T. Andrew Yang: CSCI5234 Web Security

T. Andrew Yang

Tel.: (281) 283-3835

Last updated:

April 30, 2009

CSCI 5234 Web Security

Spring 2009 (1/20 - 5/4 + final)


Lecture Notes & Schedule - Print and bring the lecture notes to the class.	Assignments / Projects Office Hours
Check the discussion board for the recent announcements & reminders. If you have not joined the discussion board yet, you may join at http://groups.google.com/group/csci5234WebSecuritySpring2009/. Important! To be accepted into the discussion group, make sure you use your full name as your yahoo id.
Installation of JCE security provider for unlimited strength security NOTE: For JDK1.4 or higher, JCE is an integrated component. If for some reason you need to use JDK older than v1.4, JCE needs to be separately downloaded and installed. See http://java.sun.com/products/jce/index-14.html for more details. Java source programs from the Professional Java Security book

Time (Classroom):

Thur. 4-6:50pm (Delta241)

Prerequisite: Web Applications Development (csci/cinf4230) and Computer Security (csci/cinf4233 or csci5233), or instructor's approval.
Note: If you do not have either of the prerequisites, you MUST talk to the instructor. It is assumed that students enrolled in this class are familiar with fundamental topics such as cryptography (symmetric vs asymmetric encryptions/decryptions), security protocols (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web applications development.

Course Objectives: The primary objective of this course is to study and practice fundamental techniques in developing secure web based applications, including vulnerability of web based applications and how to protect those applications from attacks. In addition, advanced topics related to Web, such as E-commerce security, Web 2.0, collaborative Web-based applications, etc., will also be studied. Students are encouraged to complete a publishable research paper in one of the related topics.

Class Format: Lectures are combined with discussions and, if applicable, presentations and discussions of advanced topics. Students are expected to be active participants in this class, by studying the relevant chapters and/or research papers, and actively participating at in-class and online discussions. Programming projects employing the various security techniques and n-tier web based architecture are part of the course. Students are expected to engage in a research project of topics related to Internet security, and make both written and oral presentations of the project.

Instructor: Dr. T. A. Yang

(office) Delta 106
Office hours (NOTE: If the suite office is locked, you may use the phone outside the office to call me, by entering the extension 3835).

You are highly encouraged to send your questions to me by e-mails or by posting the question at the discussion board . You, however, are responsible for describing the problem(s) you have encountered, the solution(s) you have tried, and the outcome you have got from these solution(s).

(phone#) (281) 283-3835 (Please leave a message if not available.)
(email address) yang@uhcl.edu (Note: Emails without a proper subject line and your full name will be discarded. Here is a sample subject line: "CSCI 5234 project #1, question 1".
(web site) http://sce.uhcl.edu/yang/

Teaching assistant info and office hours

Textbooks:

Required		O: Oppliger, Rolf. Security Technologies for the World Wide Web, Second Edition. Artech House Publishers. 2003. (ISBN: 1580533485).
Recommended		GS: Garms, Jess and Daniel Somerfield. Professional Java Security. Wrox. 2001. (ISBN: 1861004257) Note: You may purchase an electronic copy of the Java Security book from its current owner, APress.com, by clicking here. Or alternatively, you may check out the Amazon.com used book sale to find a used copy.
+ Instructor's handout in the class and/or on the Web

Supplemental Materials:

Oracle related links:

Architecture of Oracle Net Services
Listener Architecture
Transparent Network Substrate (TNS)
Listener Control Utility
Sample use of the lsnrctl command (Oracle's Listner Control Utility)
Oracle9iAS Security : Collection of samples illustrating implementation of various security technologies in Oracle9i Application Server and Oracle9i Database
Integrated Security Demo - Single Sign-On in Oracle9iAS using JAAS Provider, PKI and Web Services Security Download (JAR, 265KB) Readme
Current Oracle Documentation & Search the Oracle documentation for a specific feature, option, or error

JDBC Security:

Oracle's secure JDBC
Oracle Java Roadmap - JDBC (http://otn.oracle.com/tech/java/jroadmap/jdbc/listing.htm#998338)
Secure JDBC connection for Java applets

SSH:

SSH (or Secure SHell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine ...

