Syllabus

Topics of lectures [tentative, subject to changes!]

Course overview and brainstorming on cybersecurity

• Overview of the course (including administration, markings, projects, and so on)
• An introduction to the relevance and the basic notions of Cyber Security
• Additional material
  • https://www.weforum.org/reports/the-global-risks-report-2018
  • www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
  • https://www.darkreading.com/vulnerabilities---threats/why-information-integrity-attacks-pose-new-security-challenges/a/d-id/1331562
  • https://en.wikipedia.org/wiki/Mirai_(malware)
  • https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
  • https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf
  • https://www.consorzio-cini.it/index.php/it/labcs-home/libro-bianco
  • https://ec.europa.eu/info/law/law-topic/data-protection_en
  • https://www.consultancy.uk/news/16068/majority-of-companies-now-hit-by-a-cybersecurity-skills-gap

Basic notions

• Overview of basic notions underlying Computer and Network security, CyberSecurity, and their relationships
• Additional material
  • https://www.nist.gov/topics/cybersecurity
  • https://research.cornell.edu/news-features/unique-eye-cybersecurity
  • https://www.consorzio-cini.it/index.php/en/lab-cyber-security

Authentication I

• Basic principles of authentication, passwords, assurance levels, contextual authentication
• Additional material
  • NIST Digital Identity Guidelines

Cryptography: Introduction

• A bit of history, Basic notions, Symmetric and Asymmetric key encryption, AES, DES, RSA, Diffie-Hellman
• Additional material
  • http://www.garykessler.net/library/crypto.html
  • https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html
  • http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
  • http://www.garykessler.net/library/crypto.html
  • https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture12.pdf (RSA in detail)
  • https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture13.pdf (DH in detail)
  • https://crocs.fi.muni.cz/public/papers/rsa_ccs17

Cryptography at work: PKI and TLS

• Digital signatures, Certificates, Public Key Infrastructure, SSL/TLS (Handshake), some security issues of TLS
• Additional material
  • http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf
  • https://en.wikipedia.org/wiki/Digital_signature
  • https://en.wikipedia.org/wiki/Transport_Layer_Security
  • https://www.schneier.com/academic/archives/1996/11/analysis_of_the_ssl.html
  • https://www.usenix.net/legacy/publications/library/proceedings/sec98/full_papers/mitchell/mitchell.pdf
  • https://blog.cryptographyengineering.com/category/tlsssl/page/2/

Blockchain Technology

• Introduction to consensus and trust, with applications
• Links
  • NIST IR 8202: Blockchain technology overview. doi: 10.6028/NIST.IR.8202
  • https://www.enisa.europa.eu/publications/blockchain-security
  • https://bitcoin.org/bitcoin.pdf
  • https://lamport.azurewebsites.net/pubs/pubs.html#byz

Authentication II

• Single-Sign-On, SAML, SPID, eIDAS, CIE
• Additional material
  • http://saml.xml.org/saml-specifications
  • https://www.agid.gov.it/index.php/en/platforms/spid
  • https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG
  • https://www.cryptomathic.com/news-events/blog/understanding-eidas
  • https://www.cartaidentita.interno.gov.it/ (in italian)

Access Control I

• Basic principles, classic models: Matrix model, Access Control Lists, Capabilities, Discretionary/Mandatory/Role-Based Access Control
• Additional material
  • https://cseweb.ucsd.edu/classes/fa01/cse221/papers/lampson-protection-osr74.pdf
  • http://spdp.di.unimi.it/papers/survey96.pdf
  • http://profsandhu.com/journals/tissec/p224-ferraiolo.pdf

Access Control II

• OAuth, Attribute-Based Access Control (ABAC), eXtensible Access Control Markup Language (XACML)
• Additional material
  • http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf
  • https://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
  • http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf
  • https://oauth.net/2/
  • http://openid.net/developers/specs/

Web application security

• Browser model, cookies, same-origin policy, client-side and server-side vulnerabilities (e.g., cross-site scripting, injection, fishing), MQTT and related security issues
• Reading list
  • http://grosskurth.ca/papers/browser-refarch.pdf
  • https://tools.ietf.org/html/rfc6265
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
  • https://www.owasp.org/images/0/0a/OWASP_Top_10_2017_GM_%28en%29.pdf
  • http://mqtt.org/
  • https://sites.google.com/fbk.eu/mqttsa/

Privacy and Data Protection

• General Data Protection Regulation
• Links
  • https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
  • https://linddun.org/

Wrap-up

• A quick overview of the main topics considered during the course