[CNS 2019] Cryptography and Network Security
Course Info
Syllabus
1 | Feb 19 | Course Introduction
2 | Feb 26 | Security and Crypto Overview
3 | Mar 05 | Cryptographic Hash Functions
4 | Mar 12 | Symmetric Cryptography
5 | Mar 19 | Asymmetric Cryptography and Public Key Infrastructure
6 | Mar 26 | Authentication
7 | Apr 02 | No Class (Spring Break)
8 | Apr 09 | Anonymity and Privacy
9 | Apr 16 | 1st Midterm Exam
10 | Apr 23 | Insecurity of TCP/IP, BGP, DNS, WiFi
11 | Apr 30 | (D)DoS
12 | May 07 | Transport Layer Security
13 | May 14 | Selected Topics: Software, Web, Systems Security
14 | May 21 | Selected Topics: Guest Lecture
15 | May 28 | Selected Topics: Blockchain, cryptocurrencies, secure voting
16 | Jun 04 | 2nd Midterm Exam
17 | Jun 11 | Group Presentation - I
18 | Jun 18 | Group Presentation - II
Teaching Team
- Email: cns@csie.ntu.edu.tw
毛偉倫 | Tue 10:00-11:00 | R307
蕭乙蓁 | Tue 17:20-18:20 | R217
江緯璿 | Wed 10:30-11:30 | R217
Sample Reading
- Cryptography
  - MD5 considered harmful today
  - A. Perrig, R. Canetti, J. D. Tygar, and D. Song, “The TESLA broadcast authentication protocol,” in RSA CryptoBytes, 2005.
  - Laurent Eschenauer and Virgil D. Gligor. “A key-management scheme for distributed sensor networks,” in ACM CCS, 2002.
  - Egele, Manuel, et al. “An empirical study of cryptographic misuse in android applications.” Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013.
- PKI
  - L. S. Huang, A. Rice, E. Ellingsen and C. Jackson, “Analyzing Forged SSL Certificates in the Wild,” 2014 IEEE Symposium on Security and Privacy, San Jose, CA, 2014, pp. 83-97.
- Secure voting
  - M. R. Clarkson, S. Chong and A. C. Myers, “Civitas: Toward a Secure Voting System,” 2008 IEEE Symposium on Security and Privacy (sp 2008), Oakland, CA, 2008, pp. 354-368. doi: 10.1109/SP.2008.32
- Authentication and Password
  - A. Juels and R. Rivest. “Honeywords: Making password-cracking detectable,” in ACM CCS, 2013.
  - A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang. “The Tangled Web of Password Reuse,” in NDSS, 2014.
  - K. C. Wang and M. K. Reiter, “How to End Password Reuse on the Web,” in NDSS, 2019.
  - D. Silver, S. Jana, E. Chen, C. Jackson, and D. Boneh, “Password managers: Attacks and defenses,” in Proceedings of USENIX Security, 2014.
  - J. Bonneau and C. Herley, “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes,” in IEEE S&P, 2012.
  - N. Gelernter, S. Kalma, B. Magnezi, and H. Porcilan, “The Password Reset MitM Attack,” in IEEE Symposium on Security and Privacy, 2017.
  - Brainard, John, et al. “Fourth-factor authentication: somebody you know.” Proceedings of the 13th ACM conference on Computer and communications security. ACM, 2006.
- Anonymity and Privacy
  - R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The Second-Generation Onion Router,” in USENIX Security, 2004.
  - D. Fifield, C. Lan, R. Hynes, P. Wegmann, and V. Paxson, “Blocking-resistant communication through domain fronting,” in Privacy Enhancing Technologies, 2015.
  - Tschantz, Michael Carl, Sadia Afroz, and Vern Paxson. “SoK: Towards grounding censorship circumvention in empiricism.” 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 2016.
- TCP/IP
  - S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical network support for IP traceback,” ACM SIGCOMM Comput. Commun. Rev., vol. 30, no. 4, pp. 295–306, 2000.
