T. Andrew Yang

Email: yang@uhcl.edu

Web page:  http://sce.uhcl.edu/yang/

Tel.: (281) 283-3835

Last updated: 03/2008

CSCI 5234 Web Security


Spring 2008  (1/14 - 4/28 + final)

 

Lecture Notes & Schedule
- Print and bring the lecture notes to the class.

Assignments / Projects
Office Hours

Important!  To be accepted into the discussion group, make sure you use your full name as your Yahoo ID.


Time (Classroom):

Tues. & Thur. 10-11:20pm  (Delta237)

Prerequisite:   Web Applications Development (csci/cinf4230) and Computer Security (csci/cinf4233 or csci5233), or instructor's approval.
Note: If you do not have one of the prerequisites, you MUST talk to the instructor.  It is assumed that students enrolled in this class are already familiar with fundamental topics such as cryptography (symmetric vs. asymmetric encryption/decryption), cryptographic algorithms and mechanisms (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web application development.

Course Objectives:    The primary objective of this course is to study and practice fundamental techniques for developing secure web-based applications, including the vulnerabilities of web-based applications and how to protect those applications from attacks. In addition, advanced Web-related topics, such as e-commerce security, Web 2.0, and collaborative web-based applications, will also be studied. Students are encouraged to complete a publishable research paper on one of the related topics.

Class Format:  Lectures are combined with discussions and, if applicable, presentations and discussions of advanced topics.  Students are expected to be active participants in this class, by studying the relevant chapters and/or research papers and by participating actively in in-class and online discussions. Programming projects employing the various security techniques and the n-tier web-based architecture are part of the course.  Students are also expected to carry out a research project on a topic related to Internet security, and to present the project both in writing and orally.


Instructor:   Dr. T. A. Yang 

  • (office) Delta 106
  • Office hours (NOTE: If the suite office is locked, you may use the phone outside the office to call me, by entering the extension 3835).

You are highly encouraged to send your questions to me by e-mail or by posting them on the discussion board. You are, however, responsible for describing the problem(s) you have encountered, the solution(s) you have tried, and the outcome you obtained from those solution(s).

  • (phone#) (281) 283-3835 (Please leave a message if not available.)
  • (email address) yang@uhcl.edu (Note: Emails without a proper subject line and your full name will be discarded.   Here is a sample subject line: "CSCI 5234 project #1, question 1".)
  • (web site)  http://sce.uhcl.edu/yang/

Teaching Assistant:

Name: TBA

Location: PC LAB / NT LAB

Office Hours:


Textbooks:

Required

O: Oppliger, Rolf. Security Technologies for the World Wide Web, Second Edition. Artech House Publishers. 2003. (ISBN: 1580533485).

Recommended


GS: Garms, Jess and Daniel Somerfield. Professional Java Security. Wrox. 2001.  (ISBN: 1861004257)
Note: You may purchase an electronic copy of the Java Security book from its current owner, APress.com, or look for a used copy through the Amazon.com used book sale.

+ Instructor's handout in the class and/or on the Web

Supplemental Materials:

  • SSH:
    • SSH (or Secure SHell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine ...
  • RFCs related to HTTP:
  • RFCs related to TLS:
  • Other Related RFCs:
  • News articles:

Topics, Notes & Schedule

(Columns: week (dates) / Topics (chapter) / Due dates)

Week 1 (1/15, 17)
Topics: Syllabus, projects, presentations, etc.
  Overview of N-tier web applications
  Introduction to the Internet, WWW, and security (O: Ch 1)
  List of sample projects: discussion/selection of projects
Due: 1/15: All have joined the discussion group (see above).
  1/17: Project team is formed.

Week 2 (1/22, 24)
Topics: On-line shopping & payment systems
  HTTP Security (O: Ch 2), IIS security
Due: 1/22: Team project title and team membership (via email to yang@uhcl.edu).

Week 3 (1/29, 31)
Topics: Proxy Servers, Firewalls, NAT (O: Ch 3)
  + Firewalls (an older set of slides)
  + PIX firewall configuration
  + Design of Distributed Computer Security Lab, Journal of Computing Sciences in Colleges, 20(1), 10/2004.
  + Network Security Development Process (a working draft)

Week 4 (2/5, 7)
Topics: Internet Security Protocols (O: Ch 5, slides 75-100)
  + IP security (slides from the Stallings book)
Due: 2/7: Assignment 1

Week 5 (2/12, 14)
Topics: SSL & TLS Protocols (O: Ch 6, slides 101-114)
  + SSL (GS: Ch. 9)
  + A case study of SSL and the man-in-the-middle attack (or local copy)
  + Man-in-the-middle attack as explained on Wikipedia, the free encyclopedia
  + Internet Explorer SSL Vulnerability (08/05/02)
Due: 2/12: Preliminary design (ER model, UML class diagrams) of Project 1 (publish it on the class discussion board before class)
  2/14: Abstract of the research project (publish it on the class discussion board)

Week 6 (2/19, 21)
Topics: Certificates for the WWW (O: Ch 7, slides 115-135)
  + Ten Risks of PKI (by Ellison and Schneier, local copy)

