Overview Information Security and Cryptography are of vital
importance today, with applications in communication and information
systems, electronic commerce and, more generally, in the emerging
Information Society. A basic knowledge of these topics is essential for
every professional who wishes to better understand, develop, or use
systems employing modern security technologies.
This
seminar provides an in-depth coverage of Information Security and
Cryptography from both a conceptual and application-oriented viewpoint.
At the same time, the mathematical, algorithmic, protocol-specific, and
system-oriented aspects are explained in a way understandable to a wide
audience. This includes the foundations needed to understand the
different approaches, a critical look at the state-of-the-art, and a
perspective on future security technologies.
The material is presented at three different levels. At the highest level,
the basic concepts are presented in detail, but abstractly (e.g., as
black boxes), without mathematics. No background is required to follow
at this level. At an intermediate level, the most important
concrete schemes, models, algorithms, and protocols are presented as
well as their applications. Here some minimal mathematical and systems
background is assumed. At the deepest level, which is not
required to understand the higher levels, different special topics,
requiring some mathematical background, are discussed.
Who should attend The
seminar is aimed at all professionals who need up-to-date knowledge and
expertise in Information Security and Cryptography. This includes
system designers and engineers, security experts, IT-professionals,
instructors, project managers, consultants, law enforcement
professionals, and professional cryptographers.
Introduction Information at Risk: Threats, Security Objectives, and
Security Measures
Classification of the Fundamental Information Security
Problems
Cryptography: Basic Concepts and Terminology Types
and Models of Cryptographic Systems Cryptographic Functions, Hash Functions Secrecy, Authenticity, and their Duality and Independence
Symmetric
Cryptography: Block Ciphers, Stream Cipher, MACs, Pseudo-Randomness
Attacks,
Assumptions, Security Definitions Public-Key Cryptosystems, Public-Key Agreement, Digital Signatures
Cryptography: Important Schemes and Protocols We introduce various must-know cryptographic
schemes, including DES, AES, relevant hash functions, the RSA system, the Diffie-Hellman key agreement protocol, the
basics of elliptic-curve cryptography, and modes of operation of cryptographic
schemes.
System and Network Security Review
of Networking Essentials
Trade-offs
in Securing Layers Security Protocols including Kerberos, SSL, IPsec Security Architectures Firewalls and Intrusion Detection
PKI
and Key Management Key Management Problems PKI Certificates, Architectures, and Standards Key Revocation and Recovery Trust Models (Direct, Cross, Hierarchical, Web of trust) X.509 and PGP, Naming and Identity Certificate Handling in Web Browsers
Nonrepudiation
and Digital Evidence The Digital Evidence Dilemma, Types of Digital Evidence Semantics of Digital Signatures, Certificates, Time-stamps Revalidation, Revocation Digital Signatures vs. Handwritten Signatures Digital Signature Legislation
Authentication,
Authorization, and Access Control AAA Architectures: Authentication, Authorization, and Access
Control Authentication: Passwords, Biometrics, and Token-based Policies and Models, Access Control Matrix Model DAC and MAC Models, RBAC, XACML BLP, Biba, and Chinese Wall models Single Sign-on and Identity Management
Privacy
and Usage Control Data Protection and Control of Intellectual Property Anonymity and Privacy-enhancing Technologies Proxies, Mix Networks, and other Anonymity Technologies Usage Control Architectures, Digital Rights Management, Trusted Computing
Overview Cryptography, a crucial science and basis for
building secure systems, is undergoing substantial changes as a scientific
discipline, with profound impact on how cryptographic systems and protocols are
and should be used in practice. Compared to 20 or even only 10 years ago, the
foundations of cryptography have become much better understood.
The goal of this seminar is to present modern
cryptography, with its many facets, in a unique and coherent manner, with an
emphasis on simplicity and on explaining things at the right level of
abstraction. Connections between subfields are highlighted and the most
relevant research developments of the past years are covered and placed into
context.
The seminar assumes a certain level of familiarity
with basic cryptography at a conceptual level (including symmetric
cryptosystems, hash functions, public-key encryption, and digital signatures)
and with some basic cryptographic algorithm (such as RSA and the Diffie-Hellman
protocol). These basics are covered in the seminar "Information Security
Basics" which serves as an ideal basis for the seminar "Modern
Cryptography".
Who should attend: The seminar is aimed at all professionals who
develop or analyze cryptographic systems or build security systems based on
cryptographic building primitives. This includes professional cryptographers,
both in industry and in government organisations, as well as security experts
and instructors in business or academia.
The seminar is also well-suited for those who
previously attended an ATG seminar on cryptography as this new seminar goes
substantially deeper.
