Download - Information Security Curriculum Proposal 15 January 2014fora.aa.ufl.edu/docs/47//18March14//18Mar14_COT5XXX_Introductio… · Information Security Curriculum Proposal . Richard E.

Information Security Curriculum Proposal

Richard E. Newman

Joseph N. Wilson

15 January 2014

Introduction

Given the increasing importance of information security as an area, the emphasis on it at the state and federal level as well as within the corporate world, and the fact that several of the proposed courses have been taught as special topics one or more times, we propose that the courses in the information security area be restructured to reflect a more complete offering and include a certificate program.

Existing Situation

Our current permanent course listing in the cybersecurity area includes only the venerable CNT 5410 Computer and Network Security, although a proposed course, Penetration Testing -- Ethical Hacking, has passed College of Engineering approval. Aside from these, we have offered several special topics courses, including versions of all of the proposed courses below as well as more esoteric topics that will not be proposed as regular courses (e.g., anonymity and information hiding, computer security theory, secure coding, cryptographic protocols, etc.).

Originally positioned as the single security course offering, the current CNT 5410 Computer and Network Security course covers material from traditional computer security, cryptography, and network security. There is simply too much material to give reasonable coverage in the time available, and the three parts, while related, each have a significant amount of material distinct from the other parts.

Plan

To remedy this problem and give students a solid understanding of each of these areas, the Computer and Network Security course will be obsoleted and replaced by three courses that address the content it attempted to cover, only in more depth. This arrangement not only allows for greater depth in a very large area, but also allows for students in other courses who need specific background (e.g., in cryptography) to obtain it more thoroughly without having to spend significant time on less relevant areas for their needs.

To address the needs of both undergraduate and graduate students, these three courses will be offered at both levels, perhaps sharing a common lecture and text, but requiring graduate students to read original papers, derive theoretical results, and produce more sophisticated projects.

The undergraduate Cybersecurity course is proposed in response to the warm reception the special topics class in that area received in fall 2012. A large number of beginning computer majors and a fair number of non-computer majors took the course. Hence the course is proposed to introduce the area to those with minimal background (it does not have prerequisites), to raise awareness and knowledge of the pervasiveness of computing and communication security concerns in the modern world, and to attract new students to the security and computing curriculum.

Proposed Permanent Courses

1. Undergrad cybersecurity

2. Grad and undergrad computer security

3. Grad and undergrad cryptology

4. Grad and undergrad network security

5. Penetration Testing -- Ethical Hacking

6. Malware Reverse Engineering

The Computer and Network Security class would be obsoleted. All courses are stand-alone courses, relative to each other. Cryptographic components are largely taken as black boxes in the other courses, while their algorithms and implementations are revealed in detail in the cryptology course. Overlap between the courses is minimal (typically 1-2 weeks), and the last two courses emphasize laboratory work, while the first four emphasize theory, case studies, and projects.

UCC1: New Course Transmittal Form

Department Name and Number

Recommended SCNS Course Identification

Transcript Title (please limit to 21 characters)

Prefix Level Course Number Lab Code

Amount of Credit

Repeatable Credit

Contact Hour: Base or Headcount

Course Description (50 words or less)

Prerequisites Co-requisites

Degree Type (mark all that apply) Baccalaureate Graduate Other

Introductory Intermediate Advanced

Department Contact

College Contact

Name

Phone Email

Name

Phone Email

Rev. 7/13

Rationale and place in curriculum

Category of Instruction

Effective Term and Year Rotating Topic yes no

S/U Only yes no

yes no If yes, total repeatable credit allowed

Variable Credit yes no If yes, minimum and maximum credits per semester

Professional

Full Course Title

Standardized Syllabus for the College of Engineering

COT 5xxx Introduction to Cryptology

1. Catalog Description - Credits: 3

This course introduces classical and modern cryptography and cryptanalysis, including symmetric and asymmetric (public key) ciphers. It covers cryptographic hash functions, block and stream ciphers, as well as differential and linear cryptanalysis. It reviews BAN logic, applications of cryptography, cryptographic standards and protocols, and analyzes case studies of failed implementations.