Week 7 (2/26, 28)
Topics: Demonstration of Project 1
  NOTE: Each team's PowerPoint slides must be sent to me 24 hours before the presentation.
  A Web-based Front End for Controlling a Wireless Sensor Network Lab
Due: 2/28: Project 1 demo (20 minutes per project team)

Week 8 (3/4, 6)
Topics: Midterm
  Discussion of Project 2
Due: 3/4: Midterm exam

Week 9 (3/11, 13)
Topics: Securing a Database (GS: Ch. 10)
  + Supplemental notes: TunnelServer.doc (for Oracle)
  + Tunnel Server Tutorial for MySQL
  + Oracle Roadmap: JDBC
  + Two sample applications using Oracle JDBC drivers: a) secure thin JDBC; b) secure OCI JDBC (thick client)
Due: 3/13: Design of Project 2 (SSL sessions)

Week 10 (3/18, 20)
Spring break
(Last day to drop a class: 3/24)

Week 11 (3/25, 27)
Topics: Electronic Payment Systems (O: Ch 9, slides 150-159)
  + VeriSign's technical brief "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services" + questions & answers
  + Electronic money (at Wikipedia.org)
  Server-side security (O: Ch 11, slides 189-216)
Due: 3/25: Assignment 2

Week 12 (4/1, 3)
Topics: Client-side security (O: Ch 10, slides 160-188)
  Securing Large Applications (GS: Ch. 11)

Week 13 (4/8, 10)
Topics: Privacy Protection & Anonymity Services (O: Ch 12, slides 216-233)
  + privacy anonymity.ppt
  + Sample Privacy.net analysis
  + Privacy Analysis of your Internet Connection - How it works
  Intellectual Property Protection (O: Ch 13, slides 234-246)
Due: 4/8: Project 2

Week 14 (4/15, 17)
Topics: Censorship on the WWW (O: Ch 14, slides 247-255)
Due: 4/17: Research project DRAFT (publish it on the class discussion board)

Week 15 (4/22, 24)
Topics: Risk Management (O: Ch 15, slides 256-261)

Week 16 (4/29)
Topics: Research project presentations
Due: 4/29: Research project
  - oral report: in class
  - written report: send to yang@uhcl.edu


Computer Labs & Hours

The NT Lab (Delta 119) is equipped with computers that have been properly configured to run Java applications requiring JCE and JDK.

 

Check http://sce.uhcl.edu/computing.asp for lab information, open hours, FAQs, etc.

Evaluation:

category                                              percentage
assignments                                           10%
projects                                              20%
presentations                                         10%
tests                                                 20%
participation (in class and in the discussion board)  10%
research paper                                        30%

NOTE:  The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.

Grading Scale:

Percentage      Grade
93% or above    A
90% - 92%       A-
87% - 89%       B+
84% - 86%       B
80% - 83%       B-
77% - 79%       C+
74% - 76%       C
70% - 73%       C-
60% - 69%       D
59% or below    F

Tests:

Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests. 

Assignments/Projects and Late Penalty:

Assignments and projects will be posted on the class web site. Assignments and projects are due before the beginning of class on the due date.  See Topics, Notes & Schedule for the due dates.

Points will be deducted from late assignments: 20% for the first 24 hours after the due time, 40% for the next 24 hours, 70% for the third 24 hours, and 100% after that. No extension will be granted except for a documented emergency.   Starting to work on the assignments as early as possible is always the best strategy.

NOTE: Unless otherwise specified, all assignments and projects are individual work.  Students should take caution not to violate the academic honesty policies.  See http://b3308-adm.uhcl.edu/PolicyProcedures/Policy.html for details of the University policies.

Assignments/Projects Guidelines:

  • Identification page: All assignments must have your name, and course name/number/section number (e.g., CSCI234-01 or CSCI5333-03) at the top of the first page.
  • Proper stapling:  Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.
  • Order! Order!  Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.
  • Word  processing:  It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments.
  • Check the spelling and the grammar of the whole document before handing it in. You may lose points for spelling or grammatical errors.
  • Use proper commenting and structure in your programs.

Projects:

The projects involve the design and implementation of a secure N-tier web-based application in Java, using the various technologies covered in class.  Students are expected to apply the theories and techniques learned in the class to design and implement the system.


Attendance Policy:

You are expected to attend all classes. If you ever miss a class, it is your responsibility to get hold of whatever may have been discussed in that class.

Instructor's Notes:

  • Except in the case of an unexpected, documented emergency, no make-up exams will be given.  No make-up exams will be granted once the exams have been graded and returned to the class.
  • Important:   If you think you have lost points due to grading errors, make sure you approach the instructor within a week after the assignment, project, or test is returned to you.
  • To get the most out of this class, you need to read the textbooks and spend time using computers regularly.  Prepare for each class by previewing the material to be covered in that class, and participate in discussions and problem-solving exercises, if applicable, in the class.
  • Due to the intensive nature of graduate classes, 15-20 hours per week are expected of students for studying the textbook/notes and working on the assignments, in addition to class attendance.   Expect to spend more hours during summer sessions.
