6.857 | Spring 2014 | Graduate

Network and Computer Security


Some assignments do not have solutions or supporting files.

| ASSIGNMENTS | SAMPLE SOLUTIONS | SUPPORTING FILES |
| --- | --- | --- |
| Problem Set 1 (PDF) | Problem 1: Solution (PDF); Problem 2: Solution (PDF); Problem 3: | Ciphertexts (TXT); OTP-Feedback (PY); Plot of English Run Lengths (PNG) |
| Problem Set 2 (PDF) | Problem 1: Solution (PDF); Problem 2: No Solutions; Problem 3: Solution (PDF) | Hashes (TXT) |
| Problem Set 3 (PDF) | Problem 1: No Solutions; Problem 2: Solution (PDF); Problem 3: Solution (PDF) | kalns (PY); GF16 Table (TXT) |
| Problem Set 4 (PDF) | No Solutions | No Supporting Files |
| Problem Set 5 (PDF) | No Solutions | No Supporting Files |

| SES # | TOPICS | KEY DATES |
| --- | --- | --- |
| 1 | Introduction | |
| 2 | Security Mechanisms and Principles | Problem set 1 Out |
| 3 | Encryption, Perfect Secrecy, One-Time Pad | |
| 4 | Cryptographic Hash Functions | |
| 5 | Hashing Applications and Constructions | |
| 6 | Bitcoin | Problem set 1 Due, Problem set 2 Out |
| 7 | Secret Sharing | |
| 8 | Block Ciphers | |
| 9 | Block Cipher Modes | |
| 10 | Message Authentication Codes | Problem set 2 Due, Project Ideas Due, Problem set 3 Out |
| 11 | Prime Finding and other “Crypto” Math | |
| 12 | Diffie-Hellman Key Exchange and Crypto Groups | |
| 13 | Pedersen Commitment, PK Encryption, DDH | Project Draft Due |
| 14 | Malleability of El Gamal, IND-CCA2 | Problem set 3 Due, Problem set 4 Out |
| 15 | Digital Signatures | |
| 16 | DSA, Gap Groups | Project Progress Review |
| 17 | Gap Groups, Bilinear Maps, and Applications | |
| 18 | Zero-Knowledge Proofs | Problem set 4 Due |
| 19 | No Lecture (Quiz) | Quiz |
| 20 | Security of Voting | Problem set 5 Out, Project Progress Review |
| 21 | Security of Voting (cont.) | |
| 22 | Project Presentations | |
| 23 | Project Presentations (cont.) | Problem set 5 Due |
| 24 | Project Presentations (cont.) | |
| 25 | Project Presentations (cont.) | |
| 26 | No Class | Final Project Due |

[Katz and Lindell] = Katz, Jonathan, and Yehuda Lindell. Introduction to Modern Cryptography. Chapman and Hall / CRC, 2007. ISBN: 9781584885511. [Preview with Google Books]

Some lectures do not have readings or handouts. Sessions after Session 18 are devoted to the quiz and project presentations.

