid sheet. Three-quarters of the midterm will be on privacy (k-anon and differential privacy and PINQ) and one quarter will be on basic crypto (CCA security, CPA security for encryption, and MAC security, the difference between symmetric encryption/authentication and public-key encryption/authentication.)

Week 10. IPsec and IKE (Internet Key Exchange)

Monday presenter: Tim Operation shady rat slides.
Wednesday presenter: Joe Medical device security slides.

We discuss SigMA protocols used in IPsec using Krawcyzk's slides.

Week 11.

Monday: "Buffer overflows for dummies" - class taught by Ran Canetti.

Wednesday: Availability and denial of service attacks on IP and TCP - guest lecture by Yossi Gilad.

Weeks 12-13. Public Key Infrastructures, RPKI . BGP security

Wednesday presenter: Robert Sony playstation attack
Monday presenter: Sanaz Dropbox security.
Wednesday presenter: Da Cheng slides.

• We start by discussing public key infrastructures. Here are Leo Reyzin's lecture notes that mention PKI.
• I mentioned secret sharing in class, as way to avoid having a single entity store the secret key that is the root of trust for the PKI. Here are some notes on secret sharing. Note that DNSsec actually did secret share its root key! See this this article!
• Please also read this Schneier and Ellison paper on PKI security.
• We will spend some time discussing RPKI - the PKI proposed for use in Internet routing (BGP). Here are some slides I've prepared.
• Here are some slides on BGP security. slides.
• The Pakistan Telecom / YouTube incident - a failed attempt at censorship renesys blog.
• The China Telecom traffic interception incident renesys blog.

Weeks 14. DNS security

Monday presenter: Valerie CISPA AND EINSTEIN slides.
Friday is the poster session!

• A gentle introduction to DNS is here http://www.isoc.org/briefings/016/index.shtml.
• A list of the DNS root zones is here: http://www.root-servers.org/
• A very interesting FAQ about root zone operations, (e.g. why there is diversity in the code used to operate the root zone servers), by Daniel Karrenberg, an operator of the K-root.
• We discuss Kaminsky's famous attack on DNS using this UnixWiz article.
• See also this figure explaining the Kaminsky attack.
• Defending your DNS in a post-Kaminsky world. slides from Paul Wouters at Blackhat'09.
• Slides on DNS security from Olaf M. Kolkman in 2004.
• Tracking the progress of DNSSEC deployment with UCLA's security spider.
• Paper on the security risks associated with DNSSEC and NSEC Bau-Mitchell'10.
• DNS and censorship - the china I-root incident. renesys blogpost 1 and blogpost 2.