0CI01(01712560): Information Security Engineering(Fall 2016)

Time: Thursdays 8:30-11:30 am

Location: 3305, Teaching Building, DaXing

Class web site: https://huipingsun.github.io/ise2016

Instructor: Huiping Sun (sunhp(at)ss.pku.edu.cn)

TA: No

Textbook: Ross Anderson. Security Engineering. Second Edition. Wiely. 2008.

Course Description

Although most of traditional cryptography and security techology are relatively well understood, the knowledge and practice of how to apply user's economical, psychological and social factor into security is insufficient.

The course covers the basics of economics, psychology and socialology of security, and introduces password, biometrics, CAPTCHA, physical protection, reputation and others technology, in the meantime, analyses how to implement information security engineering in some critical information systems and applications such as crowdsource, payment, smartphone, social network.

Course Schedule

Date	Topics	Readings
September 22	01. Course Overview [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 1: What Is Security Engineering?
September 22	02. Economics of Information Security [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 7: Economics Ross Anderson. Why Information Security is Hard - An Emconmics Perspective. In Proc. ACSAC'2001. Tyler Moore and Ross Anderson. Economics and Internet Security - a Survey of Recent Analytical, Empirical and Behavioral Research. Technical Report 2011. Ross Anderson. Security Economics - A Personal Perspective. In Proc. ACSAC'2012.
September 29	03. Usable Security [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 2: Usability and Psychology Alma Whitten and J.D.Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proc. USENIX Security'1999. Anne Adams and Martina Angela Sasses. Users Are Not The Enemy. In Communications of ACM. 1999. Lorrie Faith Cranor. A Framework for Reasoning About the Human in the Loop. In Proc. UPSEC'2008. Bruce Schneier. The Psychology of Security. 2008.
October 6	04. Graphical Password [Slides][PassApp-Slides]	Robert Biddle et al. Graphical Passwords: Learning from the First Twelve Years. In ACM Computing Surveys. 2012. Florian Schaub et al. Exploring the Design Space of Graphical Passwords on Smartphones. In Proc. SOUPS'2013. Huiping Sun et al. PassApp: My App is My Password! In Proc. MobileHCI'2015.
October 13	05. Password Manager [Jun Zhang, Kai Wang, Zhilai Mao]	Zhiwei Li et al. The Emperor's New Password Manager: Security Analysis of Web-based Password Managers. In Proc. USENIX Security'2014. David Silver et al. Password Managers: Attacks and Defenses. In Proc. USENIX Security'2014. Nora Alkaldi and Karen Renaud. Why Do People Adopt, or Reject, Smartphone Password Managers? In Proc. EuroUSEC'2016.
October 13	06. Text Password [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 2.4: Passwords Cormac Herley and Paul van Oorschot. A Research Agenda Acknowledging the Persistence of Passwords. In IEEE Security & Pricacy Magazine. 2012. Joseph Bonneau et al. Passwords and The Evolution of Imperfect Authentication. In Communications of ACM. 2015.
October 20	07. Biometrics [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 15: Biometrics Weizhi Meng et al. Surveying the Development of Biometric User Authentication on Mobile Phones. In IEEE Communication Survey & Tutorials. 2014. Addulaziz Alzubaidi and Jugal Kalita. Authentication of Smartphone Users Using Behavioral Biometrics. In IEEE Communication Survey & Tutorials. 2015.
October 27	08. Human Computation [Slides] [Xiaolin Qin, Haotian Hao, Xiaolong Liu, Meiyouyou Yuan]	Edith law and Luis von Ahn. Human Computation. Synthesis Lectures on Artificial Intelligence and Machine Learning 2011. Alexander J. Quinn and Benjamin B. Bederson Human Computation: A Survey and Taxonomy of a Growing Field. In Proc. CHI'2011.