| SES # | LECTURE TOPICS AND NOTES | READINGS AND HANDOUTS |
| --- | --- | --- |
| 1 | Course Introduction (PDF) | |
| 2 | Security Mechanisms and Principles (PDF) | Juels, Ari, and Ronald Rivest. “Honeywords: Making Password-Cracking Detectable.” ACM CCS (2013): 145–60. |
| 3 | Encryption, Perfect Secrecy, One-Time Pad (PDF - 1.6MB) | [Katz and Lindell] Chapters 1, 2, and 3. |
| 4 | Cryptographic Hash Functions (PDF - 1.6MB) | Avgerinos, Thanassis, Sang Kil Cha, et al. “Automatic Exploit Generation.” Communications of the ACM 57, no. 2 (2014): 74–84. |
| | | Hess, Austin. “Student Innovators May Get New Legal Resource.” The Tech 134, no. 5 (2014). |
| 5 | Hashing Applications and Constructions (PDF - 1.7MB) | Rivest, Ronald L., and Adi Shamir. “PayWord and MicroMint: Two Simple Micropayment Schemes.” (PDF) MIT Laboratory for Computer Science, 2001. |
| 6 | Bitcoin (PDF) | |
| 7 | Secret Sharing (PDF - 2.2MB) | (Only read the section on secret sharing) |
| 8 | Block Ciphers (PDF - 2.8MB) | |
| 9 | Block Cipher Modes (PDF - 5.2MB) | Desai, Anand. “New Paradigms for Constructing Symmetric Encryption Schemes Secure Against Chosen-Ciphertext Attack.” Advances in Cryptography 1880 (2000): 394–412. (University of California at San Diego.) |
| 10 | Message Authentication Codes (PDF - 6.7MB) | Bellare, M., P. Rogaway, et al. “The EAX Mode of Operation.” Fast Software Encryption 3017 (2004): 389–407. |
| 11 | Prime Finding and other “Crypto” Math (PDF - 8.1MB) | Cao, Zhengjun. “A Note On the Storage Requirement for AKS Primality Testing Algorithm.” (PDF) Shanghai University. |
| 12 | Diffie-Hellman Key Exchange and Crypto Groups (PDF - 7.6MB) | |
| 13 | Pedersen Commitment, PK Encryption, DDH (PDF - 8.4MB) | Paar, Christof, and Jan Pelzl. Chapters 6, 7, and 8 in Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2011. ISBN: 9783642041006. [Preview with Google Books] |
| | | [Katz and Lindell] Chapter 10. |
| 14 | Malleability of El Gamal, IND-CCA2 (PDF - 8.1MB) | Diffie, Whitfield, and Martin E. Hellman. “New Directions in Cryptography.” IEEE Transactions on Information Theory 22, no. 6 (1976): 644–54. |
| | | Boneh, Dan. “Twenty Years of Attacks on the RSA Cryptosystem.” (PDF) Notices of the AMS 42, no. 2 (1999): 203–13. |
| 15 | Digital Signatures (PDF - 8.4MB) | |
| 16 | DSA, Gap Groups (PDF - 3.0MB) | Project Progress Review |
| 17 | Gap Groups, Bilinear Maps, and Applications (PDF - 5.2MB) | Dutta, R., R. Barua, et al. “Pairing-Based Cryptographic Protocols: A Survey.” Cryptology ePrint Archive: Report 2004 / 064. |
| | | The Pairing-Based Crypto Lounge. |
| 18 | Zero-Knowledge Proofs (PDF - 4.0MB) | Goldreich, Oded. “A Short Tutorial of Zero-Knowledge.” Weizmann Institute of Science, 2010. |
| | | Cryptographic and Physical Zero-Knowledge Proof Systems for Solutions of Sudoku Puzzles. |

Important Dates for the Project

By Lecture 10 – Every student must individually post one (or more) project ideas. This is a way for students to learn about what other students are interested in and find teammates. If you have more than one idea or interest, feel free to post all of your ideas, but please use different posts with different headers. Submit a one-page project idea. Your ideas can be from the project ideas we post or they can be new ideas. Feel free to choose your teammates as you wish. We expect groups to be three or four students.

By Lecture 13 – Turn in team composition and a multi-page project draft and bibliography.

Week of Lecture 16 – During this week, each project group will meet with the TA to review their progress.

Week of Lecture 20 – During this week, each project group will again meet with the TA to review their progress.

Lectures 22-25 – Groups will present short talks on their projects in class.

Lecture 26 (last class) – Written projects are due.

Project Ideas

You should also check out the references page, in particular online proceedings from the linked conferences, for inspiration.

Another source of ideas for your final project might be Phillip Hallam-Baker’s new book, The dotCrime Manifesto.

Topics from Previous Years

This list has gotten a bit long over the past few years. For now, take a look at the project pitches from 2010 and a list of projects from 2009 and before.

