[CNS 2019] Cryptography and Network Security

Course Info | Syllabus | Teaching Team | Sample Reading | Past Projects

Course Info

Course number: CSIE 7190
Location: R102
Time: 14:20-17:10 (Tue.)
Website: NTU CEIBA
Readings: readings by week

Syllabus

Wk.	Date	Topic
1	Feb 19	Course Introduction
2	Feb 26	Security and Crypto Overview
3	Mar 05	Cryptographic Hash Functions
4	Mar 12	Symmetric Cryptography
5	Mar 19	Asymmetric Cryptography and Public Key Infrastructure
6	Mar 26	Authentication
7	Apr 02	No Class (Spring Break)
8	Apr 09	Anonymity and Privacy
9	Apr 16	1st Midterm Exam
10	Apr 23	Insecurity of TCP/IP, BGP, DNS, WiFi
11	Apr 30	(D)DoS
12	May 07	Transport Layer Security
13	May 14	Selected Topics: Software, Web, Systems Security
14	May 21	Selected Topics: Guest Lecture
15	May 28	Selected Topics: Blockchain, cryptocurrencies, secure voting
16	Jun 04	2nd Midterm Exam
17	Jun 11	Group Presentation - I
18	Jun 18	Group presentation - II

Teaching Team

Email: cns@csie.ntu.edu.tw

TA	Office Hour	Location
毛偉倫	Tue 10:00-11:00	R307
蕭乙蓁	Tue 17:20-18:20	R217
江緯璿	Wed 10:30-11:30	R217

