IY2760 - Introduction to Information Security

This is a second year undergraduate course provided by the Information Security Group. This course shares lectures with the Computer Science third year course, CS3760. However, it is important to note that the examinations for these two courses will be different.

Copies of the lecture presentations for the 2011/12 academic year are available below. Please note that the handouts are subject to minor modifications during and after delivery of the course to correct any discovered errors and/or add additional clarifications.

• Part 0: Preliminaries.
• Part 1: Introduction.
• Part 2: Elements of Cryptography.
• Information security management (the presentation of Dr Lizzie Coles-Kemp will only be available in printed form).
• Introduction to smart cards (presentation of Dr Keith Mayes).
• Part 3: Identity verification.
• Case Study 1: EMV.
• Part 4: Access control.
• Part 5: Personal Computer security.
• Part 6: Network security concepts.
• Part 7: Authentication and key establishment protocols.
• Case Study 2: Web security.
• Part 8: Software security.

This course has the following associated mandatory (non-assessed) coursework.

• Coursework 1: to be submitted by 14/10/11. Worked solutions are available here.
• Coursework 2: to be submitted by 28/10/11. Worked solutions are available here.
• Coursework 3: to be submitted by 15/11/11. Worked solutions are available here.
• Coursework 4: to be submitted by 29/11/11. Worked solutions are available here.

Please submit all coursework by email, as a pdf attachment, to me@chrismitchell.net.

Links of potential use for this course are as follows

• Cryptography:
• The Cryptool software is really rather neat, and provides implementations of a wide range of cryptographic and cryptanalytic techniques, many of which are animated. If you don't want to download and install the software, there is also an online version. [Thanks to Keith Martin for the pointer].
• The Practical Cryptography site contains a host of useful information about the subject. I am also happy to recommend the Stick figure guide to AES, which is both informative and entertaining. [Thanks to Alex Borisov for the pointers].
• The online Computer Science degree pages, provide a straightforward introduction to basic cryptographic principles. [Thanks to Lauren Ross for the pointer].
• Identity verification:
• ENISA (the European Network and Information Security Agency) has published reports on mobile identity management and  behavioural biometrics.
• Payment system security:
• Copies of the EMV standards, and related documentation, are available from the EMVCo site.
• The European Network and Information Security Agency (ENISA) has published an interesting Report on ATM Crime.
• The Payment Card Industry (PCI) security standards are available here.
• Security standards:
• The Internet (IETF) documents, including current drafts, are all available at the IETF home page.
• For information regarding published ISO standards, see the ISO web site. Note that those ISO standards that are publicly available (only a small number I'm afraid) are available here.
• Secure software development:
• The Microsoft Security Development Lifecycle (SDL) web page is highly recommended. As stated on the page 'The SDL is ... [a] software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL introduces security and privacy throughout the development process'. Of particular interest to all developers are the wide range of development tools provided for free download.
• Vulnerabilities:
• Some classic papers on computer security are available here and here.
• The Microsoft Security Intelligence Report (SIR) provides analyses of the changing threat landscape, including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.
• Foundstone provides a nice range of free tools to test your understanding of penetration testing and finding vulnerabilities.
• This site provides a fascinating insight into how Microsoft manages software vulnerabilities.
• I am also happy to recommend this Penetration Testing and Vulnerability Analysis site [thanks again to Alex Borisov for the pointer].
• There is a really neat animated explanation of buffer overflow attacks here [thanks to Daan Stakenburg for this one].
• General:
• The European Network and Information Security Agency (ENISA) publishes a wide variety of reports on security topics.

Further security links (including a range of links to security standards pages) are available from Chris Mitchell's home page.