  - Bellovin, Steven M. “A look back at ‘Security problems in the TCP/IP protocol suite’.” 20th Annual Computer Security Applications Conference. IEEE, 2004.
- DDoS attack and defense
  - A. Juels and J. Brainard, “Client puzzles: A cryptographic countermeasure against connection depletion attacks,” in NDSS, 1999.
  - A. Yaar, A. Perrig, and D. Song, “SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks,” in IEEE S&P, 2004.
  - M. S. Kang, S. B. Lee, and V. D. Gligor, “The Crossfire Attack,” in IEEE S&P, 2013.
  - C. Rossow, “Amplification Hell: Revisiting Network Protocols for DDoS Abuse,” in NDSS, 2014.
  - R. Rasti, M. Murthy, and V. Paxson, “Temporal Lensing and its Application in Pulsing Denial of Service Attacks,” in IEEE S&P, 2015.
  - Crosby, Scott A., and Dan S. Wallach. “Denial of Service via Algorithmic Complexity Attacks.” Usenix Security. Vol. 2. 2003.
- Transport Layer Security
  - Jeremy Clark and Paul C. van Oorschot. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements, in IEEE S&P, 2013.
  - Adrian, David, et al. “Imperfect forward secrecy: How Diffie-Hellman fails in practice.” Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015.
- BGP
  - K. Butler, T. R. Farley, P. McDaniel, and J. Rexford, “A survey of BGP security issues and solutions,” in Proceedings of the IEEE, 2010.
  - O. Nordström and C. Dovrolis, “Beware of BGP attacks,” ACM SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, p. 1, 2004.
  - M. Apostolaki, A. Zohar, and L. Vanbever, “Hijacking Bitcoin: Routing Attacks on Cryptocurrencies,” in IEEE Symposium on Security and Privacy, 2017.
  - Lychev, Robert, Sharon Goldberg, and Michael Schapira. “BGP security in partial deployment: Is the juice worth the squeeze?.” ACM SIGCOMM Computer Communication Review. Vol. 43. No. 4. ACM, 2013.
- Web security
  - Barth, Adam, Collin Jackson, and John C. Mitchell. “Robust defenses for cross-site request forgery,” in ACM CCS, 2008.
  - Jackson and A. Barth, “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks,” in WWW, 2008.
  - Englehardt, Steven, and Arvind Narayanan. “Online tracking: A 1-million-site measurement and analysis.” Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.
- Software security
  - C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, “StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks,” in USENIX Security, 1998.
  - Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. 2004. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM conference on Computer and communications security (CCS ’04). ACM, New York, NY, USA, 298-307.
  - Smashing The Stack For Fun And Profit
- IoT security
  - M. Surbatovich, J. Aljuraidan, L. Bauer, A. Das, and L. Jia, “Some Recipes Can Do More Than Spoil Your Appetite: Analyzing the Security and Privacy Risks of IFTTT Recipes,” in WWW, 2017.
  - E. Fernandes, J. Jung, and A. Prakash, “Security Analysis of Emerging Smart Home Applications,” in IEEE Symposium on Security and Privacy, 2016.
  - Antonakakis, Manos, et al. “Understanding the Mirai botnet.” 26th USENIX Security Symposium (USENIX Security 17). 2017.
- Usability and security
  - Whitten, Alma, and J. Doug Tygar. “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0.” USENIX Security Symposium. Vol. 348. 1999.
  - G. Wurster and P. C. van Oorschot, “The developer is the enemy,” in workshop on New security paradigms, 2008.
  - M. Green and M. Smith, “Developers are Not the Enemy! The Need for Usable Security APIs,” IEEE Secur. Priv., vol. 14, no. 5, pp. 40–46, 2016.
  - Ross J. Anderson. 1994. Why cryptosystems fail. Commun. ACM 37, 11 (November 1994), 32-40.
- Cloud Security
  - Ristenpart, Thomas, et al. “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds.” Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009.