Sample Reading

Cryptography
- MD5 considered harmful today
- A. Perrig, R. Canetti, J. D. Tygar, and D. Song, “The TESLA broadcast authentication protocol,” in RSA CryptoBytes, 2005.
- Laurent Eschenauer and Virgil D. Gligor. “A key-management scheme for distributed sensor networks,” in ACM CCS, 2002.
- Egele, Manuel, et al. “An empirical study of cryptographic misuse in android applications.” Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013.
PKI
- L. S. Huang, A. Rice, E. Ellingsen and C. Jackson, “Analyzing Forged SSL Certificates in the Wild,” 2014 IEEE Symposium on Security and Privacy, San Jose, CA, 2014, pp. 83-97.
Secure voting
- M. R. Clarkson, S. Chong and A. C. Myers, “Civitas: Toward a Secure Voting System,” 2008 IEEE Symposium on Security and Privacy (sp 2008), Oakland, CA, 2008, pp. 354-368. doi: 10.1109/SP.2008.32
Authentication and Password
- A. Juels and R. Rivest. “Honeywords: Making password-cracking detectable,” in ACM CCS, 2013.
- A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang. “The Tangled Web of Password Reuse,” in NDSS, 2014.
- K. C. Wang and M. K. Reiter, “How to End Password Reuse on the Web,” in NDSS, 2019.
- D. Silver, S. Jana, E. Chen, C. Jackson, and D. Boneh, “Password managers: Attacks and defenses,” in Proceedings of USENIX Security, 2014.
- J. Bonneau and C. Herley, “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes,” in IEEE S&P, 2012.
- N. Gelernter, S. Kalma, B. Magnezi, and H. Porcilan, “The Password Reset MitM Attack,” in IEEE Symposium on Security and Privacy, 2017.
- Brainard, John, et al. “Fourth-factor authentication: somebody you know.” Proceedings of the 13th ACM conference on Computer and communications security. ACM, 2006.
Anonymity and Privacy
- R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The Second-Generation Onion Router,” in USENIX Security, 2004.
- D. Fifield, C. Lan, R. Hynes, P. Wegmann, and V. Paxson, “Blocking-resistant communication through domain fronting,” in Privacy Enhancing Technologies, 2015.
- Tschantz, Michael Carl, Sadia Afroz, and Vern Paxson. “Sok: Towards grounding censorship circumvention in empiricism.” 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 2016.
TCP/IP
- S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical network support for IP traceback,” ACM SIGCOMM Comput. Commun. Rev., vol. 30, no. 4, pp. 295–306, 2000.
- Bellovin, Steven M. “A look back at” security problems in the tcp/ip protocol suite." 20th Annual Computer Security Applications Conference. IEEE, 2004.
DDoS attack and defense
- A. Juels and J. Brainard, “Client puzzles: A cryptographic countermeasure against connection depletion attacks,” in NDSS, 1999.
- A. Yaar, A. Perrig, and D. Song, “SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks,” in IEEE S&P, 2004.
- M. S. Kang, S. B. Lee, and V. D. Gligor, “The Crossfire Attack,” in IEEE S&P, 2013.
- C. Rossow, “Amplification Hell: Revisiting Network Protocols for DDoS Abuse,” in NDSS, 2014.
- R. Rasti, M. Murthy, and V. Paxson, “Temporal Lensing and its Application in Pulsing Denial of Service Attacks,” in IEEE S&P, 2015.
- Crosby, Scott A., and Dan S. Wallach. “Denial of Service via Algorithmic Complexity Attacks.” Usenix Security. Vol. 2. 2003.
Transport Layer Security
- Jeremy Clark and Paul C. van Oorschot. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements, in IEEE S&P, 2013.
- Adrian, David, et al. “Imperfect forward secrecy: How Diffie-Hellman fails in practice.” Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015.
BGP
- K. Butler, T. R. Farley, P. McDaniel, and J. Rexford, “A survey of BGP security issues and solutions,” in Proceedings of the IEEE, 2010.
- O. Nordström and C. Dovrolis, “Beware of BGP attacks,” ACM SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, p. 1, 2004.
- M. Apostolaki, A. Zohar, and L. Vanbever, “Hijacking Bitcoin: Routing Attacks on Cryptocurrencies,” in IEEE Symposium on Security and Privacy, 2017.
- Lychev, Robert, Sharon Goldberg, and Michael Schapira. “BGP security in partial deployment: Is the juice worth the squeeze?.” ACM SIGCOMM Computer Communication Review. Vol. 43. No. 4. ACM, 2013.
Web security
- Barth, Adam, Collin Jackson, and John C. Mitchell. “Robust defenses for cross-site request forgery,” in ACM CCS, 2008.
- Jackson and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” in WWW, 2008.
- Englehardt, Steven, and Arvind Narayanan. “Online tracking: A 1-million-site measurement and analysis.” Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.
Software security
- C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, “StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks,” in USENIX Security, 1998.
- Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. 2004. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM conference on Computer and communications security (CCS ’04). ACM, New York, NY, USA, 298-307.
- Smashing The Stack For Fun And Profit
IoT security
- M. Surbatovich, J. Aljuraidan, L. Bauer, A. Das, and L. Jia, “Some Recipes Can Do More Than Spoil Your Appetite: Analyzing the Security and Privacy Risks of IFTTT Recipes,” in WWW, 2017.
- E. Fernandes, J. Jung, and A. Parkash, “Security Analysis of Emerging Smart Home Applications,” in IEEE Symposium on Security and Privacy, 2016.
- Antonakakis, Manos, et al. “Understanding the mirai botnet.” 26th {USENIX} Security Symposium ({USENIX} Security 17). 2017.
Usability and security
- Whitten, Alma, and J. Doug Tygar. “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0.” USENIX Security Symposium. Vol. 348. 1999.
- G. Wurster and P. C. van Oorschot, “The developer is the enemy,” in workshop on New security paradigms, 2008.
- M. Green and M. Smith, “Developers are Not the Enemy! The Need for Usable Security APIs,” IEEE Secur. Priv., vol. 14, no. 5, pp. 40–46, 2016.
- Ross J. Anderson. 1994. Why cryptosystems fail. Commun. ACM 37, 11 (November 1994), 32-40.
Cloud Security
- Ristenpart, Thomas, et al. “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds.” Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009.
- T. Vissers, T. Van Goethem, W. Joosen, and N. Nikiforakis, “Maneuvering Around Clouds: Bypassing Cloud-based Security Providers,” in ACM CCS 2015.
Wireless Security
- Vanhoef, Mathy, and Frank Piessens, “Key reinstallation attacks: Forcing nonce reuse in WPA2,” in ACM CCS, 2017. KRACK attack
DNS Security
- Bau, Jason, and John C. Mitchell. “A Security Evaluation of DNSSEC with NSEC3.” NDSS. 2010.
- An Illustrated Guide to the Kaminsky DNS Vulnerability
- A. Klein and B. Pinkas, “DNS Cache-Based User Tracking,” in NDSS, 2019.
System Security
- Yarom, Yuval, and Katrina Falkner, “FLUSH+ RELOAD: a high resolution, low noise, L3 cache side-channel attack,” in USENIX Security Symposium, 2014.
- Spectre and Meltdown
ML and security
- Sommer, Robin, and Vern Paxson. “Outside the closed world: On using machine learning for network intrusion detection.” 2010 IEEE symposium on security and privacy. IEEE, 2010.
- Sharif, Mahmood, et al. “Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition.” Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.
- Carlini, Nicholas, and David Wagner. “Towards evaluating the robustness of neural networks.” 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017.
Cryptocurrencies
- J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten, “SoK: Research perspectives and challenges for bitcoin and cryptocurrencies,” in Proceedings - IEEE Symposium on Security and Privacy, 2015.
Science of Security
- Herley, Cormac, and Paul C. Van Oorschot. “Sok: Science, security and the elusive goal of security as a scientific pursuit.” 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017.
Intro
- Thompson, Ken. “Reflections on trusting trust.” Commun. ACM 27.8 (1984): 761-763.
- Anderson, Ross. “Why information security is hard-an economic perspective.” Seventeenth Annual Computer Security Applications Conference. IEEE, 2001.
Ethics
- Abelson, Harold, et al. “Keys under doormats: mandating insecurity by requiring government access to all data and communications.” Journal of Cybersecurity 1.1 (2015): 69-79.