Hints for Writing Your Paper and Giving Your Talk

This Year’s Projects

  • Hacking Wireless
  • Preventing Covert Webcam Hacking in the Civilian and Governmental Sectors
  • Designing a Secure Biometric Identification System for Israel
  • Covert Acoustic Channels: Improving Range, Accuracy, and Undetectability
  • Covert Surveillance on PC and Android
  • Distributed Settlers of Catan
  • Tweetnet: Finding the Bots in the Flock
  • Pebble Smartwatch Security Assessment
  • Computational Security and the Economics of Password Hacking
  • Detecting Subversion on Twitter
  • Security Overview of QR Codes
  • Security Research of a Social Payment App
  • Blackbox: Distributed Peer-to-Peer File Storage and Backup
  • Narwhal: An Implementation of Zero Knowledge Authentication
  • Two Factor Zero Knowledge Proof Authentication System
  • Security Analysis of Wearable Fitness Devices (Fitbit)
  • IV = 0 Security: Cryptographic Misuse of Libraries
  • CertCoin: A NameCoin Based Decentralized Authentication System
  • Computing on Encrypted Data
  • Security in Client-Server Android Apps
  • Keys Under the Welcome Mat
  • Unsafe and Unsound: Cryptoanalysis of Leaky Acoustic Signals
  • SendSecure
  • Speedy: A Sybil-resistant DHT Implementation

For more information about these projects, please visit the 2014 6.857 class site.

Security Books

There are three recommended textbooks (not required!) for this course. In addition, we have a number of other suggestions collected over previous years.

  • Katz, Jonathan, and Yehuda Lindell. Introduction to Modern Cryptography. Chapman and Hall / CRC, 2007. ISBN: 9781584885511. [Preview with Google Books]
  • Ferguson, Niels, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering: Design Principles and Practical Applications. Wiley, 2010. ISBN: 9780470474242.
  • Paar, Christof, and Jan Pelzl. Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2011. ISBN: 9783642041006. [Preview with Google Books]

Other Suggested Textbooks

  • Stamp, Mark. Information Security: Principles and Practice. John Wiley & Sons, 2011. ISBN: 9780470626399. [Preview with Google Books]
  • Menezes, Alfred, Paul van Oorschot, and Scott Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. ISBN: 9780849385230. [Preview with Google Books]
    This is a very comprehensive book. The best part is that you can download this book online! The hardcopy is very convenient though.
  • Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. 2nd ed. John Wiley & Sons, 1996. ISBN: 9780471117094. 
    This is the best book to read for an introduction to applied security and cryptography. There is much less math than the book by Menezes et al. Sometimes statements are made without much justification, but no other book even compares to this comprehensive introduction to cryptography. The bibliography alone is worth buying the book.
  • Paar, Christof, and Jan Pelzl. Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2011. ISBN: 9783642041006. [Preview with Google Books]
  • Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, 2001. ISBN: 9780471389224. 
    An excellent book on security in real world systems.
  • Stinson, Douglas. Cryptography: Theory and Practice. Chapman and Hall / CRC, 2005. ISBN: 9781584885085. [Preview with Google Books]
    This used to be required for 6.875, the theory of cryptography class at MIT.
  • Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, 2004. ISBN: 9780471253112. [Preview with Google Books]
    Schneier used to advocate good cryptography as the solution to security problems. He has since changed his mind. Now he talks about risk management and cost-benefit analysis.
  • Rescorla, Eric. SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, 2001. 
    The only book you need to read to learn about the evolution, politics, and bugs in the development of SSL. Eric’s a swell guy too; buy his book.
  • Neumann, Peter. Computer Related Risks. Addison-Wesley Professional, 1994. ISBN: 9780201558050. [Preview with Google Books]
    Power grid failures. Train collisions. Primary and backup power lines blowing up simultaneously. These events aren’t supposed to happen! Neumann offers a plethora of stories about the risks and consequences of technology, gathered from his Risks mailing list. On a side note, Neumann is also responsible for coming up with the pun/name “Unix.”
  • Nielsen, Jakob. Usability Engineering. Morgan Kaufmann, 1993. ISBN: 9780125184069. [Preview with Google Books]
    There are a lot of non-intuitive GUIs out there for security products. Anyone making a security product for use by humans should learn about the principles of smart GUIs.
  • Kaufman, Charlie, Radia Perlman, and Mike Speciner. Network Security: Private Communication in a Public World. 2nd ed. Prentice Hall, 2002. ISBN: 9780130460196. [Preview with Google Books]
    The authors discuss network security from a very applied approach. There is a lot of discussion about real systems, all the way down to the IETF RFCs and the on-the-wire bit representations. The authors also have a fun, informal style.
  • Garfinkel, Simson, and Gene Spafford. Web Security, Privacy & Commerce. O’Reilly Media, 2001. ISBN: 9780596000455. [Preview with Google Books]
    It’s hard to keep up with all the security software out there. But these authors do a good job documenting it all. Garfinkel was an undergraduate and PhD student at MIT.
  • Kahn, David. Codebreakers. Signet, 1973. ISBN: 9780451089670.
  • Hallam-Baker, Phillip. The dotCrime Manifesto: How to Stop Internet Crime. Addison-Wesley, 2007. [Preview with Google Books]
  • Smart, Nigel. Cryptography: An Introduction. 3rd ed. Mcgraw-Hill College, 2004. ISBN: 9780077099879.
  • Yan, Song Y., and Martin E. Hellman. Number Theory for Computing. Springer, 2002. ISBN: 9783540430728. [Preview with Google Books]
  • Angluin, Dana. Lecture Notes on the Complexity of Some Problems in Number Theory. Yale University, 1982. 
    Chapters 3–10 provide relevant number theory for the class.