  - T. Vissers, T. Van Goethem, W. Joosen, and N. Nikiforakis, “Maneuvering Around Clouds: Bypassing Cloud-based Security Providers,” in ACM CCS 2015.
- Wireless Security
  - Vanhoef, Mathy, and Frank Piessens, “Key reinstallation attacks: Forcing nonce reuse in WPA2,” in ACM CCS, 2017. KRACK attack
- DNS Security
- System Security
  - Yarom, Yuval, and Katrina Falkner, “FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack,” in USENIX Security Symposium, 2014.
  - Spectre and Meltdown
- ML and security
  - Sommer, Robin, and Vern Paxson. “Outside the closed world: On using machine learning for network intrusion detection.” 2010 IEEE symposium on security and privacy. IEEE, 2010.
  - Sharif, Mahmood, et al. “Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition.” Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.
  - Carlini, Nicholas, and David Wagner. “Towards evaluating the robustness of neural networks.” 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017.
- Cryptocurrencies
  - J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten, “SoK: Research perspectives and challenges for bitcoin and cryptocurrencies,” in Proceedings - IEEE Symposium on Security and Privacy, 2015.
- Science of Security
  - Herley, Cormac, and Paul C. Van Oorschot. “SoK: Science, security and the elusive goal of security as a scientific pursuit.” 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017.
- Intro
  - Thompson, Ken. “Reflections on trusting trust.” Commun. ACM 27.8 (1984): 761-763.
  - Anderson, Ross. “Why information security is hard - an economic perspective.” Seventeenth Annual Computer Security Applications Conference. IEEE, 2001.
- Ethics
  - Abelson, Harold, et al. “Keys under doormats: mandating insecurity by requiring government access to all data and communications.” Journal of Cybersecurity 1.1 (2015): 69-79.
Past Projects
- Crypto
  - End to End Secured Realtime Chat Room
  - NTU Vote: Attack and Defense
  - Secure I-Voting System
  - The Study of Batch Verification for Vehicular Communications
  - Privacy-preserving data mining
  - I-voting System Implementation
- Password
  - Website Security against Brute Force Attack
  - I Want Your Password
- Anonymity and Privacy
  - Cyber Hunting System
  - Deep web and darknet survey
  - Location Anonymity
- Web
  - Malicious Mining Program in Browser Survey
  - Security Issues of Short URLs
  - NTU Campus Website Security Assessment
  - AdvertiXmentsert: The Extreme Ad Terminator
  - Clickjacking
  - Internationalized Domain Names (IDN) phishing
  - Shortened URLs
  - Investigation and Study on Browser Hijacking
- Wireless
  - Common WiFi vulnerability investigation
  - NFC: Potential Threats and Attacks
  - Survey and Experiments on Wi-Fi Vulnerabilities
  - WarWalking NTU: A Survey of NTU WiFi
  - Evil-Twin Attack
- DDoS
  - Defending Against Browser-Based DDoS
  - Flash Crowd Mimicking Attacks with Implementation and Analysis in Heterogeneous Network
  - A Survey on DoS: Attack and Defence
- IoT
  - Mirai analysis and IoT Mitigation
  - Juice Jacking Implementation using Embedded Device
- Mobile and Apps
  - WooTalk Security Analysis
  - Android Malware Survey and Design
  - A Practical Attack on EasyCard using Android Device
  - Security Issues of Electronic Invoices
  - Sound Pay: A Better Choice for Mobile Payment
  - Risk Analysis and Hack in Android Apps
  - Hacking Android Apps!
- ML
  - Learning to Detect - From ML to Malware Family
  - Learning to Defend – From ML to Security
- Software and Systems
  - Survey of Antivirus
  - An Examination of Ways Against Ransomware
  - When Ransomware Becomes Service
  - Attacks on the Judge System
  - Bash vulnerability - Shellshock
  - Studying on VPN – NTU SSLVPN
- Bitcoin
  - Bitcoin Address Management
  - A First Look at Electronic Currency and Related Information Security Issues