HomeSeminarsLecturersRegistrationConsultancyAbout us
Past events
 

Seminars for 2010


June 14-17, 2010
Starting 9 AM on Monday June 14th and ending at 5 PM on Thursday June 17th

1.  Information Security Basics
2.  Modern Advanced Cryptography
3.  Building Secure Software Systems

-------------------------------------------------------------------------------------------


Lecturers: David Basin and Ueli Maurer

Overview
Information Security and Cryptography are of vital importance today, with applications in communication and information systems, electronic commerce and, more generally, in the emerging Information Society. A basic knowledge of these topics is essential for every professional who wishes to better understand, develop, or use systems employing modern security technologies.

This seminar provides an in-depth coverage of Information Security and Cryptography from both a conceptual and application-oriented viewpoint. At the same time, the mathematical, algorithmic, protocol-specific, and system-oriented aspects are explained in a way understandable to a wide audience. This includes the foundations needed to understand the different approaches, a critical look at the state-of-the-art, and a perspective on future security technologies.

The material is presented at three different levels. At the highest level, the basic concepts are presented in detail, but abstractly (e.g., as black boxes), without mathematics. No background is required to follow at this level. At an intermediate level, the most important concrete schemes, models, algorithms, and protocols are presented as well as their applications. Here some minimal mathematical and systems background is assumed. At the deepest level, which is not required to understand the higher levels, different special topics, requiring some mathematical background, are discussed.

Who should attend
The seminar is aimed at all professionals who need up-to-date knowledge and expertise in Information Security and Cryptography. This includes system designers and engineers, security experts, IT-professionals, instructors, project managers, consultants, law enforcement professionals, and professional cryptographers.

Introduction
Information at Risk: Threats, Security Objectives, and Security Measures
Classification of the Fundamental Information Security Problems  

Cryptography: Basic Concepts and Terminology

Types and Models of Cryptographic Systems
Cryptographic Functions, Hash Functions
Secrecy, Authenticity, and their Duality and Independence
Symmetric Cryptography: Block Ciphers, Stream Cipher, MACs, Pseudo-Randomness
Attacks, Assumptions, Security Definitions
Public-Key Cryptosystems, Public-Key Agreement, Digital Signatures

Cryptography: Important Schemes and Protocols
We introduce various must-know cryptographic schemes, including DES, AES, relevant hash functions, the RSA system, the Diffie-Hellman key agreement protocol, the basics of elliptic-curve cryptography, and modes of operation of cryptographic schemes.

System and Network Security
Review of Networking Essentials
Trade-offs in Securing Layers
Security Protocols including Kerberos, SSL, IPsec
Security Architectures
Firewalls and Intrusion Detection

PKI and Key Management
Key Management Problems
PKI Certificates, Architectures, and Standards
Key Revocation and Recovery
Trust Models (Direct, Cross, Hierarchical, Web of trust)
X.509 and PGP, Naming and Identity
Certificate Handling in Web Browsers

Nonrepudiation and Digital Evidence
The Digital Evidence Dilemma, Types of Digital Evidence
Semantics of Digital Signatures, Certificates, Time-stamps
Revalidation, Revocation
Digital Signatures vs. Handwritten Signatures
Digital Signature Legislation

Authentication, Authorization, and Access Control
AAA Architectures: Authentication, Authorization, and Access Control
Authentication: Passwords, Biometrics, and Token-based
Policies and Models, Access Control Matrix Model
DAC and MAC Models, RBAC, XACML
BLP, Biba, and Chinese Wall models
Single Sign-on and Identity Management

Privacy and Usage Control
Data Protection and Control of Intellectual Property
Anonymity and Privacy-enhancing Technologies
Proxies, Mix Networks, and other Anonymity Technologies
Usage Control Architectures, Digital Rights Management, Trusted Computing


-----------------------------------------------------------------------------------------


Lecturer: Ueli Maurer

Overview
Cryptography, a crucial science and basis for building secure systems, is undergoing substantial changes as a scientific discipline, with profound impact on how cryptographic systems and protocols are and should be used in practice. Compared to 20 or even only 10 years ago, the foundations of cryptography have become much better understood.  

The goal of this seminar is to present modern cryptography, with its many facets, in a unique and coherent manner, with an emphasis on simplicity and on explaining things at the right level of abstraction. Connections between subfields are highlighted and the most relevant research developments of the past years are covered and placed into context.  

The seminar assumes a certain level of familiarity with basic cryptography at a conceptual level (including symmetric cryptosystems, hash functions, public-key encryption, and digital signatures) and with some basic cryptographic algorithm (such as RSA and the Diffie-Hellman protocol). These basics are covered in the seminar "Information Security Basics" which serves as an ideal basis for the seminar "Modern Cryptography".  

Who should attend:
The seminar is aimed at all professionals who develop or analyze cryptographic systems or build security systems based on cryptographic building primitives. This includes professional cryptographers, both in industry and in government organisations, as well as security experts and instructors in business or academia. The seminar is also well-suited for those who previously attended an ATG seminar on cryptography as this new seminar goes substantially deeper.  