Useful information about Java mail:

To implement the JavaMail in program, you need to go to Sun's website to download the APIs: http://java.sun.com/products/javamail/ and http://java.sun.com/products/javabeans/glasgow/jaf.html
Sample code fragment: sendMail.java

Servlet Security:

JavaScript + client-side session id + hidden fields : Check out the information at http://www.pseudonym.org/ssl/ssl_msclient_certs.html to see a demonstration of a client generating a unique session id, by running a JavaScript, and then sends the session id (along with other parameters) as hidden input value back to the server.

HTTP & History of the WWW:

[HTTP 1991] The Original HTTP as defined in 1991 .
[HTTP 1992] Basic HTTP as defined in 1992 .
[HTTP 1996] RFC1945 : Hypertext Transfer Protocol -- HTTP/1.0. T. Berners-Lee, R. Fielding, H. Frystyk. May 1996. Informational. (Note: This document also defines HTTP/0.9.) local copy
[HTTP 1999] RFC2616 : Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee. June 1999. DRAFT STANDARD. local copy
[irt.org 1998] WWW – How It All Began .
[isoc.org 2000] The Internet Society. A Brief History of the Internet . August 4, 2000.

Internet Glossaries

RFC2828: Internet Security Glossary. R. Shirey. May 2000.
http://www.netlingo.com: searchable online dictionary
http://www.sharpened.net/glossary/index.php: Try the 'Google' search over sharpened.net at this site.

RFCs related to HTTP:

RFC2585: Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. R. Housley, P. Hoffman. May 1999. PROPOSED STANDARD. local copy of rfc2585

RFC2616: Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee June. June 1999. DRAFT STANDARD. local copy of rfc2616

RFC2617: HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999. DRAFT STANDARD. local copy of rfc2617

RFC2965: HTTP State Management Mechanism. D. Kristol, L. Montulli. October 2000. PROPOSED STANDARD. local copy of rfc2965

RFCs related to TLS:

RFC2246: The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999. PROPOSED STANDARD. local copy of rfc2246

RFC2712: Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). A. Medvinsky, M. Hur. October 1999. PROPOSED STANDARD. local copy of rfc2712

RFC2817: Upgrading to TLS within HTTP/1.1. R. Khare, S. Lawrence. May 2000. PROPOSED STANDARD (Updates RFC2616). local copy of rfc2817

RFC2818: HTTP over TLS. E. Rescorla. May 2000. INFORMATIONAL. local copy of rfc2818

RFC2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security. J. Hodges, R. Morgan, M. Wahl. May 2000. PROPOSED STANDARD (Updated by RFC3377). local copy of rfc2830

RFC3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). P. Chown. June 2002. PROPOSED STANDARD. local copy

Other Related RFCs:

RFC2827/BCP0038: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May 2000. BEST CURRENT PRACTICE. local copy
RFC3377: Lightweight Directory Access Protocol (v3): Technical Specification. J. Hodges, R. Morgan. September 2002. PROPOSED STANDARD. local copy of rfc3377

Related Web Sites & Documents:

a case study of SSL and Man-in-the-Middle attack (or a local copy)
* Man in the middle attack as explained on Wikipedia, the free encyclopedia
Bejtlick, Richard. "Implementing Network Security Monitoring with Open Source Tools": Interesting discussions of net monitoring issues, including open source tools such as tcpdump, argus, snort, trafd/trafshow, sguil, etc.
veriSign Technical Brief. "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services"
www.cybercrime.gov Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the US Dept. of Justice
** Computer crime
*** 18 U.S.C. 2511: Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited
Value of Authentication: Authentication is critical to online security - free Thawte guide (user registration required), local copy
Two-factor authentication: RSAsecurity's white paper on SecureID (local copy)
WWW Links at Rolf Oppliger's home page: http://www.esecurity.ch/ (click the 'WWW Links' link)
Discussion about 'cross-site scripting' and the recently discovered ' cross-site tracing'
The World Wide Web Security FAQ: http://www.w3.org/Security/faq/
A group called OWASP (Open Web Application Security Project) has published a list of the ten most common security flaws found in scripts used to run Web sites...
RSASecurity's white paper on Web Access Management
An older (1998) article on ' Survey of Web Security '. IEEE Computer (1998).
Collection of Cryptography Web Sites, Publications, FAQs, and References: http://world.std.com/~franl/crypto.html
Cryptography FAQ Index: http://www.faqs.org/faqs/cryptography-faq/
CSCI 5939 Independent Study - Wireless Security
CSCI 5939 Independent Study - Wireless Application Protocols (WAP)
North American Cryptography Archives: http://www.cryptography.org/
FAQ: What is TLS/SSL? http://www.mail.nih.gov/user/faq/tlsssl.htm
The Open SSL Project (SDKs for free download): http://www.openssl.org/
Windows & .NET security updates Web site: http://www.ntsecurity.net/

Topics, Notes & Schedule

The due dates are fixed and will not be extended, unless specifically announced. Start your work early!
The topics column is subject to change when the class moves on. Check with the instructor if you have doubt concerning the teaching schedule.
Rolf Oppliger's slides page: http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm

wk (dates)	Topics (Chapter)	Due Dates
1 (1/22)	Syllabus, projects, presentations, etc. Overview of N-tier web applications Introduction of Internet, WWW, and Security (O: Ch 1) List of sample projects: discussion/selection of projects	All have joined the discussion group (see above). Project teams are formed.
2 (1/27)	Overview: security components and mechanisms On-line shopping & payment systems HTTP Security (O: Ch 2), IIS security	Team project title and team membership are due. Publish them in the discussion group.
3 (2/5)	Proxy Servers, Firewalls, NAT (O: Ch 3) + Firewalls (an older set of slides) + Pix firewall configuration + Design of Distributed Computer Security Lab, Journal of Computing Sciences in Colleges. 20(1). 10/2004. + Network Security Development Process (a working draft)
4 (2/12)	Internet Security Protocols (O: Ch 5, slides 75-100) + IP security (slides from the Stallings book)	Assignment 1
5 (2/19)	SSL & TLS Protocols (O: Ch 6, slides 101-114) + SSL (GS: Ch. 9) + a case study of SSL and Man-in-the-Middle attack (or local copy) + Man in the middle attack as explained on Wikipedia, the free encyclopedia + Internet Explorer SSL Vulnerability (08/05/02)	Preliminary design (ER model, UML class diagrams) of Programming project (Publish it in the class discussion board before the class.)
6 (2/26)	Certificates for the WWW (O: Ch 7, slides 115-135) + Ten Risks of PKI (by Ellison and Schneier, local copy)	Abstract of the research project (Publish it in the class discussion board.)
7 (3/5)	Midterm Exam	Midterm exam
8 (3/12)	Demonstration of project one NOTE: Each team's Power Point slides must be published 24 hours before the presentation. Prototype Demo (15~20 minutes per team)	Programming project · Detailed Design (Publish it in the discussion board.)
~~9 (3/19)~~	Spring break
10 (3/26)	Securing a Database (GS: Ch. 10) + supplemental Notes: TunnelServer.doc (for Oracle) + Tunnel Server Tutorial for MySQL + Oracle Roadmap: JDBC + Two sample applications using Oracle JDBC drivers: a) secure thin JDBC; b) secure OCI JDBC (thick client)
· last day to drop a class: 3/30
11 (4/2)	Electronic Payment Systems (O: Ch 9, slides 150-159) + VeriSign's Technical Brief "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services + questions & answers + electronic money (at Wikipedia.org) Server-side security (O: Ch 11, slides 189-216)	Assignment 2
12 (4/9)	Client-side security (O: Ch 10, slides 160-188) Securing Large Applications (GS: Ch. 11) Privacy Protection & Anonymity Services (O: Ch 12, slides 216-233) + privacy anonymity.ppt + Sample Privacy.net analysis + Privacy Analysis of your Internet Connection - How it works	Programming project Final Report (Publish the project reports in the discussion board.)
13 (4/16)	Slides: Adam_Vaughan_GradeBook_Slides.pdf HailSecondPresentation.ppt Nilsson_Claus_Presentation.pptx	Demo of programming projects
14 (4/23)	Slides: PNT_FINAL_PRESENTATION.pptx TeamCA Project Slides CSCI5234.pptx	Demo of programming projects Research Project DRAFT (Publish it in the class discussion board.)
15 (4/30)	Risk Management (O: Ch 15) - sample vulnerability analysis (developing a networked lab) - a refined network security development model System Security	Research Project Send it to yang@uhcl.edu
16 (5/7)	Final exam (open-book, comprehensive) Final exam questions can be downloaded from this page. Follow the instructions given in the exam to submit your answers.	Final exam