November 3	09. Password Vaults [Shihai Chen , Shinai Yang ]	Ari Juels and Ronald L. Rivest. Honeywords-Making Password-Cracking Detectable. In Proc. CCS'2013. Georgio Kontaxis et al. SAuth: Protecting User Accounts from Password Database Leaks. In Proc. CCS'2013.
November 3	10. CAPTCHA [Slides]	Gerardo Reynaga. The Usability of CAPTCHAs on Mobile Devices. Chapter 2: Backgrounds. PhD. Dissertation. Carleton University. 2015. Suphannee Sivakorn et al. I Am Robot- (Deep) Learning to Break Semantic Image CAPTCHAs. In Proc. EuroS&P'2016.
November 10	11. Reputation [Slides] [Dong Pan]	Paul Resnick et al. Reputation System. In Communications of the ACM. 2000. Lik Mui et al. A Computational Model of Trust and Reputation. In Proc. HICSS'2002. Audun Josang et al. A Survey of Trust and Reputation Systems for Online Service Provision. In Decision Support Systems. 2007. Steven Tadelis. The Economics of Reputation and Feedback Systems in E-Commerce Marketplaces. In IEEE Internet Computing Magazine. 2016.
November 17	12. Project Progress Presentation 13. Physical Protection [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 11: Physical Protection Ross Anderson. Security Engineering (Second Edition). Chapter 14: Security Printing and Seals Ross Anderson. Security Engineering (Second Edition). Chapter 16: Physical Tamper Resistance
November 24	14. Fingerprinting [Haoran Hu, Bingyan Wang, Tengfei Chen]	Refael Veras et al. Fingerprinting Web Users through Font Metrics. In Proc. FC'2015. Saranga Komanduri et al. Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods. In Proc. ACSAC'2016. Jeremiah Blocki et al. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. In Proc. IEEE S&P'2016.
November 24	15. Privacy [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 23: The Bleeding Edge
December 1	16. Password Policy [Menglin Li, Ruihua Xie, Chao Feng, Baichuan Li]	Refael Veras et al. On the Semantic Patterns of Passwords and their Security Impact. In Proc. NDSS'2014. Saranga Komanduri et al. Telepathwords-Preventing Weak Passwords by Reading Users' Minds. In Proc. USENIX Security'2014. Jeremiah Blocki et al. Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords. In Proc. NDSS'2015. Yue Li et al. A Study of Personal Information in Human-chosen Passwords and Its Security Implications. In Proc. Infocom'2016.
December 8	17. Social Authentication [Min Li, FangFang Yang, Yihong Liu]	Iasonas Polakis et al. All Your Face Are Belong to Us: Breaking Facebook's Social Authentication. In Proc. FC'2012. Hyoungshick Kim et al. Social Authentication: Harder than it Looks. In Proc. FC'2016. Iasonas Polakis et al. Faces in the Distorting Mirror- Revisiting Photo-based Social Authentication. In Proc. CCS'2014.
December 8	18. Social Networks Security [Slides]	Imrul Kayes and Adriana Iamnitchi A Survey on Privacy and Security in Online Social Network. In arXiv'2015.
December 15	19. Access Control [Slides]	Ross Anderson. Security Engineering (Second Edition). Chapter 4: Access Control Ross Anderson. Security Engineering (Second Edition). Chapter 8: Multilevel Security Ross Anderson. Security Engineering (Second Edition). Chapter 9: Multilateral Security
December 22	20. Bitcoin I [Slides]	Arvind Narayanan et al. Bitcoin and Cryptocurrency Technologies. 2016.
December 29	21. Bitcoin II [Slides]	Arvind Narayanan et al. Bitcoin and Cryptocurrency Technologies. 2016.
January 5	22. Final Project Presentations	TBD

Course Grading

The grading scheme is as follows:

60% Readings + Quizzers + Presentations
40% Project

Course Projects

Password Manger
Review Spam Detection
Honeyword without Checker
Graphical OTP
Multiple Word Password
Visual Password
Physical Unclonable Function

0CI01(01712560): Information Security Engineering(Fall 2016)

Course Description

Course Schedule

Date

Topics

Readings

Course Grading

Course Projects