Introduction
Seminar Overview
Examples of Modern Cryptographic Thinking
Summary of Basic Concepts
Classification of Topics in Cryptography

Foundations
Discrete Mathematics, Complexity, Probability Theory
Cryptographic Reductions

Defining and Proving Cryptographic Security
Approaches to Defining Cryptographic Security
Constructive Cryptography: a New Paradigm
Case Study: A New Look at the One-Time Pad
Layers of Abstraction in Cryptography
Discrete Systems and Distinguishers
Distinguishing Advantage, Indistinguishabilty, Hybrid Argument
Game-Based Definitions, Games as Systems
Simulation-based Security Definitions, Universal Composability

Pseudo-Randomness
Computational Indistinguishability
Pseudo-random Generators, Pseudo-random Functions and Permutations
Construction and Application of Pseudo-random Systems, Buffer Paradigm
Case Studies: CBC-MAC, Luby-Rackoff, Counter Mode, etc.
Security Amplification

Hash Function Design and Random Oracle Model
Security Proofs in the ROM
Indifferentiability, Impossibility of Realizing a RO
A Perspective on the RO Controversy

Topics in Symmetric Cryptography
Block Cipher Design, Meet-in-the-middle Attack, Differential Cryptanalysis, Linear   
   Cryptanalysis
Stream Cipher Design, Linear Feedback Shift Registers, Correlation Attacks
Message Authentication Codes
Secure Encryption from Weak Assumptions

Topics in Public-Key Cryptography
Discrete Logarithms and Factoring, Generic Algorithms and Lower Bound Proofs
Relation Between RSA and Factoring
Relation Between Diffie-Hellman and Discrete Logarithms
Generation of Prime Numbers and Cryptographic Parameters
Chosen-Ciphertext Security (CCA), OAEP, Cramer-Shoup Public-Key Cryptosystem
Elliptic Curve Cryptography
Other Topics

Cryptographic Protocols and Zero-Knowledge
Identification Protocols: Schnorr, Fiat-Shamir, etc.
Commitment Schemes, Oblivious Transfer
Zero-knowledge Protocols, Simulators, Proofs of Knowledge
Secure Multi-party Computation, Case Study in E-Voting
Digital Payment Systems and Digital Cash
Quantum Cryptography



---------------------------------------------------------------------------------------------


Lecturer: David Basin and Torsten Lodderstedt

Overview
Most software systems built today have security-critical aspects, e.g., they must protect customer data in transit and storage or ensure the availability and integrity of critical services. Unfortunately, the integration of security into the system-design process is often poorly understood and security is integrated into most systems in a post-hoc way, which degrades the security and maintainability of the resulting systems.

The goal of this seminar is to present sound methods that can be used to build and evaluate security-critical software systems. Our focus is on the interplay between two areas: software engineering and information security. We examine all phases of the software-development process and explain how to build security into each phase. This includes the role of security in requirements analysis, risk analysis, design, implementation, and testing, as well as verification and certification. In each phase, we cover relevant concept, methods, and tools. Moreover, using a running example, we show how security can be engineered in, from the start.  

Who should attend

The seminar is aimed at all professionals who develop, analyze, or manage security-critical systems. This includes system designers and engineers, programmers, project managers and consultants, as well as instructors in this area. The material is presented in a self-contained way. However, a basic knowledge of both information security and software engineering are assumed.

Introduction
Overview of Security Engineering and its Principle Challenges
Software Engineering Activities and Where Security Fits In

Modeling Foundations
Role of Models in System Development
Unified Modeling Language (UML)
Modeling in Requirements Engineering: Use Case and Class Diagrams
Modeling in Security Design and Risk Analysis: Component, Deployment,
   and Sequence Diagrams

Requirements Engineering for Security-critical Systems
Structure and Goals of Requirements Documents
Functional and Non-functional Requirements
Safety and Security
Use and Misuse Cases
Authorization Policies based on Use Case Models
Information Security Policies based on Domain Models

Risk Analysis
Ingredients of Risk Analysis: Assets, Threats, and Vulnerabilities
FMEA, FTA, Attack Trees
Quantitative and Qualitative Approaches
Threat and Standard Vulnerabilities Catalogs
Data Pathways Approach to Systematic Risk Analysis

Security in the Design Process

General Security Design Options
Pattern Catalogs and Standard Counter-measures
Modeling and Automatically Generating Security Infrastructures
Security Design as an Iterative Process with Risk Re-evaluation

Implementation-level Security
Security Design Patterns for Vulnerabilities
Typical Vulnerabilities and their Countermeasures: Buffer Overflows
Format String Attacks, Injection Attacks, Cross Site Scripting
Timing Vulnerabilities, Session Handling Problems

Testing
Objectives and Limitations of Testing
Model-based Testing
Code-based Testing
Vulnerability Testing and other Security-specific Testing Methods

Evaluation Criteria
Role of Standards in Evaluation
NIST, Common Criteria, and ISO/IEC 27000-Series
IT Baseline Protection


----------------------------------------------------------------------------------------------

Here you will find information on registration and the lecturers

The 3 seminars are in collaboration with the Department of Computer Science, ETH Zurich

 
Top