Information Security and Privacy

Subject description

•           Introduction.

•           Key standards and organizations (ISO, ITU-T, IETF, W3C, OASIS, OMA).

•           Risk management.

•           Security mechanisms (symmetric and asymmetric algorithms, strong one-way hash functions, homomorphic cryptography), security services (principles and practical implementations of authentication, confidentiality, integrity, non-repudiation, access control, logging and alarming), public key infrastructure (time base, name space management, operational protocols), cryptography in the post-quantum era (quantum key distribution, Lamport's hash-based signature scheme), side-channel attacks and countermeasures.

•           Engineering issues related to security mechanisms.

•           Authentication, authorization and accounting (AAA) infrastructure (principles, examples of standardized solutions such as RADIUS and Diameter).

•           Security of the physical and data link layers (example protocols: WEP, WPA, WPA2 and WPA3).

•           Security of the network, transport and application layers, including the Internet of Things and clouds (example protocols and applications: IPsec, TLS, S/MIME, XMLSec, SAML, XACML, WS-*, Bitcoin and blockchains, passkeys).

•           Formal methods (taxonomy of formal methods with examples such as R. Rueppl's method and SPIN/Promela).

•           Privacy (privacy by design) with trust management and reputation management in service-oriented architectures.

•           New security paradigms: the Internet of Things and cloud computing.

•           Secure programming practices and verification (model checking).

•           Risk management in information systems from organizational and human-factor viewpoints (security policies, human factor modelling and simulation).

•           Accreditation and auditing of IS with respect to security (ISO/IEC 2700x, CISSP), standards for technical implementations of hardware and software components (Common Criteria), and standards for security management of artificial intelligence solutions.

•           Basic legislation in the area of IS security and privacy (EU directives, national implementations).

•           Conclusions.

•           Addendum: Mini practical tasks covering the latest selected technological issues.
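The topic list above names Lamport's scheme as the post-quantum example built on nothing but a strong one-way hash function. The following is an added illustration written for this page, not course material: a Lamport one-time signature over SHA-256 with 256 key pairs, plus a helper that shows the scheme's defining caveat, namely that signing two different messages with one key hands an observer preimages it can recombine. The messages are constructed sample inputs.

```python
"""Lamport one-time signature (OTS) over SHA-256.

Security rests only on the one-wayness of the hash, which is why the scheme
survives a quantum adversary (Grover's search merely halves the hash's
security level, so 256-bit SHA-256 keeps ~128-bit strength).
Added example; not code from the course or its literature."""
import hashlib
import secrets

N = 256  # digest bits = number of (sk0, sk1) preimage pairs in the key


def h(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the hash of each preimage, in the same positions."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def msg_bits(msg):
    """Hash the message and return its 256 bits, most significant bit first."""
    d = h(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]


def sign(sk, msg):
    """For digest bit i, reveal sk[i][bit]; the other preimage stays secret."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg, sig):
    """Each revealed value must hash to the public-key entry selected by the bit."""
    if len(sig) != N:
        return False
    return all(h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


def revealed_preimages(pairs):
    """Collect every (position, bit) -> preimage an observer learns from the given
    (msg, sig) pairs, all made with ONE key.  One signature exposes 256 of the
    512 preimages; a second signature on a different message exposes more."""
    known = {}
    for msg, sig in pairs:
        for i, b in enumerate(msg_bits(msg)):
            known[(i, b)] = sig[i]
    return known


def forge(known, target):
    """Assemble a signature for `target` from revealed preimages only.
    Returns None when some required preimage is still secret."""
    try:
        return [known[(i, b)] for i, b in enumerate(msg_bits(target))]
    except KeyError:
        return None


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = b"transfer 10 EUR", b"transfer 10 EUR "  # constructed sample messages
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), " tampered:", verify(pk, m2, s1))
    # Key reuse: a second signature leaks further preimages to the attacker.
    s2 = sign(sk, m2)
    known = revealed_preimages([(m1, s1), (m2, s2)])
    print(f"preimages public after 2 signatures: {len(known)} of {2 * N}")
    print("forge m1 from leaks:", forge(known, m1) == s1)
```

The operational consequence is the "one-time" in the name: a key must be discarded after a single signature, which is why practical hash-based schemes (Merkle trees, stateful and stateless variants) exist to manage many one-time keys under one public root.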

The subject is taught in programs

Objectives and competences

The goal of the course is to educate students to be able to actively provide security and privacy in contemporary information systems, whether as system administrators or as developers of new solutions.
Categorized competences:
– Developing skills in critical, analytical and synthetic thinking.
– The ability to define, understand and solve creative professional challenges in computer and information science.
– The ability of professional communication in the native language as well as a foreign language.
– Compliance with security, functional, economic and environmental principles.
– The ability to understand and apply computer and information science knowledge to other technical and relevant fields (economics, organisational science, fine arts, etc.).
– Practical knowledge and skills of computer hardware, software and information technology necessary for successful professional work in computer and information science.

Teaching and learning methods

Lectures, laboratory work (with practical prototype implementations), students’ presentations.
Attendance of laboratory work is mandatory (the exact percentage is announced at the beginning of a study year).
The lecturer may impose mandatory attendance of lectures.

Expected study results

After completing this course a student will:
– know and be familiar with principles for providing security and privacy in information systems,
– know and understand standard solutions in this area,
– be able to administer security and privacy of information systems,
– be able to develop simpler solutions in this domain,
– be qualified for internal security and privacy auditing,
– be able to define security policy.

Basic sources and literature

•           W. Stallings, Network Security Essentials, Pearson Education, 2017.

•           D. Trček, Informacijska varnost in zasebnost (Information Security and Privacy), lecture slides, FRI UL, 2023.

•           D. Trček, Information Systems Security and Privacy, Springer, New York, Heidelberg, 2006.

University of Ljubljana, Faculty of Electrical Engineering Tržaška cesta 25, 1000 Ljubljana

E:  dekanat@fe.uni-lj.si T:  01 4768 411