2. Pre-requisites and Co-requisites: COT 3100 Applications of Discrete Structures or equivalent is required, COT 5405 Analysis of Algorithms is corequisite.

3. Course Objectives: Students will study the history, design, implementation, and analysis of cryptographic ciphers. Graduate students are expected to prove results in cryptography and analyze protocols using BAN logic. Successful students will be able to distinguish public key from private key cryptosystems, know where and how to use these in larger systems, and analyze a given cipher for security. They will be able to apply their knowledge of data structures, algorithms, performance analysis, and protocols to real-life problems in cryptographic systems.

4. Contribution of course to meeting the professional component (ABET only – undergraduate courses): N/A

5. Relationship of course to program outcomes: Skills student will develop in this course (ABET only – undergraduate courses): N/A

6. Instructor: R. Newman

   a. Office location: CSE-E346
   b. Telephone: 352-505-1579
   c. E-mail address: nemo-at-cise-dot-ufl-dot-edu
   d. Class Web sites: http://www.cise.ufl.edu/~nemo/crypto/
   e. Office hours: MWF 10:30-11:30 and 1:00-2:00

7. Teaching Assistants: TBD

   a. Office location: CSE-E309
   b. Telephone: TBD
   c. E-mail address: TBD
   d. Office hours: TBD

8. Meeting Times: TBD

9. Class/laboratory schedule, i.e., number of sessions each week and duration of each session: 3 50-minute lectures

10. Meeting Location: TBD

11. Material and Supply Fees: N/A

12. Textbooks and Software Required

   a. Title: "Cryptography and Network Security"
   b. Author: Stallings
   c. Publication date and edition: Prentice Hall, Upper Saddle River, NY, 2011, 5/e
   d. ISBN: 0-13-609704-9

13. Recommended Reading: N/A

14. Course Outline (provide topics covered by week or by class period)

a. Introduction and Historical Ciphers – 3 wks
   i. Codes, ciphers, and information hiding
   ii. Monoalphabetic ciphers
   iii. Polyalphabetic ciphers
   iv. Block ciphers
   v. Rotor machines
   vi. Information theory in cryptography

b. Modern Block Ciphers – 4 wks
   i. DES and the Feistel structure
   ii. Triple-DES
   iii. AES
   iv. Block cipher modes: ECB, CBC, modes for disk storage

c. Modern Stream Ciphers – 2 wks
   i. RC4
   ii. Block cipher stream modes: OFB, CFB, CTR

d. Public Key Cryptosystems – 3 wks
   i. RSA
   ii. Diffie-Hellman
   iii. ECC
   iv. Digital Signatures

e. Cryptographic Hashes – 2 wks
   i. One-way functions
   ii. Uses for cryptographic hashes
   iii. Birthday attack
   iv. Early hash functions
   v. MD4
   vi. MD5
   vii. SHA-1
   viii. SHA-2
   ix. SHA-3

f. Cryptographic Protocols – 2 wks
   i. Key distribution and authentication
   ii. BAN logic
   iii. Standards – SSL, TLS, RSNA

15. Attendance and Expectations (is attendance required, penalties for absence, tardiness, cell phone policy, etc.)

Requirements for class attendance and make-up exams, assignments, and other work are consistent with university policies that can be found at http://catalog.ufl.edu/ugrad/current/regulations/info/attendance.aspx. Pop quizzes may be given on assigned reading and on material covered in classes. Cell phones and pagers must be silent during class. Reading emails, facebook, etc. is appropriate at some other time and place. Questions are encouraged - raise your hand to be recognized. Try to formulate the question before asking it, and wait to see if it is answered in a few minutes so we can maintain flow. Lengthy discussions will be deferred to office hours. Students are required to check the class web pages at least three times a week (MWF) for announcements/updates. You are responsible for all assignments posted on the web page or announced in class.

16. Grading – methods of evaluation:

   a. Quizzes and Homeworks: 20%
   b. Exams: 40% (midterm and final)
   c. Projects: 40%

Project grades include scoring for documentation and good programming practice in addition to correct functionality. Projects shall focus on cryptology. Examples include cryptographic functions, cryptanalysis, cryptographic protocols, applications of cryptography to authentication, etc.

