Royal Holloway - University of London
Postgraduate
MSc and Postgraduate Diploma in Information Security - Optional Units
Second term, optional
module.
Aims
This module aims to put
the role of security into perspective and demonstrate how it forms part
of a security system within an application. The aim is to illustrate,
usually by the use of case studies, how a particular situation may make
certain aspects of security important and how an entire system might
fit together.
Objectives
On completion of the
module the students should be able to:
- recognise the security issues that
arise in a variety of applications
- appreciate how and why particular
applications can address various security concerns
- review how the various security
issues in a particular application relate to one another
- analyse how the security aims are
met in a particular application.
Provisional syllabus
The lectures in this
module are given by visiting experts in several security application
areas who discuss their own specialist topic. There is opportunity for
questions and discussion.
Case Studies are likely
to include: Protocols for electronic commerce; Banking Applications;
Electronic Cash; Baseline protection of IT systems; Electronic Security
and Access Controls; Secure mobile communications.
The partial programme
of lectures for 2002/2003 is now available.
Method of examination
Written examination
Second term, optional
module.
Teaching Material
Teaching material for
the 2002/2003 academic year is available now.
Aims
Over the last few years,
a variety of security-related standards have been produced by international
standards bodies. This module examines some of the most important of
these standards in detail. In doing so it illustrates how international
standards now cover many aspects of the analysis and design of secure
systems. The material covered also puts certain other aspects of the
degree course in a more structured setting.
The emerging international
standards for general-purpose security mechanisms and services are described
in some detail. They are presented within the context of the OSI security
architecture. The module also covers existing security evaluation criteria,
the current process for evaluating secure systems, and guidelines for
managing IT security.
Objectives
At the end of the module
the student should have gained an appreciation of the scope and some
of the technical content of existing and emerging security standards.
This will have relevance both in the development of security policies,
and in the procurement and configuration of systems to meet security
policy needs. The topics covered within the module are also of fundamental
importance in the specification and development of new security products.
Provisional syllabus
Network Security
Architecture: The OSI Security Architecture (ISO 7498-2). A very
brief look at the ISO security framework standard (ISO/IEC 10181).
Security mechanism
standards: Encryption algorithms (ISO/IEC 18033 Parts 1-4, NIST
FIPS PUB 46-3, AES, and ISO/IEC 9979). Block cipher modes of operation
(ISO/IEC 10116). MAC algorithms (ISO/IEC 9797, Parts 1/2). Digital signature
techniques (ISO/IEC 9796, Parts 2/3 and ISO/IEC 14888, Parts 1-3). Cryptographic
hash-functions (ISO/IEC 10118, Parts 1-4). Non-repudiation mechanisms
(ISO/IEC 13888, Parts 1-3). Elliptic curve techniques (ISO/IEC 15946,
Parts 1-4).
Key management:
Key management techniques (ISO/IEC 11770, Parts 1-3). PKI standards
(ITU-T X.509, IETF PKIX RFCs). Random bit generation (ISO/IEC 18031).
Prime number generation (ISO/IEC 18032).
Trusted Third Parties:
Guidelines on the use and management of TTPs (ISO/IEC TR 14516). Specification
of TTP services to support the application of digital signatures (ISO/IEC
15945). Time-stamping services (ISO/IEC 18014 Parts 1-3).
Evaluation Criteria:
TCSEC (Orange Book); TNI (Red Book); ITSEC; Common Criteria (ISO/IEC
15408).
Management Guidelines:
DTI Code of Practice (BS 7799); other codes of practice; the ISO/IEC
Guidelines for the Management of IT Security (ISO/IEC TR 13335, Parts
1-5).
Method of Examination
Two-hour written examination.
Second term, optional
module.
Aims
This module follows on
from the introductory cryptography module (IC2) and provides the basic
mathematical background to cryptography. The emphasis of the module
is very much focussed on the most widely used cryptographic processes
and algorithms.
Objectives
On completion of this
module, students should be able to understand the role of cryptographic
systems and to understand how different cryptographic primitives relate
to one another in terms of role, performance, and security.
Provisional syllabus
Block Ciphers:
Design criteria, Testing, DES, AES and other algorithms; Assessment
of block ciphers; Linear and differential cryptanalysis.
Stream Ciphers:
System-theoretic and other approaches, LFSRs, Linear equivalence and
other measures of complexity; Combining functions; Nonlinear generators;
Correlation attacks.
Asymmetric Cryptosystems:
Finite fields, Factoring and discrete logarithms, Prime generation and
testing, ElGamal, RSA, Digital signatures, DSS, Elliptic curve cryptography.
Quantum cryptography
and quantum computing.
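The following is an added example, not part of the module text, illustrating the "Linear equivalence and other measures of complexity" and "Combining functions" items of the Stream Ciphers topic above. It implements a binary LFSR and the Berlekamp-Massey algorithm, which computes the linear complexity of a bit sequence and recovers the shortest LFSR producing it, and then shows why a bare LFSR is not a cipher: 2L known keystream bits give away the whole generator. The connection polynomials and seeds are chosen for illustration (the 16-bit one is a primitive polynomial with period 2^16 - 1).

```python
"""Added example (not part of the module text): an LFSR keystream generator and
the Berlekamp-Massey algorithm, which measures a sequence's linear complexity
(its "linear equivalence") and recovers the shortest LFSR that produces it.
All polynomials and seeds here are constructed for illustration."""


def lfsr(conn, seed, n):
    """Generate n bits of the LFSR with connection polynomial
    C(x) = 1 + sum(x**j for j in conn), i.e. s[i] = XOR of s[i-j] for j in conn.
    seed holds the first L = max(conn) bits and must not be all zero."""
    L = max(conn)
    s = list(seed)
    if len(s) != L or not any(s):
        raise ValueError("seed must be L bits, not all zero")
    for i in range(L, n):
        bit = 0
        for j in conn:
            bit ^= s[i - j]
        s.append(bit)
    return s[:n]


def berlekamp_massey(s):
    """Return (L, C): L is the linear complexity of bit sequence s and
    C = [1, c1, ..., cL] is the connection polynomial of the shortest LFSR
    generating s, so s[i] = XOR over j=1..L of c[j] & s[i-j] for i >= L."""
    n = len(s)
    C = [1] + [0] * n          # current connection polynomial
    B = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1
    for i in range(n):
        d = s[i]               # discrepancy: does the current LFSR predict s[i]?
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d:
            T = C[:]
            shift = i - m
            for j in range(n + 1 - shift):
                C[j + shift] ^= B[j]
            if 2 * L <= i:     # the register has to grow
                L, m, B = i + 1 - L, i, T
    return L, C[:L + 1]


def predict(C, known, n):
    """Extend a known keystream prefix to n bits with the recovered LFSR."""
    L = len(C) - 1
    s = list(known)
    for i in range(len(s), n):
        bit = 0
        for j in range(1, L + 1):
            bit ^= C[j] & s[i - j]
        s.append(bit)
    return s


def linear_complexity(s):
    return berlekamp_massey(s)[0]


def demo():
    # Generator 1: C(x) = 1 + x^11 + x^13 + x^14 + x^16, primitive, period 2^16 - 1.
    conn16 = [11, 13, 14, 16]
    seed16 = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]   # constructed key
    ks = lfsr(conn16, seed16, 500)
    # A known-plaintext attacker who sees only 2L = 32 keystream bits recovers
    # the register and predicts every later bit.
    L, C = berlekamp_massey(ks[:32])
    recovered = predict(C, ks[:32], len(ks))
    # Combining functions: XOR of LFSRs of lengths 5 and 7 (coprime, both
    # primitive) is still linear with L = 5 + 7, so 24 bits break it; the
    # AND combination has L = 5 * 7 but leaks through correlation, since its
    # output agrees with the first input about 75% of the time.
    a = lfsr([2, 5], [1, 0, 0, 1, 0], 300)
    b = lfsr([1, 7], [1, 1, 0, 1, 0, 0, 1], 300)
    xor_out = [x ^ y for x, y in zip(a, b)]
    and_out = [x & y for x, y in zip(a, b)]
    agree = sum(x == y for x, y in zip(and_out, a)) / len(a)
    return {"L": L, "C": C, "predicted_ok": recovered == ks,
            "lc_xor": linear_complexity(xor_out),
            "lc_and": linear_complexity(and_out), "corr_and_a": agree}


if __name__ == "__main__":
    print(demo())
```

The two numbers to take from demo() are the linear complexities of the combined streams: linear combining keeps the attack cost at 2(L1 + L2) known bits, while a nonlinear combiner raises the linear complexity but, as the agreement rate shows, introduces the correlation that correlation attacks exploit against each register separately.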
Course materials for
2001-02 are available now.
Course materials and
resources for 2002-03 are available now.
Method of examination
Written examination
Second term, optional
module.
Aims
This module covers several
aspects of database security and the related subject of concurrency
control in distributed databases. It discusses methods
for concurrency control and failure recovery in distributed databases
and the interaction between those methods and security requirements.
It also examines how access control policies can be
adapted to relational and object-oriented databases.
Objectives
At the end of the module
the student should
- understand how multi-level security
can be preserved within a database whilst still permitting the concurrent
execution of transactions.
- understand why confidentiality is
so difficult to achieve within a statistical database.
- understand the implications that
security and its administration have in the context of commercial
databases such as Informix and Oracle.
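As an added example, not part of the module text, the following simulation shows the tension behind the first objective above: with ordinary strict two-phase locking, a High transaction that reads a Low-classified row holds a shared lock that delays a Low writer, and the delay is observable, so High can signal bits downwards through a legal sequence of operations. The variant in which a higher-level reader takes a committed snapshot instead of a lock (a simple multiversion reading rule) removes the channel. The levels, row and transactions are constructed for illustration, and one transaction per level is identified by its level name.

```python
"""Added example (not part of the module text): the covert channel that strict
two-phase locking opens in a multi-level secure database, and the
multiversion reading rule that closes it. Levels, rows and transactions
are constructed for illustration."""

LEVELS = {"Low": 0, "High": 1}


def may_read(subject, obj):
    """Bell-LaPadula simple security property: no read up."""
    return LEVELS[subject] >= LEVELS[obj]


def may_write(subject, obj):
    """Bell-LaPadula *-property: no write down."""
    return LEVELS[subject] <= LEVELS[obj]


class LockManager:
    """Shared/exclusive row locks; try_* report a conflict instead of blocking."""

    def __init__(self):
        self.shared = {}      # row -> set of transactions holding S locks
        self.exclusive = {}   # row -> transaction holding the X lock

    def try_shared(self, txn, row):
        holder = self.exclusive.get(row)
        if holder is not None and holder != txn:
            return False
        self.shared.setdefault(row, set()).add(txn)
        return True

    def try_exclusive(self, txn, row):
        holder = self.exclusive.get(row)
        if (self.shared.get(row, set()) - {txn}) or holder not in (None, txn):
            return False
        self.exclusive[row] = txn
        return True

    def release_all(self, txn):
        for holders in self.shared.values():
            holders.discard(txn)
        self.exclusive = {r: t for r, t in self.exclusive.items() if t != txn}


class MLSDatabase:
    def __init__(self, multiversion):
        self.locks = LockManager()
        self.multiversion = multiversion
        # row -> (classification, list of committed versions); constructed data
        self.rows = {"budget": ("Low", [100])}

    def read(self, txn, row):
        level, versions = self.rows[row]
        if not may_read(txn, level):
            raise PermissionError("no read up")
        if self.multiversion and LEVELS[txn] > LEVELS[level]:
            # A higher-level reader gets the last committed version and takes
            # no lock, so it can never delay a writer at the row's own level.
            return versions[-1]
        if not self.locks.try_shared(txn, row):
            return None           # would block
        return versions[-1]

    def write(self, txn, row, value):
        level, versions = self.rows[row]
        if not may_write(txn, level):
            raise PermissionError("no write down")
        if not self.locks.try_exclusive(txn, row):
            return False          # would block: the event Low can observe
        versions.append(value)
        return True

    def commit(self, txn):
        self.locks.release_all(txn)


def covert_channel(bits, multiversion):
    """High signals each bit by reading (1) or not reading (0) the Low row in
    its transaction; Low then writes the row and notes whether it was
    delayed. Every operation is permitted by the access rules. Returns the
    bits Low recovers."""
    db = MLSDatabase(multiversion)
    received = []
    for i, bit in enumerate(bits):
        if bit:
            db.read("High", "budget")                      # legal: read down
        delayed = not db.write("Low", "budget", 100 + i)   # legal: write at level
        received.append(1 if delayed else 0)
        db.commit("High")
        db.commit("Low")
    return received


if __name__ == "__main__":
    print("2PL      :", covert_channel([1, 0, 1, 1, 0], multiversion=False))
    print("snapshot :", covert_channel([1, 0, 1, 1, 0], multiversion=True))
```

With plain locking the Low side reads back exactly the bits High chose; with the snapshot rule it sees no delays at all. The price is that High's reads may be slightly stale, which is the trade-off between multi-level confidentiality and conventional serializability that the module examines.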
Provisional syllabus
Introduction:
concurrency, fault tolerance and security.
Concurrency control
and failure recovery: locking strategy and deadlock detection.
Transaction theory:
serializability and recoverability.
Distributed Database:
data replication and commit protocols.
Database Security:
data confidentiality and data integrity, inference and aggregation,
security in object-oriented database systems.
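The following is an added example, not part of the module text, for the "inference and aggregation" item above and the second objective (why confidentiality is hard in a statistical database). The database answers only COUNT and SUM over a predicate and refuses any query set smaller than K or larger than N - K, the usual query-set-size control; a "tracker" still isolates one person's salary by subtracting two permitted aggregates. The employee rows are constructed for illustration.

```python
"""Added example (not part of the module text): a statistical database with a
query-set-size control, and the tracker attack that defeats it by
subtracting two permitted aggregates. The rows are constructed."""

K = 3   # query sets smaller than K, or larger than N - K, are refused

EMPLOYEES = [   # constructed sample data
    {"name": "Alice", "dept": "security", "sex": "F", "salary": 72000},
    {"name": "Bob",   "dept": "security", "sex": "M", "salary": 65000},
    {"name": "Carol", "dept": "ops",      "sex": "F", "salary": 58000},
    {"name": "Dave",  "dept": "security", "sex": "M", "salary": 61000},
    {"name": "Erin",  "dept": "ops",      "sex": "F", "salary": 70000},
    {"name": "Frank", "dept": "security", "sex": "M", "salary": 80000},
    {"name": "Grace", "dept": "ops",      "sex": "F", "salary": 66000},
    {"name": "Hank",  "dept": "security", "sex": "M", "salary": 59000},
]


class StatisticalDB:
    """Exposes only COUNT and SUM over a predicate; rows are never returned."""

    def __init__(self, rows, k=K):
        self.rows, self.k = rows, k

    def _query_set(self, pred):
        matched = [r for r in self.rows if pred(r)]
        n = len(matched)
        if n < self.k or n > len(self.rows) - self.k:
            raise PermissionError(f"query set of size {n} refused")
        return matched

    def count(self, pred):
        return len(self._query_set(pred))

    def sum(self, pred, field):
        return sum(r[field] for r in self._query_set(pred))


def direct_query(db):
    """The naive attack: ask for Alice's group directly. The size control stops it."""
    try:
        return db.sum(lambda r: r["dept"] == "security" and r["sex"] == "F", "salary")
    except PermissionError as err:
        return str(err)


def tracker_attack(db, target_dept="security", target_sex="F"):
    """Alice is the only record matching C = (dept=security AND sex=F).
    Write C = A AND B with A = (dept=security), B = (sex=F), and use the
    tracker T = A AND NOT B. Both A and T have permitted query-set sizes, and
    SUM(A) - SUM(T) = SUM(C), which is Alice's salary alone.
    Returns None if the attacker cannot get the needed answers."""
    A = lambda r: r["dept"] == target_dept
    T = lambda r: r["dept"] == target_dept and r["sex"] != target_sex
    try:
        if db.count(A) - db.count(T) != 1:
            return None      # C does not single out exactly one record
        return db.sum(A, "salary") - db.sum(T, "salary")
    except PermissionError:
        return None


if __name__ == "__main__":
    db = StatisticalDB(EMPLOYEES)
    print("direct :", direct_query(db))
    print("tracker:", tracker_attack(db))
```

The two tracker queries are answered because their query sets have sizes 5 and 4, within the permitted range, yet their difference is one record. Overlap limits, random sample queries and output perturbation are the standard counter-measures, and each one reduces the statistical utility of the database, which is why the module treats the problem as fundamentally hard rather than solved.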
Method of examination
Written examination
Second term, optional
module.
Teaching material
Teaching material and
other information about the 2000/2001 academic year's lectures is available
now.
Aims
This
module complements other modules by examining the subject from the criminal
angle and presenting a study of computer crime and the computer criminal.
It discusses the history, causes, development and repression of computer
crime through studies of surveys, types of crime, legal measures, and
system and human vulnerabilities. It also examines the effects of computer
crime through the experiences of victims and law enforcement, and looks
at the motives and attitudes of hackers and other computer criminals.
Objectives
On completion of the
module students should be able to:
- follow trends in computer crime
- relate computer security methodologies
to criminal methods
- detect criminal activity in a computerised
environment
- apply the criminal and civil law
to computer criminality
- understand how viruses, logic bombs
and hacking are used by criminals
- appreciate the views of business,
governments, and the media to instances of computer crime.
Provisional syllabus
Introduction:
Types of computer crime, history, surveys, statistics, global connections.
Legal Measures:
Computer Misuse, Data Protection, Criminal Damage, Software Piracy,
Forgery, Investigative Powers.
Case Studies:
Investigations into hacking, PC misuse.
The Commercial View:
The experience of systems managers.
The Law Enforcement
View: The experience of investigators.
The Hacker's View:
The experience of cyber people.
Viruses: Types,
effects, and investigations.
Network Crimes:
The Internet and links to other networks.
The Future:
The expansion of the Internet, pornography and unsuitable material,
the corporate view.
Method of examination
Written examination
Project committee
P. Wild (Chair), Z. Ciechanowicz
and K. Martin.
Aims
A project is a major
individual piece of work. It can be of academic nature and aim at acquiring
and demonstrating understanding and the ability to reason about some
specific area of information security. Alternatively, the project work
may document the ability to deal with a practical aspect of information
security.
Objectives
The student will write
a comprehensive dissertation on the topic of the project. On completion
of the project students should have demonstrated their ability to:
- work independently on a security-related
project, for which they have defined the objectives and rationale,
- apply knowledge about aspects of
information security to a particular problem, which may be of an
engineering, analytical or academic nature, and
- produce a well-structured report,
including introduction, motivation, analysis, and appropriate references
to existing work.
Assignment
Each student will have
an academic project supervisor who may give advice on the choice of
the project and will monitor its progress. However, it is primarily
the responsibility of the student to define and plan the MSc project.
Students may do their projects off-site, but must maintain contact with
their academic supervisor, for example by having good Internet connectivity.
It is expected that,
for full-time students, the topic of the project will be agreed upon
at the end of the first semester and that students will concentrate
on their project after the module examinations in May. For part-time
students, this process may proceed at a slower pace or be delayed until
the second year.
Some projects may be
supported by industrial partners of the Information Security Group.
Students are encouraged to seek placements with industrial sponsors
of their projects and to collaborate with industry on them.
Assessment
Projects will be assessed
on the basis of the written report, and possibly also on the basis of
a demonstration or evaluation of some artefact such as a computer program.
An oral examination may take place at the discretion of the examiners.
Submission
The closing date for
submission of dissertations is in September (the Friday of week 50 of
the academic year). TWO COPIES of the dissertation must be submitted
by 4pm on this date. These should be handed to the ISG Office (Room
230 McCrea Building) and a receipt obtained. Candidates are encouraged
to submit upon completion of the dissertation.
Timetable for project
work
First term
During the first term
students should consider the topic area in which they wish to do their
project. Students are encouraged to discuss their ideas with prospective
supervisors, a list of whom will be provided at the beginning of the
module. By the beginning of the last week of term, every student should
inform the Chair of the MSc Project Committee in what area they intend
to work, and with whom, if this has been agreed with a prospective supervisor.
Second term
A list of assignments
of academic supervisors to students will be circulated at the beginning
of the semester; this list will be based on the preferences provided
at the end of the first term. Each student should meet their supervisor
to discuss the scope of the project; such meetings should normally continue
through the life of the project. Should the student be seeking an industrial
placement they should also meet prospective industrial collaborators.
Every student shall provide
the Chair of the MSc Project Committee with the working title and a
short outline of the scope of the project by the beginning of the third
term. Both the title and summary should be agreed with the project supervisor
before submission to the Project Committee.
June to September
This is the main period
during which work should be undertaken on the project, although some
students may wish to start their project work earlier in the year. Advice
should be sought from project supervisors, and any other appropriate
sources, at all stages, and the supervisor should also be kept informed
of progress. It is advised that students should show their supervisor
a draft of their project dissertation at least two weeks before the
submission deadline.
Guidance on structure
and content of project dissertation
There is no page limit
to the dissertation. Typically, the project dissertation will be a document
of about 50 pages. It must be the work of the candidate, and should
be a readable and coherent account of the chosen topic. It should provide
an outline of the scope of the project and describe the extent to which
the objectives of the project are met. It should also describe its relation
to any industrial placement with which it may be associated.
It is important that
the students show that they have extended their source material by including
a critical analysis of their chosen subject area. A student may do this,
for example, by elaborating the treatment as found in the sources, by
comparing different approaches to solving a problem, or by performing
practical experimentation to inform their analysis. The students should
also demonstrate that they appreciate how the topics discussed relate
to one another and to the rest of the subject area concerned.
For further guidance
and advice on all aspects of the project process, from topic selection
through to writing the report, the following are strongly recommended:
- Make sure you attend the tutorial
sessions given on the project process during the first semester.
- A comprehensive
list of DOs and DON'Ts concerning good (and bad) practice in
conducting MSc projects is available.
- Consult closely with the supervisor
allocated to you at the start of the second semester.