Security Conferences

Papers

Most of the reading material in 6.857 comes from conferences on computer and network security. Here is a list of the papers we hope to discuss; we won’t have time for everything. Send us a note if you see a paper that greatly interests you.

Miscellaneous

  • CSAIL Security Seminar: Attend the seminar talks if you are interested in current security research.
  • The 6.033 textbook, particularly the chapter on Information security (PDF).
  • IEEE CIPHER newsletter
  • Schneier’s CRYPTOGRAM
  • comp.risks archive via UseNet contains the latest few issues; it can also be browsed via Discuss.
  • sci.crypt archive via UseNet contains discussion of cryptography. A lot of the stuff is questions by people unfamiliar with the topic or just starting out, but there are sometimes useful postings in there too.
  • Ron Rivest’s Cryptography Page has lots of links.
  • CERT is responsible for helping disseminate information on security problems with computer systems.
  • Phrack is an electronic publication aimed at electronic hackers; read and enjoy, but don’t abuse.
  • alt.2600 is yet another hacker publication, which also has a splufty web page.

Course Meeting Times

Lectures: 2 sessions / week, 1.5 hours / session

Recitations: 1 session / week, 1.5 hours / session

Prerequisites

The prerequisites for the course are 6.033 Computer System Engineering and 6.042J Mathematics for Computer Science. It is recommended that students have had 6.006 Introduction to Algorithms or 6.046J Design and Analysis of Algorithms and experience with modular arithmetic.

Description

6.857 Network and Computer Security is a 12-unit (3-0-9) H-level course intended primarily for seniors and first-year graduate students. It fits within the Computer Systems Concentration. Graduate students will receive H-credit for this class.

Textbook

There is no required textbook for this course; lecture notes will be provided. A list of recommended books is available on the Related Resources page; that page also lists other references you may find useful.

Groups

6.857 Network and Computer Security is a group-oriented course. Students will work in groups on both homeworks and the final project. It is not expected that your project group will be the same as your homework group(s), although that is perfectly fine.

The final project team should be determined by Lecture 10. To keep groups running smoothly, students should ensure that their fellow members are actively participating and should communicate regularly.

Homework

We will distribute five problem sets on a biweekly basis.