Introduction Seminar Overview Examples of Modern Cryptographic
Thinking Summary of Basic Concepts Classification of Topics in
Cryptography
Foundations Discrete Mathematics, Complexity,
Probability Theory Cryptographic Reductions
Defining and Proving Cryptographic Security Approaches to Defining Cryptographic
Security Constructive Cryptography: a New
Paradigm Case Study: A New Look at the
One-Time Pad Layers of Abstraction in
Cryptography Discrete Systems and
Distinguishers Distinguishing Advantage,
Indistinguishabilty, Hybrid Argument Game-Based Definitions, Games as
Systems Simulation-based Security
Definitions, Universal Composability
Pseudo-Randomness Computational
Indistinguishability Pseudo-random Generators, Pseudo-random
Functions and Permutations Construction and Application of
Pseudo-random Systems, Buffer Paradigm Case Studies: CBC-MAC,
Luby-Rackoff, Counter Mode, etc. Security Amplification
Hash Function Design and Random Oracle Model Security Proofs in the ROM Indifferentiability, Impossibility
of Realizing a RO A Perspective on the RO
Controversy
Topics in Symmetric Cryptography Block Cipher Design, Meet-in-the-middle
Attack, Differential Cryptanalysis, Linear Cryptanalysis Stream Cipher Design, Linear
Feedback Shift Registers, Correlation Attacks Message Authentication Codes Secure Encryption from Weak
Assumptions
Topics in Public-Key Cryptography Discrete Logarithms and Factoring,
Generic Algorithms and Lower Bound Proofs Relation Between RSA and
Factoring Relation Between Diffie-Hellman
and Discrete Logarithms Generation of Prime Numbers and
Cryptographic Parameters Chosen-Ciphertext Security (CCA),
OAEP, Cramer-Shoup Public-Key Cryptosystem Elliptic Curve Cryptography Other Topics
Cryptographic Protocols and Zero-Knowledge Identification Protocols:
Schnorr, Fiat-Shamir, etc. Commitment Schemes, Oblivious
Transfer Zero-knowledge Protocols,
Simulators, Proofs of Knowledge Secure Multi-party Computation, Case
Study in E-Voting Digital Payment Systems and
Digital Cash Quantum Cryptography
Overview Most software systems built today have
security-critical aspects, e.g., they must protect customer data in transit and
storage or ensure the availability and integrity of critical services.
Unfortunately, the integration of security into the system-design process is
often poorly understood and security is integrated into most systems in a
post-hoc way, which degrades the security and maintainability of the resulting
systems.
The goal of this seminar is to present sound
methods that can be used to build and evaluate security-critical software
systems. Our focus is on the interplay between two areas: software engineering
and information security. We examine all phases of the software-development
process and explain how to build security into each phase. This includes the
role of security in requirements analysis, risk analysis, design,
implementation, and testing, as well as verification and certification. In each
phase, we cover relevant concept, methods, and tools. Moreover, using a running
example, we show how security can be engineered in, from the start.
Who
should attend The seminar is aimed at all professionals who
develop, analyze, or manage security-critical systems. This includes system
designers and engineers, programmers, project managers and consultants, as well
as instructors in this area.
The material is presented in a self-contained way.
However, a basic knowledge of both information security and software
engineering are assumed.
Introduction Overview of Security Engineering
and its Principle Challenges Software Engineering Activities
and Where Security Fits In
Modeling Foundations
Role of Models in System
Development Unified Modeling Language (UML) Modeling in Requirements
Engineering: Use Case and Class Diagrams Modeling in Security Design and
Risk Analysis: Component, Deployment, and Sequence Diagrams
Requirements Engineering for Security-critical Systems Structure and Goals of Requirements
Documents Functional and Non-functional
Requirements Safety and Security Use and Misuse Cases Authorization Policies based on
Use Case Models Information Security Policies
based on Domain Models
Risk Analysis Ingredients of Risk Analysis:
Assets, Threats, and Vulnerabilities FMEA, FTA, Attack Trees Quantitative and Qualitative
Approaches Threat and Standard
Vulnerabilities Catalogs Data Pathways Approach to
Systematic Risk Analysis
Security in the Design Process General Security Design Options Pattern Catalogs and Standard
Counter-measures Modeling and Automatically
Generating Security Infrastructures Security Design as an Iterative
Process with Risk Re-evaluation
Implementation-level Security Security Design Patterns for
Vulnerabilities Typical Vulnerabilities and their
Countermeasures: Buffer Overflows Format String Attacks, Injection Attacks,
Cross Site Scripting Timing Vulnerabilities, Session
Handling Problems
Testing Objectives and Limitations of
Testing Model-based Testing Code-based Testing Vulnerability Testing and other
Security-specific Testing Methods
Evaluation Criteria Role of Standards in Evaluation NIST, Common Criteria, and ISO/IEC
27000-Series IT Baseline Protection