Computer Labs & Hours

The NT Lab (Delta 119) is equipped with computers that have been properly configured to run Java applications requiring JCE and JDK.

Check http://sce.uhcl.edu/computing.asp for lab information, open hours, FAQs, etc.

NT account information at: http://sce.uhcl.edu/accountSearch.html
UNIX account information at: http://sce.uhcl.edu/UnixLabFAQ.asp
All the software that is available for use in the UNIX and NT labs can be found at the following web pages: http://sce.uhcl.edu/NTLabIntroduction.asp for the NT lab and http://sce.uhcl.edu/UnixLabSoftware.asp for the UNIX lab

Oracle online information
The Distributed Computer Security Lab at UHCL: DCSL User Information

Evaluation:


category	percentage
assignments	10%
projects	20%
midterm	20%
participation (in class and in the discussion board)	10%
research paper	15%
Final exam	25%

NOTE: The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.

Grading Scale:


Percentile	Grade
93% or above	A
S90% - 92%	A-
87% - 89%	B+
84% - 86%	B
80% - 83%	B-
77% - 79%	C+
74% - 76%	C
70% - 73%	C-
60%-69%	D
59% or below	F

Tests:

Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests.

Assignments/Projects and Late Penalty:

Assignments and projects will be posted at the class web site. Assignments & projects are due before the beginning of the class on the due day. See Topics and Notes for the due dates.

Points will be deducted from late assignments: 20% for the first 24 hours after the due time, 40% for the next 24 hours, 70% for the third 24 hours, and 100% after that. No extension will be granted except for documented emergency. Starting to work on the assignments as early as possible is always the best strategy.

NOTE: Unless otherwise specified, all assignments and projects are individual work. Students should take caution not to violate the academic honesty policies. See http://b3308-adm.uhcl.edu/PolicyProcedures/Policy.html for details of the University policies.

Assignments/Projects Guidelines:

Identification page: All assignments must have your name, and course name/number/section number (e.g., CSCI234-01 or CSCI5333-03) at the top of the first page.

Proper stapling: Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.

Order! Order! Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.

Word processing: It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments.

Check the spelling and the grammar for the whole document before handing it in. You may loose points due to spelling or grammatical errors.

Use proper commenting and structure in your programs.

Projects:

The projects will involve the design and implementation of a secure N-tier web based application demonstrating the development of a secure Java online application using various technology. Students are expected to employ the theories and techniques learned in the class to design and implement the system.

Attendance Policy:

You are expected to attend all classes. If you ever miss a class, it is your responsibility to get hold of whatever may have been discussed in that class.

Instructor's Notes:

Unless due to unexpected, documented emergency, no make-up exams will be given. No make-up exams will be granted once the exams have been corrected and returned to the class.

Important: If you think you have lost some points due to grading errors, make sure you approach the instructor within a week after the assignment, project, or test is returned to you.

To get the most out of this class, you need to read the textbooks and spend time using computers regularly. Be prepared for a class by preview the material to be covered in that class and participate in discussions and problem-solving exercises, if applicable, in the class.

Due to the intensive nature of graduate classes, 15-20 hours per week are expected of students in studying the textbook/notes and working on the assignments, in addition to class attendance. Expect to spend more hours during summer sessions.

Go to the Index

Main Page

Biography

Teaching

o Office hours