Syllabus

Topics of lectures [tentative, subject to changes!]

Introduction

• Overview of basic ideas underlying Computer and Network security, CyberSecurity, and their relationships
• Slides (pdf)
• Additional material
  • https://www.nist.gov/topics/cybersecurity
  • https://research.cornell.edu/news-features/unique-eye-cybersecurity
  • https://www.consorzio-cini.it/index.php/en/lab-cyber-security

Authentication (I)

• Basic principles, passwords, assurance levels, contextual authentication
• Slides (pdf)
• Additional material
  • NIST Digital Identity Guidelines

Authentication (II)

• Single-Sign-On, SAML, OpenID connect, SPID
• Slides (pdf)
• Additional material
  • http://saml.xml.org/saml-specifications
  • https://oauth.net/2/
  • http://openid.net/developers/specs/
  • https://www.spid.gov.it/

Access Control (I)

• Basic principles, classic models: Matrix model, Access Control Lists, Capabilities, Discretionary/Mandatory/Role-Based Access Control
• Slides (pdf)
• Additional material
  • https://cseweb.ucsd.edu/classes/fa01/cse221/papers/lampson-protection-osr74.pdf
  • http://spdp.di.unimi.it/papers/survey96.pdf
  • http://profsandhu.com/journals/tissec/p224-ferraiolo.pdf

Access Control (II)

• Attribute-Based Access Control (ABAC) and XACML
• Slides (pdf)
• Additional material
  • http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf
  • https://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
  • http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf

Wrap-up on Authentication and Authorization: TreC

• E-health solutions: security problems, TreC, Authentication and Access Control in TreC, Sample questions for exams
• Slides (pdf)
• Additional material
  • https://en.wikipedia.org/wiki/EHealth
  • https://trec.trentinosalute.net/home
  • https://www.enisa.europa.eu/publications/security-and-resilience-in-ehealth-infrastructures-and-services
  • https://www.researchgate.net/profile/Silvio_Ranise/publication/221406042_Automated_Analysis_of_Semantic-Aware_Access_Control_Policies_A_Logic-Based_Approach/links/00463515d9692562e9000000.pdf (first two sections only)

Cryptography I

• Basic notions, Symmetric key encryption, hints to key management
• Slides (pdf)
• Additional material
  • http://www.garykessler.net/library/crypto.html
  • https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html
  • http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Cryptography II

• Public key Encryption, RSA, Diffie-Hellmann, Key exchange protocol
• Slides (pdf)
• Additional material
  • http://www.garykessler.net/library/crypto.html
  • https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture12.pdf (RSA in detail)
  • https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture13.pdf (DH in detail)
  • https://crocs.fi.muni.cz/public/papers/rsa_ccs17

Cryptography at work I

• Digital signatures, Certificates, Public Key Infrastructure
• Slides (pdf)
• Additional material
  • http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf
  • https://en.wikipedia.org/wiki/Digital_signature

Cryptography at work II

• SSL/TLS, introduction to automated security analysis of TLS, some flaws of TLS
• Slides (pdf)
• Additional material
  • https://en.wikipedia.org/wiki/Transport_Layer_Security
  • https://www.schneier.com/academic/archives/1996/11/analysis_of_the_ssl.html
  • https://www.usenix.net/legacy/publications/library/proceedings/sec98/full_papers/mitchell/mitchell.pdf
  • https://blog.cryptographyengineering.com/category/tlsssl/page/2/

Guest Lecture by A. Zorer, President of Trentino Network

• Overview of the activities (especially those relevant for cybersecurity) of Trentino Network
• Slides (pdf)
• Reading list
  • https://en.wikipedia.org/wiki/Firewall_(computing)
  • https://en.wikipedia.org/wiki/Virtual_private_network
  • https://en.wikipedia.org/wiki/IPsec
  • https://en.wikipedia.org/wiki/Denial-of-service_attack
  • https://en.wikipedia.org/wiki/Computer_worm

Web security

• Browser model, cookies, client vulnerabilities (e.g., cross-site scripting, injection, fishing), server vulnerabilities (e.g., injection, scripting, users)
• Slides (pdf)
• Reading list
  • http://grosskurth.ca/papers/browser-refarch.pdf
  • https://tools.ietf.org/html/rfc6265
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
  • https://www.owasp.org/images/0/0a/OWASP_Top_10_2017_GM_%28en%29.pdf

Mobile security

• Mobile devices, possible attackers, mobile threats, Android
• Slides (pdf)
• Reading list
  • https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
  • blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet
  • https://source.android.com/security/
  • https://www.usenix.org/legacy/event/sec11/tech/full_papers/Felt.pdf
  • http://www.ieee-security.org/TC/SPW2015/MoST/papers/s2p3.pdf

Lectures by Tal Melamed of the Security & Trust Research Unit, FBK: Penetration Testing of Web Applications

• Introduction and overview of main tools and techniques to penetration testing of web applications
• Slides (pdf)
• Reading list
  • https://portswigger.net/
  • https://www.microsoft.com/en-us/research/publication/how-to-shop-for-free-online-security-analysis-of-cashier-as-a-service-based-web-stores/

Cloud security

• Cloud computing, storage services, security issues
• Slides (pdf)
• Reading list
  • https://aws.amazon.com/products/security/?nc2=h_l3_db
  • https://aws.amazon.com/compliance/shared-responsibility-model/
  • https://aws.amazon.com/blogs/security/introducing-aws-single-sign-on/
  • https://docs.openstack.org/security-guide/

Guest Lecture by P. Sartori, CSO & SOC Manager of Informatica Trentina

• Overview of the cybersecurity issues in handling the data-center of Informatica Trentina
• Slides (pdf)
• Reading list
  • https://www.nist.gov/topics/cybersecurity
  • https://www.imperial.ac.uk/business-school/knowledge/technology/cybersecurity-cornerstone-of-the-digital-economy/
  • http://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT

Guest Lecture by P. Guarda, Lecturer in Information Technologies Law, Faculty of Law, University of Trento

• Security vs Privacy, Legal Compliance, European Data Protection Directive (EU DPD), Generalized Data Protection Regulation and compliance (GDPR)
• Slides (pdf)
• Reading list
  • http://ec.europa.eu/justice/data-protection/
  • https://www.eugdpr.org/
  • http://gdprcoalition.ie/