Past Projects

Crypto
- End to End Secured Realtime Chat Room
- NTU Vote: Attack and Defense
- Secure I-Voting System
- The Study of Batch Verification for Vehicular Communications
- Privacy-preserving data mining
- I-voting System Implementation
Password
- Website Security against Brute Force Attack
- I Want Your Password
Anonymity and Privacy
- Cyber Hunting System
- Deep web and darknet survey
- Location Anonymity
Web
- Malicious Mining Program in Browser Survey
- Security Issues of Short URLs
- 台大校園網站安全檢測
- AdvertiXmentsert: The Extreme Ad Terminator
- Clickjacking
- Internationalized Domain Names (IDN) phishing
- Shortened URLs
- Investigation and Study on Browser Hijacking
Wireless
- Common WiFi vulnerability investigation
- NFC: Potential Threats and Attacks
- Survey and Experiments on Wi-Fi Vulnerabilities
- WarWalking NTU: A Survey of NTU WiFi
- Evil-Twin Attack
DDoS
- Defending Against Browser-Based DDoS
- Flash Crowd Mimicking Attacks with Implementation and Analysis in Heterogeneous Network
- A Survey on DoS: Attack and Defence
IoT
- Mirai analysis and IoT Mitigation
- Juice Jacking Implementation using Embedded Device
mobile and apps
- WooTalk 安全性分析
- Android Malware Survey and Design
- A Practical Attack on EasyCard using Android Device
- 電子發票的安全性議題
- Sound Pay: A Better Choice for Mobile Payment
- Risk Analysis and Hack in Android Apps
- Hacking Android Apps!
ML
- Learning to Detect - From ML to Malware Family
- Learning to Defend – From ML to Security
Software and Systems
- Survey of Antivirus
- An Examination of Ways Against Ransomware
- When Ransomware Becomes Service
- Attacks on the Judge System
- Bash vulnerability - Shellshock
- Studying on VPN – NTU SSLVPN
Bitcoin
- Bitcoin Address Management
- 電子貨幣初探及相關資訊安全議題