CS 413 Home Page

 

*****************

Fall of 2011:  This course is subject to major revision this semester.  It will not be possible to complete the revision of the Web page up front.

This page will be modified and grow over the course of the semester as new and revised materials are posted.

At any given time, only the materials above the RED LINE (see below) will be current.

You will need to check back off and on for changes.

*****************


The syllabus, lab exercises, and other information are posted here.  These are links to Word documents which you should be able to download and print.

cs413syllabusfall2011.doc  Syllabus


Some links that might be of interest.

http://sectools.org/  Top 100 Network Security Tools.  "After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”."

If you explore the site, you will find that the following sites are related to it:  Insecure.Org, Nmap.Org, SecLists.Org, and Nmap Security Scanner.

http://www.w3schools.com  w3schools.com  "The world's largest web development site.  At w3schools.com you will learn how to make a website. We offer free tutorials in all web development technologies."

http://www.owasp.org/index.php/Main_Page  "The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license."

http://www.nsa.gov/  The National Security Agency. "The NSA/CSS core missions are to protect U.S. national security systems and to produce foreign signals intelligence information."

http://epic.org/  Electronic Privacy Information Center.  "EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values."

http://www.cybercrime.gov/index.html  Computer Crime & Intellectual Property Section, United States Department of Justice.

http://www.eff.org/  The Electronic Frontier Foundation.  "From the Internet to the iPod, technologies are transforming our society and empowering us as speakers, citizens, creators, and consumers. When our freedoms in the networked world come under attack, the Electronic Frontier Foundation (EFF) is the first line of defense. EFF broke new ground when it was founded in 1990 — well before the Internet was on most people's radar — and continues to confront cutting-edge issues defending free speech, privacy, innovation, and consumer rights today. From the beginning, EFF has championed the public interest in every critical battle affecting digital rights."

http://csrc.nist.gov/  The National Institute of Standards and Technology of the Commerce Department, Computer Security Division, Computer Security Resource Center.  "The CSD mission is to provide standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology (IT) systems."

http://eprint.iacr.org/  Cryptology ePrint Archive.  "The Cryptology ePrint Archive provides rapid access to recent research in cryptology. Papers have been placed here by the authors and did not undergo any refereeing process other than verifying that the work seems to be within the scope of cryptology and meets some minimal acceptance criteria and publishing conditions."

http://www.oxid.it/  This site doesn't appear to have a name other than oxid.it.  It also doesn't have a stated mission.  Take a look at the projects on the site to get an idea of what it's about.  This is a description of one of them:  "Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users."


 

Below are links to question files with answers included. The question files are not assignments.  They consist of short answer questions on various chapters in the book.  These questions should be representative of some questions that will be on tests.  You may find it useful to read through them as part of studying for tests.  You are not supposed to hand in your answers and there are no points associated with these question sets.

 

QuestionFile1Cryptography.docx  Chapter 2, Elementary Cryptography

 

QuestionFile2Cryptography.docx  Chapter 12 topics:  AES/DES type encryption, NP-completeness, Merkle-Hellman knapsacks, modular fields and inverses

 

QuestionFile3Cryptography.docx  Chapter 12 topics:  Prime numbers, Euler's totient, RSA encryption

 

QuestionFile4Cryptography.docx  Chapter 3, Program Security

 

QuestionFile5Cryptography.docx  Chapter 7, Security in Networks


            Below are links to the homework files for the course.  These are the assignments that you earn points for.  The first two assignments are programming assignments—but keep in mind that there will be no programming on tests.  The other two assignments consist of short answer questions and problems.  In general, homework 3 covers chapters 1, 2, and 12.  Homework 4 covers chapters 3 and 7.  However, neither of these assignments should be considered a comprehensive treatment of the topics in those chapters.  Like the questions above, they are simply representative of a selection of test questions on the chapters.  Neither assignment includes questions on chapters 10 or 11, but those chapters will be included on the tests in this course.  Also, neither assignment covers the book by Luke and Welling.  The way the syllabus is set up, it is conceivable that there might be one or two test questions on the general topic of what Luke and Welling cover, but there will be no in-depth treatment of that material on a test.

 

hw1.docx

 

            These are the additional files for hw1:

            LetterCount.java

            cryptfile1.txt

            cryptfile2.txt

            cryptfile3.txt

 

hw2.docx

 

hw3.docx

 

hw4.docx


Here are the links to the individual folders for the chapters covered in the course.  They are given in the order in which they appear in the syllabus.  As usual with my course Web pages, these folders are a dumping ground for various files related to the chapters.  If there were PowerPoint overheads for a chapter, they should be found in the respective folder.  There may also be Word documents containing full text descriptions of some or all of what was covered in the overheads.  There may also be a Word document with the word "overheads" in its name.  This is just a holdover from the bygone days when overheads were made by printing out documents on plastic transparencies.  Other things may also appear in the directories.

 

Chapter1

 

Chapter2

 

Chapter12

 

Chapter3

 

Chapter7

 

LukeAndWellingIntro  If there is anything of significance in my introduction to the material in this book, anything related to choosing topics and presentation order for students, and so on, it will be in here.

 

Note that in the current syllabus chapters 10 and 11 are not covered in the course.

 

Chapter10

 

Chapter11

 

LukeAndWellingStudentContributions  If there is any desire, I can collect student presentations from the end of the semester and make them available here for everybody to access.

 

FinalProject


*****************

This is the RED LINE.  Anything above this line is current.  Anything below this line is not current.

As time passes, new materials will appear above this line, and old materials will be revised and will migrate above this line.

Pay no attention to anything posted below this line.

*****************


            Project/demonstration information.  You can start thinking about this at any time, so it is posted here at the beginning.

softwarelist.doc  This document lists the open source software that can be used for a demonstration.  There will be a simple sheet of paper on my door where you can put your name and list the piece of software you will be doing your presentation on.

signupsheet.doc  This document lists the time slots for doing your presentation in class.  There are few enough students this semester that there is no need to sign up for a time.  Everyone will simply take a turn during the final test period.


cs413securitynotesoverheads.doc  This is the non-book material presented in class between chapters 2 and 3.

          The following files were the basis for the overheads.  It may or may not be helpful to look at them for further detail on some of the topics covered in the overheads.

          cs413symmetric.doc

          cs413merklehellman.doc

cs413HW1part1general.doc  The first part of the assignment includes general questions on encryption.

cs413HW1part2aesdes.doc  The second part of the assignment includes questions on symmetric encryption.

cs413HW1part3merklehellman  The third part of the assignment includes questions on asymmetric encryption.


cs413test1sp2007key.doc  This is the key to the first test for 2007.


    The following blocks of links have to do with topics covered in Chapter 3 of the book "The Java 2 Platform Security".  Figuring everything out also required referring to Chapter 9 of the book "Core Java 2:  Volume II" and the online tutorials at www.sun.com.  The blocks are set off with horizontal lines.  Each block is marked with a Roman numeral.  Within the blocks there are numbered points with links that are supposed to illustrate the points.


I.  Default security settings when using only the system supplied security policy files.

    1.  Applets run without problems if they do not do security critical things.

    javasecurity/ColorCubeApplet.java  Here is the code for a simple applet which produces some graphical output in the browser.  It doesn't try to do file I/O or any other security critical operation.

    javasecurity/ColorCubeApplet.html  If you click on this link, you should see the applet work.

    2.  Local applications run without problems even if they do security critical things.

    javasecurity/WriteAlphabetApplication.java  This is a link to a simple application which writes the alphabet in capital letters to this path/file:  C:\alphabet.txt.  The assumption is that you don't already have a file named C:\alphabet.txt on your machine.  If you do, you should remove it before going further.  If you download the code, compile it, and run it, it should give you no security problems and you should then find the file C:\alphabet.txt on your computer.  In preparation for the next step, delete the file.

    3.  Applets that do security critical things do not run successfully when run locally if there is no security policy file granting them the permissions they need.

    javasecurity/WriteAlphabetApplet.java  Here is the code for an applet which contains the same file I/O logic as the WriteAlphabetApplication.java application.  If you download the code, compile it, and try to run it locally on your own machine, it should throw a security exception due to the attempted file access.  If you deleted the file C:\alphabet.txt, you should find that trying to run the applet has not successfully replaced it with a new copy.

    4.  Applets that do security critical things also do not run successfully when run over the Web if there is no local security policy granting them the permissions they need.

    javasecurity/WriteAlphabetApplet.html  This is a link to the applet.  When it is run remotely it will do the same thing as it did when run locally.  An exception will be thrown and the file will not be written.


II.  Using a policy file to give a remote applet permission to access local resources.

    General note:  In this block you are given instructions for doing things where you will be working in the root directory of the C: drive of a Windows based system.  All of the things discussed are also possible on Unix based systems, but some of the paths, etc., may differ.  Unix specific instructions are not given on this Web page.  The reason for using C:\ is to keep path lengths to a minimum.  This is helpful both when navigating in the command prompt and when accessing folders through Windows.

    1.  Here is a security policy file which can be downloaded and put into C:\ on your system.  This policy file grants the codeBase of this Web page permission to write files into C:\ on the machine it is installed on--provided other steps are taken.  (See the steps below.)

    javasecurity/mypolicy

    If you follow the link, you will find that these are the contents of the file:

grant codeBase "http://math.uaa.alaska.edu/~afkas/cs413/javasecurity/"
{
  permission java.io.FilePermission "C:\\*", "write";
};

    2.  In order for the new policy file to be in effect along with the default ones, it is necessary to make an entry in the java.security file on your system.  The instructions are given under the assumption that you have a standard installation of Java on a Windows machine.  In other words, all Java related folders and files can be found in this folder:  C:\Program Files\Java.

    Find the java.security file.  It should be located in this path:  C:\Program Files\Java\jre1.6.0\lib\security\java.security.  (Do not mistakenly work with the file of the same name found in this path:  C:\Program Files\Java\jdk1.6.0\jre\lib\security\java.security.  See point 5.B for information on this.)  Inside this file you should find two lines like these:

policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

    Add this similar line to the file, following the ones shown above.

policy.url.3=file:/C:/mypolicy

    There are several options for giving local files as URLs.  I will consistently use the form shown above, where the word file is followed by a colon and a single forward slash.  This is followed by the path, which always uses forward slashes as separators when given in URL form.

    3.  This is a detail, but it is given in a separate point so that you won't overlook it.  In order to make sure that the changes you have made are in effect, close your browser program and start it again.  For the runtime environment, it appears that the settings from the java.security file are put into effect when the browser program is started.  If changes are made midstream and the browser is not restarted, the changes will not be in effect.

    4.  After the mypolicy file has been downloaded, the java.security file has been changed, and the browser has been restarted, try running the applet again:

    javasecurity/WriteAlphabetApplet.html 

    If everything went as planned, the applet will display a message saying that the file was written and you will find the file C:\alphabet.txt on your computer.

    5.  Additional information related to this set of examples:

    A.  It is not evident from any of the items spelled out so far, but it is the case that the applet above was put into a jar file.  A jar file is the typical form for a codeSource because it is possible to digitally sign jar files.  In this example the code source is not signed, so it's a simple codeBase, but it is still made available as a jar file.  This is the form you expect to use when you are granting permissions.

 

    If you are rusty on making jar files and linking applets to Web pages, you can go to the notes for Unit 21 of the Web page for CS 202.  Those notes cover applications rather than applets, but the process of turning applets into jar files works the same way.  Those notes also do not specifically cover linking jar files to Web pages.  If you click on the link above for WriteAlphabetApplet.html and then in the menu do View/Source, you will see this simple example html code for linking to a jar file:

 

<applet code="WriteAlphabetApplet.class"
archive="WriteAlphabetApplet.jar"
width="500" height="500">
</applet>

    B.  The instructions given above work for granting permissions to remote code through a policy file on the local computer where it is run.  You will also find this file on the local system:  C:\Program Files\Java\jdk1.6.0\jre\lib\security\java.security.  This copy of the java.security file controls the policy files used when running code locally, for example through the appletviewer, or when compiling and running from TextPad.  The next examples, under Roman numeral III, make use of this copy of the file.
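    Added example, not part of the original page or its javasecurity files:  a small Java program that loads a policy file through the standard JavaPolicy provider and asks it whether code from a given location is granted a given permission.  It uses a temporary directory in place of C:\ and writes its own grant text modelled on mypolicy; the class name PolicyGrantCheck and the file names app.jar, sub and alphabet.txt are made up for the demonstration.  It shows the difference between the three trailing forms a codeBase can take ("/", "/*" and "/-") and that a FilePermission target ending in "*" covers files directly in the directory but not files in a subdirectory.  It assumes a JDK that still ships java.security.Policy along with the Security Manager (JDK 8 through JDK 23).

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

/**
 * Added demonstration (not the page's code): load a policy file with the standard
 * "JavaPolicy" provider and ask it which code locations a grant really reaches.
 * A temporary directory stands in for C:\; the grant text is modelled on mypolicy.
 * Assumes a JDK that still ships java.security.Policy (JDK 8 through JDK 23).
 */
public class PolicyGrantCheck {

    /** Writes a policy file granting write access to files directly in dir (target "dir/*"). */
    static Path writePolicy(Path dir, String codeBase) throws IOException {
        // Backslashes inside policy-file strings must be doubled, as in the page's "C:\\*".
        String target = (dir.toString() + File.separator + "*").replace("\\", "\\\\");
        String text = "grant codeBase \"" + codeBase + "\"\n"
                    + "{\n"
                    + "  permission java.io.FilePermission \"" + target + "\", \"write\";\n"
                    + "};\n";
        Path policy = Files.createTempFile(dir, "mypolicy", ".policy");
        Files.write(policy, text.getBytes(StandardCharsets.UTF_8));
        return policy;
    }

    /** Does the policy grant perm to unsigned code loaded from codeLocation? */
    static boolean granted(Path policyFile, String codeLocation, Permission perm) throws Exception {
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
        CodeSource cs = new CodeSource(new URL(codeLocation), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), perm);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("policydemo");
        Files.createDirectory(dir.resolve("sub"));   // a real subdirectory, so its URL keeps its trailing slash
        String base = dir.toUri().toString();        // e.g. file:///tmp/policydemo123/
        if (!base.endsWith("/")) {
            base += "/";
        }

        // The three trailing forms a codeBase can take, and three places code might live.
        String[] forms = { base, base + "*", base + "-" };
        String[] locations = { base, base + "app.jar", base + "sub/" };
        Permission inDir = new FilePermission(dir.resolve("alphabet.txt").toString(), "write");
        Permission inSub = new FilePermission(dir.resolve("sub").resolve("x.txt").toString(), "write");

        for (String form : forms) {
            Path policy = writePolicy(dir, form);
            for (String loc : locations) {
                System.out.printf("codeBase ...%-4s  code at ...%-10s  write alphabet.txt: %b%n",
                        form.substring(base.length() - 1), loc.substring(base.length() - 1),
                        granted(policy, loc, inDir));
            }
        }
        // "dir/*" names files directly in dir; files in sub/ would need a "dir/-" target instead.
        System.out.println("write sub/x.txt under the same grant: "
                + granted(writePolicy(dir, base + "-"), base, inSub));
    }
}
```

    Compile and run it with no special options; nothing in it needs a security manager.  Only the "/-" codeBase reaches code in sub/, only "/*" and "/-" reach app.jar, and the "*" FilePermission target never reaches sub/x.txt.  Checking a policy this way before adding it under policy.url.3 lets you confirm exactly which code a grant applies to.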


III.  Using a security manager and a policy file to give a local application limited permission to access local resources.

    General note:  In this block you are again given instructions for doing things where you will be working in the root directory of the C: drive of a Windows based system.

    1.  Download this Java application and save it in a convenient location on your machine.  At this point it's not necessary for it to be in C:\.

    javasecurity/WriteAlphabetApplicationWithSM.java

    If you open the source code, you will see that this application tries to write to the file alphabet.txt, but at the beginning of the code there is an addition.  A security manager is constructed and set by calling a static method of the System class.  As a result, the application will no longer have access to the local system's resources by default.  If you compile and run the code, it will not write to alphabet.txt, and a security exception will be thrown.

    The code contains a second change.  Before the attempt to write, a call to a static method in the AccessController class is made which checks for write permission.  This shows that rather than relying solely on the security exception caused by an attempted write, the programmer can check for specific permissions in advance and write the code so that it handles whatever security situation it finds itself in by catching the exceptions thrown.

    2.  From this point on, in order to keep path lengths short, the directions are given for working in C:\.  Download this policy file and save it in C:\.

    javasecurity/mypolicy2

    Here are the contents of the file:

grant codeBase "file:/C:/"
{
  permission java.io.FilePermission "C:\\*", "write";
};

    This policy file grants any code located in C:\ permission to write to any file in C:\.  Notice the form of the codeBase.  For a local code base the word file is used, followed by a colon, followed by a single forward slash, followed by the path, using forward slashes as separators.

    3.  In order for the new policy file to be in effect along with the default ones, it is necessary to make an entry in the java.security file on your system which affects local operation.  That means you want to work with the file found in this path:  C:\Program Files\Java\jdk1.6.0\jre\lib\security\java.security.  Inside this file you should find two lines like these:

policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

    Add this similar line to the file, following the ones shown above.

policy.url.3=file:/C:/mypolicy2

    Whichever java.security file you are working in, you want the policy.url entries numbered one after the other without skipping a value.  If you've followed all of the directions so far, the two java.security files in different paths now have different policy.url.3 entries.  This is not a problem.  It is just a result of having two java.security files, one which affects the running of remote code and one which affects the running of local code.

    4.  After the mypolicy2 file has been downloaded and the java.security file has been changed, download the application again--and make sure that you save it in C:\, the location of the codeBase which has been given write permission on alphabet.txt.  Compile and run the application from C:\.

    javasecurity/WriteAlphabetApplicationWithSM.java

    If everything went as planned, the application will display a message saying that the file was written and you will find the file C:\alphabet.txt on your computer.
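    Added example, not the page's WriteAlphabetApplicationWithSM.java (whose source is only described above):  a Java application of the same shape, written from that description.  It installs a security manager, asks the AccessController in advance whether writing the target file is permitted, and writes the alphabet only if it is.  The class name WriteAlphabetGuarded is made up; the target path is taken from the command line so the program can be tried outside C:\.  With the mypolicy2 grant above in effect and the compiled class in C:\, it writes C:\alphabet.txt; without the grant it reports that writing is not permitted instead of dying on a security exception.  It assumes a JDK that still supports a security manager (JDK 8 through 23; JDK 17 and later also need -Djava.security.manager=allow for the in-code installation).

```java
import java.io.File;
import java.io.FilePermission;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.AccessController;

/**
 * Added stand-in for the page's WriteAlphabetApplicationWithSM.java, whose source is
 * not reproduced on the page: install a security manager, ask the AccessController up
 * front whether writing the target file is permitted, and only then write it.
 *
 * Run from C:\ (where the class is compiled) with the page's mypolicy2 also in C:\:
 *   java -Djava.security.policy=mypolicy2 WriteAlphabetGuarded C:\alphabet.txt
 * Without the policy file, the program reports that the write is not permitted.
 * JDK 17 and later need -Djava.security.manager=allow for the setSecurityManager call;
 * JDK 24 removed the security manager altogether.
 */
public class WriteAlphabetGuarded {

    public static void main(String[] args) throws IOException {
        // Use an absolute path so the permission checked matches the grant's absolute target.
        String target = new File(args.length > 0 ? args[0] : "alphabet.txt").getAbsolutePath();

        // As in the page's application: once a security manager is installed, the policy
        // files, not the user's ambient rights, decide what this code may touch.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        if (!mayWrite(target)) {
            System.out.println("Writing " + target + " is not permitted by the current policy; nothing written.");
            return;
        }
        writeAlphabet(target);
        System.out.println("The alphabet was written to " + target);
    }

    /** Ask the AccessController in advance instead of waiting for FileWriter to throw. */
    static boolean mayWrite(String path) {
        try {
            AccessController.checkPermission(new FilePermission(path, "write"));
            return true;
        } catch (AccessControlException e) {
            return false;   // denied: opening the file for writing would throw this same exception
        }
    }

    /** Writes A..Z and a line break; opening the file is itself policy-checked by the JVM. */
    static void writeAlphabet(String path) throws IOException {
        try (FileWriter out = new FileWriter(path)) {
            for (char c = 'A'; c <= 'Z'; c++) {
                out.write(c);
            }
            out.write(System.lineSeparator());
        }
    }
}
```

    The advance check is what lets the program degrade cleanly: the same FilePermission the security manager would enforce on the open is tested first, so the decision to skip the write is taken by the program rather than by an uncaught exception.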


IV.  Using security managers and policy files at the command prompt.

    Preliminary note:  At this point I strongly recommend that you do one of the two following things:

    A.  Delete the policy.url.3 entries you made in both of the java.security files when following the steps above.

    B.  Comment out the policy.url.3 entries in both of the java.security files by putting a "#" at the beginning of the line.

    If you do either of these two things, this should reduce the confusion about which policy files are in effect and causing any of the results which you may see.

    The following examples illustrate the fact that you can use security managers and policy files without making any changes to the java.security files.  This is the only way to work if you are in a situation where you do not have authorization to change the security settings of the desktop.  Even if you do have authorization, this may be a more convenient way to do testing, because it frees you of the worry that you may be messing up the java.security files on your system.

    Working at the command prompt is also probably more realistic in the case where you have downloaded an application and wish to use it locally.  In the previous block it was shown that you can set a security manager from inside application code.  However, if you download source code and compile it locally, most likely you do not want to have to edit the source code and set a security manager inside it, as shown in the previous set of examples.  Instead, it would be more convenient to set a security manager and policy file and simply run from the command prompt.  The next examples illustrate this idea.

    As in the examples in the previous section, the following examples assume that everything needed is stored in C:\.  Both the policy file and the compiled application are assumed to be there.  This keeps the path names from being too long.

    1.  This example shows running the version of the application with the security manager in it, setting the policy file at the command prompt.  Executing the application in this way should work.

C:\>java -Djava.security.policy=mypolicy2 WriteAlphabetApplicationWithSM

    2.  This example shows setting the security manager at the command prompt for the version of the application that doesn't have one set inside.  Without a policy file, executing the application in this way will cause a security exception to be thrown.

C:\>java -Djava.security.manager WriteAlphabetApplication

    3.  This example combines the previous two.  It is possible to both set a security manager and set a policy file at the same time.  In this case the application will work.

C:\>java -Djava.security.manager -Djava.security.policy=mypolicy2 WriteAlphabetApplication

    4.  This is a final observation on the syntax shown in the examples above.  The single = sign causes the specified policy file to be added to any other (system) policy files that may be in effect.  If the single = sign is replaced by two = signs, then the specified policy file will be the only one in effect when the application runs.

    It seems somewhat less likely that you would want to test applets from the command prompt, but that is also possible.  Rather than setting this up with a local applet, the following two examples run a remote applet, but the assumption is still that the policy file is in C:\.

    1.  Trying to run a remote applet without a policy file which grants permission will cause a security exception to be thrown.

C:\>appletviewer http://math.uaa.alaska.edu/~afkas/cs413/javasecurity/WriteAlphabetApplet.html

    2.  This is the syntax that can be used to set the security policy for the remote applet.  This should execute OK.

C:\>appletviewer -J-Djava.security.policy=mypolicy http://math.uaa.alaska.edu/~afkas/cs413/javasecurity/WriteAlphabetApplet.html

    Notice that this includes a "-J" option.  This is necessary when working with an applet, and there can be no space between the "-J" and the "-Djava".


cs413HW2.doc  Here is the second assignment.


MyKeytoolOverheads.doc  These are my notes on the aspects of the Java keytool needed in order to sign code.  Information on the keytool is also given in chapter 3 of the book Core Java Security Patterns, in chapter 9 of the book Core Java 2:  Volume II, and in the tutorials provided by Sun.  You can use whichever resource you find most helpful.

MyJarsignerOverheads.doc  These are my notes on the aspects of the Java jarsigner needed in order to sign code.  Information on the jarsigner is also given in chapter 3 of the book Core Java Security Patterns, in chapter 9 of the book Core Java 2:  Volume II, and in the tutorials provided by Sun.  You can use whichever resource you find most helpful. 


    3/30/2007:  Code signing examples will be put here if I find the time to create them.


    The following links have to do with topics covered in Chapter 4 of the book "The Java 2 Platform Security".  Figuring everything out also required referring to Chapter 9 of the book "Core Java 2:  Volume II" and the online tutorials at www.sun.com.  All of the sample code is in a subdirectory named chapter4stuff.

chapter4stuff/TestMessageDigests.java

chapter4stuff/TestKeysAndSignatures.java

chapter4stuff/TestKeysAndSignaturesNoPrinting.java

chapter4stuff/TestDES.java

chapter4stuff/TestDESNoPrinting.java


cs413HW3.doc  Here is the third assignment.




XXXXXXX

Spring of 2007 notice:  This Web page is under revision.  Nothing below this notice is current.  Information for the current semester will be posted above this notice as it becomes available.

XXXXXXX


The assignments start here:

oldstuff/cs413ass1.doc  This is assignment 1.  It involves writing some programs to decrypt and encrypt data.  The following files are related to it.

oldstuff/LetterCount.java  This is the Java file that finds relative letter frequencies.

oldstuff/cryptfile1.txt  This is the first file you have to decrypt for the assignment.

oldstuff/cryptfile2.txt  This is the second file you have to decrypt for the assignment.

oldstuff/cryptfile3.txt  This is the third file, which you may decrypt for the assignment.

oldstuff/cs413ass2.doc  This is assignment 2.  It covers various topics from chapter 2.


oldstuff/cs413ch10outline.doc  This document shows how the material below relates to the contents of chapter 10 in the book.

Stage 1

oldstuff/cs413securitynotesoverheads.doc

          The following files were the basis for the overheads.  It may or may not be helpful to look at them for further detail on some of the topics covered in the overheads.

          oldstuff/cs413secretkey.doc

          oldstuff/cs413merklehellman.doc

oldstuff/cs413ass3.doc

Stage 2

          This is just a brief discussion of NP-Completeness as it relates to encryption, as given in the book.

Stage 3

oldstuff/cs413encryptmathoverheads.doc

          The following file was the basis for the overheads.  It may or may not be helpful to look at it for further detail on some of the topics covered in the overheads.

          oldstuff/cs413encryptmath.doc

Stage 4

oldstuff/cs413fermatoverheads.doc

          The following file was the basis for the overheads.  It may or may not be helpful to look at it for further detail on some of the topics covered in the overheads.

          oldstuff/cs413proofsthms.doc

          The Merkle-Hellman file is posted again.  The idea is that you are now ready for Merkle-Hellman homework problems where you have to find the modular inverse yourself.

          oldstuff/cs413merklehellman.doc

oldstuff/cs413ass4.doc

Stage 5

oldstuff/cs413eulerrsaoverheads.doc

          The following file was the basis for the overheads.  It may or may not be helpful to look at it for further detail on some of the topics covered in the overheads.

          oldstuff/cs413eulerrsa.doc

oldstuff/cs413ass5.doc


Test 1 will cover chapters 1, 2, and 10.


oldstuff/cs413ass6.doc  This assignment is related to chapter 3.

oldstuff/cs413ass7.doc  This assignment is related to chapter 7.

Chapter 4 is also on the syllabus.  It is not clear at this time how much of chapter 4 will be covered.  Only 7 assignments are listed on the syllabus, so no assignment will be added for chapter 4.  It is possible that questions will be added to the assignments listed above and that their division between chapters will be modified.


Test 2 will cover chapter 3 through section 3.4, and section 7.2.  Here is an outline of the test:

oldstuff/cs413test2outlinesp2005.doc


oldstuff/cs413projectdemo  This document contains information about the written and oral components of the final project/demo.


Student papers:

    Attention:  Please submit a version of your paper as a Word document.  If that isn't possible, please submit a plain text file.  You may also submit a .pdf version and I will be glad to post it for the benefit of those who like using that format.  Not everyone can conveniently read .pdf files.  (Due to the worldwide Microsoft conspiracy, I am among those unlucky ones.)

cs413spring2005Hunt.doc

cs413spring2005Olson.doc

cs413spring2005Snelling.doc, cs413spring2005Snelling.pdf

cs413spring2005Sullivan.doc

cs413spring2005Wedge.doc

cs413spring2005Konovalov.pdf

cs413spring2005Becke.pdf

cs413spring2005Smith.doc

cs413spring2005Burnham.doc

cs413spring2005Barber.doc

cs413spring2005Scorup.doc

cs413spring2005Khavanskii.doc

cs413spring2005Weaver.doc

cs413spring2005Kohler.doc

cs413spring2005Norrish.doc

cs413spring2005Torrijos.doc

cs413spring2005Freeman.doc

cs413spring2005Kettell.doc

cs413spring2005Choe.doc

cs413spring2005DeKoker.doc

 


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

This Web page is under revision.  Only stuff above this notice is valid for Spring Semester of 2005.