17. Grading Scale: A >= 90%, 90% > A- >= 87%, 87% > B+ >= 85%, 85% > B >= 80%, 80% > B- >= 77%, 77% > C+ >= 75%, 75% > C >= 70%

Obligatory Statements

“A C- will not be a qualifying grade for critical tracking courses. In order to graduate, students must have an overall GPA and an upper-division GPA of 2.0 or better (C or better). Note: a C- average is equivalent to a GPA of 1.67, and therefore, it does not satisfy this graduation requirement. For more information on grades and grading policies, please visit: https://catalog.ufl.edu/ugrad/current/regulations/info/grades.aspx”

“Undergraduate students, in order to graduate, must have an overall GPA and an upper-division GPA of 2.0 or better (C or better). Note: a C- average is equivalent to a GPA of 1.67, and therefore, it does not satisfy this graduation requirement. Graduate students, in order to graduate, must have an overall GPA of 3.0 or better (B or better). Note: a B- average is equivalent to a GPA of 2.67, and therefore, it does not satisfy this graduation requirement. For more information on grades and grading policies, please visit: https://catalog.ufl.edu/ugrad/current/regulations/info/grades.aspx”

18. Make-up Exam Policy – Requirements for make-up exams, assignments, and other work are consistent with university policies that can be found at http://catalog.ufl.edu/ugrad/current/regulations/info/attendance.aspx.

19. Honesty Policy – All students admitted to the University of Florida have signed a statement of academic honesty committing themselves to be honest in all academic work and understanding that failure to comply with this commitment will result in disciplinary action. This statement is a reminder to uphold your obligation as a UF student and to be honest in all work submitted and exams taken in this course and all others.

20. Accommodation for Students with Disabilities – Students requesting classroom accommodation must first register with the Dean of Students Office. That office will provide the student with documentation that he/she must provide to the course instructor when requesting accommodation.

21. UF Counseling Services – Resources are available on-campus for students having personal problems or lacking clear career and academic goals. The resources include:

   · UF Counseling & Wellness Center, 3190 Radio Rd, 392-1575, psychological and psychiatric services.
   · Career Resource Center, Reitz Union, 392-1601, career and job search services.

22. Software Use – All faculty, staff and students of the University are required and expected to obey the laws and legal agreements governing software use. Failure to do so can lead to monetary damages and/or criminal penalties for the individual violator. Because such violations are also against University policies and rules, disciplinary action will be taken as appropriate. We, the members of the University of Florida community, pledge to uphold ourselves and our peers to the highest standards of honesty and integrity.

23. Students are expected to provide feedback on the quality of instruction in this course by completing online evaluations at https://evaluations.ufl.edu. Evaluations are typically open during the last two or three weeks of the semester, but students will be given specific times when they are open. Summary results of these assessments are available to students at https://evaluations.ufl.edu/results/.

Grading Rubric for Term Papers

Topical Requirements
   Outstanding: The paper is tightly focused on the assigned topic and highlights its significance
   Above Average: The paper is focused on the assigned topic and mentions its significance
   Average: The paper is mostly focused on the assigned topic but does not explain its significance
   Below Average: The paper is marginally related to the assigned topic
   Failing: The paper is not related to the assigned topic

Organization
   Outstanding: The paper is well organized and flows well, with segues between paragraphs and sections
   Above Average: The paper is reasonably well organized and has good flow
   Average: The paper has decent organization and some segues
   Below Average: The paper has inadequate organization and few segues
   Failing: The paper has poor organization and is very choppy

Grammar, spelling, and punctuation
   Outstanding: Grammar is correct, there are no spelling or punctuation errors
   Above Average: Grammar is mostly correct, there are no spelling or punctuation errors
   Average: Grammar is mostly correct, there are few spelling and/or punctuation errors
   Below Average: There are several grammatical errors, and there are spelling or punctuation errors
   Failing: There are significant grammatical errors, and there are many spelling and punctuation errors

Clarity
   Outstanding: The paper is clear and easy to follow; difficult concepts are well explained
   Above Average: The paper is mostly clear and easy to follow; difficult concepts are adequately explained
   Average: The paper is mostly clear and easy to follow; difficult concepts are not explained
   Below Average: The paper is sometimes unclear or hard to follow; difficult concepts are ignored or confused
   Failing: The paper is mostly unclear and hard to follow; difficult concepts are ignored or confused