Homework should be submitted in PDF format. For homework involving non-trivial mathematics, students are strongly encouraged to use LaTeX to typeset their answers. Homework that is difficult for the graders to read will lose points.

Late homework will not be accepted. If in doubt, turn your problem set in early. Solutions will be distributed with corrected homework, hopefully within a week of being collected.

Generally, homework must be done in groups (although we reserve the right to require individual homework assignments). You are to work on group problem sets and final projects in groups of (preferably) three or four. Each group will turn in one problem set, and one grade will be given for each problem set. You must work in groups; homeworks turned in by individuals, pairs, pentuples, etc. will not be accepted.

Be sure that you understand and approve the solutions turned in to each problem. As noted above, the staff will establish the initial organization into groups for the first three problem sets, but you may organize your own groups for the later homeworks and for the final project.

We may occasionally assign homework that you must answer individually; see “Collaboration and Plagiarism” for the policy governing these assignments.

Tests

We will have one in-class quiz (Lecture 19). The quiz will test your knowledge of material from lectures, problem sets, and readings. There is no final exam.

Final Project

Students will be responsible for a final project. You must work in a group of three or four people. The nature and the topic of the project are your choice, although they need the approval of the teaching staff. We will generally approve interesting topics about cryptography, network security, and / or computer security.

It is advisable to get started early; we will gladly accept proposals before the deadline. Early submission gives us a chance to review and approve your project proposal, and to suggest references that you may have overlooked.

Grading

| ACTIVITIES | PERCENTAGES |
| --- | --- |
| Problem Sets | 40% |
| Quizzes | 20% |
| Final Project | 40% |

Collaboration and Plagiarism

No collaboration is permitted on the in-class quiz. All tests are open book and open notes, but closed electronic devices. We encourage you, however, to prepare for the quiz by discussing course material with your classmates.

You may collaborate with individuals from other groups in problem sets, but your solutions must be written up only by individuals from your group. For individual homework assignments (if any), you may discuss the problem set material with others. You must, however, write up your solutions independently.

If you do collaborate, acknowledge your collaborators in the write-up for each problem. If you obtain a solution with help (e.g., through library work or a friend), acknowledge your source and write up the solutions on your own. In most of your solutions, we will expect to see citations.

You may use any reference material to complete your homework assignments, including material on the Internet and material from previous years. However, we cannot emphasize enough that you must cite all your sources properly.

You must remove any possibility of someone else’s work being misconstrued as yours. Plagiarism and other anti-intellectual behavior will be dealt with severely.

Ethics

This is a course on Network and Computer Security. Although the course is primarily concerned with techniques that are designed to increase the security of networks and computer systems, a proper understanding of those systems requires that you be versed in their vulnerabilities and failings as well.

Nevertheless, unless you have explicit written authorization from the owner and operators of a computer network or system, you should never attempt to penetrate that system or adversely affect that system’s operation. Such actions are a violation of MIT policy and, in some cases, violations of State and Federal law. Likewise, you should refrain from writing computer viruses, worms, self-reproducing code, or other kinds of potentially damaging software for this course unless you have explicit, written approval for the specific type of software that you wish to create. These kinds of programs are notoriously difficult to control and their release (intentional or otherwise) can result in substantial civil and criminal penalties.

In particular, term projects involving an evaluation of security of existing commercial products or systems need the approval of the course staff, who may require that you obtain permission from the vendor / supplier (depending on the nature of your proposed evaluation).

We strongly recommend that you consult the Athena Rules of Use and Section 13.2 of the MIT Policies and Procedures “Policy on the Use of Information Technology”.

Finally, we recommend that you read and review the ACM Code of Ethics and Professional Conduct.

We expect all students in this class to follow the guidelines presented in this document, and in the documents just cited. If you are in doubt about the legality or ethics of any activity related to this course, please consult the staff before undertaking any such activity.

Course Info

As Taught In: Spring 2014

Learning Resource Types: Problem Sets with Solutions, Lecture Notes, Projects, Programming Assignments