Completeness
   Outstanding: The paper covers all of the relevant material
   Above Average: The paper covers all of the critical and some additional relevant material
   Average: The paper covers all of the critical material but little more
   Below Average: The paper lacks some of the critical material
   Failing: The paper lacks most or all of the critical material

Depth
   Outstanding: The paper demonstrates deep and nuanced understanding of the material
   Above Average: The paper demonstrates some depth of understanding of the material
   Average: The paper demonstrates good basic understanding of the material
   Below Average: The paper demonstrates shallow understanding of the material
   Failing: The paper demonstrates no real or incorrect understanding of the material

Rigor
   Outstanding: Mathematical models are complete and proofs of claims are correct and clear
   Above Average: Mathematical models are mostly complete and proofs of claims are correct but some are awkward or unclear
   Average: Mathematical models are mostly complete and most proofs of claims are correct but some are awkward or unclear
   Below Average: Mathematical models are mostly incomplete or missing, proofs of claims are incomplete, some are incorrect
   Failing: No mathematical models are given and there are no proofs of claims or they are incorrect

Citations
   Outstanding: Work of others is cited often and correctly
   Above Average: A fair amount of others' work is cited correctly
   Average: Some work of others is cited, mostly correctly
   Below Average: Work of others is cited infrequently or incorrectly
   Failing: No work of others is cited

References
   Outstanding: There are many relevant and correct references to prior work
   Above Average: There are many relevant and mostly correct references to prior work
   Average: There are adequate references, mostly complete and correct
   Below Average: There are few relevant references or most are incomplete or incorrect
   Failing: There are few or no relevant references, or they are incomplete or incorrect

Delivery
   Outstanding: The paper was turned in ahead of schedule
   Above Average: The paper was turned in on schedule
   Average: The paper was turned in within one day of the due date
   Below Average: The paper was turned in within a week of the due date
   Failing: The paper was turned in more than one week late

Grading Rubric for Graduate Software Projects

Meets Computational Specifications
   Outstanding: The program meets all of the computational specifications
   Above Average: The program produces the correct results and displays them correctly for almost all computational specifications
   Average: The program produces correct results for most computational specs, has a few bugs
   Below Average: The program produces incorrect results, has several bugs
   Failing: The program does not work or has many bugs

Displays Output Correctly
   Outstanding: The program displays results very clearly and intuitively, and meets all display specifications
   Above Average: The program displays results clearly and meets most of the display specifications
   Average: The program displays results clearly and meets many of the display specifications
   Below Average: The program does not display results clearly or does not meet most display specs
   Failing: The program does not display results correctly and does not meet most display specs

Readability
   Outstanding: The code is well organized and very easy to understand, with clear comments both in-line and in headers
   Above Average: The code is pretty well organized, fairly easy to read, and has good comments
   Average: The code has some organization, is a challenge to read, and has minimal comments
   Below Average: The code is readable only by someone who knows what it is supposed to do, has few comments
   Failing: The code is poorly organized and very difficult to read, with no comments

Reusability
   Outstanding: The code could be reused as a whole and each routine could be reused
   Above Average: Most of the code could be reused in other programs
   Average: Some parts of the code could be reused in other programs
   Below Average: A few parts of the code could be reused in other programs
   Failing: The code is not organized for reusability

Documentation
   Outstanding: Documentation is clear and well written, and clearly explains what the code does and how. It includes how to configure the system and how to use it correctly
   Above Average: Documentation is reasonably clear and mostly complete, and is useful in understanding the system and how to configure and use it correctly
   Average: Documentation is adequate, but not well written or thorough; configuration and user information is minimal
   Below Average: Documentation does not explain the purpose or methods well, and does not help the reader understand the program or system; configuration and user documentation is inadequate
   Failing: No separate documentation is provided

Validation and Verification
   Outstanding: Test cases are thorough and systematic, well documented; proof sketches of correctness are supplied or cited
   Above Average: Test cases are thorough and systematic, well documented with expected and actual output
   Average: Tests cover most representative cases, tests and known bugs are adequately documented
   Below Average: Test cases miss significant scenarios, and are poorly documented; bugs are poorly documented
   Failing: Test cases are absent or very few, and are poorly documented or undocumented; bugs not documented

Efficiency and Performance
   Outstanding: The code is very efficient, system meets or exceeds all performance requirements, includes performance analysis
   Above Average: The code is fairly efficient, system meets performance requirements, includes performance analysis
   Average: The code is naïve or brute force, system meets most performance requirements, includes minimal performance analysis
   Below Average: The code is brute force and unnecessarily long, system meets some performance requirements, includes no performance analysis
   Failing: The code is huge and grossly inefficient, system meets few or no performance requirements, includes no or incorrect performance analysis

References
   Outstanding: All relevant work is cited correctly
   Above Average: Most relevant work is cited correctly
   Average: Some work of others mentioned, mostly correctly
   Below Average: Relevant work is cited infrequently or incorrectly
   Failing: No relevant work is cited

Delivery
   Outstanding: The code and documentation were turned in ahead of schedule
   Above Average: The code and documentation were turned in on schedule
   Average: The code and documentation were turned in within one day of the due date
   Below Average: The code and documentation were turned in within a week of the due date
   Failing: The code and documentation were turned in more than one week late

UCC: Syllabus Checklist

All UCC1 forms and each UCC2 form that proposes a change in the course description or credit hours must include this checklist in addition to a complete syllabus. Check the box if the attached syllabus includes the indicated information.

Syllabus MUST contain the following information:

   · Instructor contact information (and TA if applicable)
   · Course objectives and/or goals
   · A weekly course schedule of topics and assignments
   · Required and recommended textbooks
   · Methods by which students will be evaluated and their grades determined
   · A statement related to class attendance, make-up exams and other work such as: “Requirements for class attendance and make-up exams, assignments, and other work in this course are consistent with university policies that can be found in the online catalog at: https://catalog.ufl.edu/ugrad/current/regulations/info/attendance.aspx.”
   · A statement related to accommodations for students with disabilities such as: “Students requesting classroom accommodation must first register with the Dean of Student Office. The Dean of Students Office will provide documentation to the student who must then provide this documentation to the instructor when requesting accommodation.”
   · Information on current UF grading policies for assigning grade points. This may be achieved by including a link to the appropriate undergraduate catalog web page: https://catalog.ufl.edu/ugrad/current/regulations/info/grades.aspx
   · A statement informing students of the online course evaluation process such as: “Students are expected to provide feedback on the quality of instruction in this course based on 10 criteria. These evaluations are conducted online at https://evaluations.ufl.edu. Evaluations are typically open during the last two or three weeks of the semester, but students will be given specific times when they are open. Summary results of these assessments are available to students at https://evaluations.ufl.edu.”

It is recommended that syllabi contain the following information:

1. Critical dates for exams and other work

2. Class demeanor expected by the professor (e.g., tardiness, cell phone usage)

3. UF’s honesty policy regarding cheating, plagiarism, etc. Suggested wording: UF students are bound by The Honor Pledge which states, “We, the members of the University of Florida community, pledge to hold ourselves and our peers to the highest standards of honor and integrity by abiding by the Honor Code. On all work submitted for credit by students at the University of Florida, the following pledge is either required or implied: “On my honor, I have neither given nor received unauthorized aid in doing this assignment.” The Honor Code (http://www.dso.ufl.edu/sccr/process/student-conduct-honor-code/) specifies a number of behaviors that are in violation of this code and the possible sanctions. Furthermore, you are obliged to report any condition that facilitates academic misconduct to appropriate personnel. If you have any questions or concerns, please consult with the instructor or TAs in this class.

4. Phone number and contact site for university counseling services and mental health services: 392-1575, http://www.counseling.ufl.edu/cwc/Default.aspx
   University Police Department: 392-1111 or 9-1-1 for emergencies.

The University’s complete Syllabus Policy can be found at: http://www.aa.ufl.edu/Data/Sites/18/media/policies/syllabi_policy.pdf

Rev. 7/13