Lecture Course "Data Security and Cryptology"
 

General Information

 


Lecture Materials (PPTs, both in English and Estonian)

  1. Introduction. Essence of Data Security. Data security, its essence and importance in contemporary information systems and in the world as a whole. Availability, integrity and confidentiality, their importance in different information systems and in the protection of IT assets. Standard model of security harming. Economic side of data security. Practical solving of security problems. Time: September 4th. PPT slides of lectures. Echo from videolecture.
  2. Common Ways to Secure Digital Data. Security Threats, Classification. Main differences between the typical ways of achieving availability, integrity and confidentiality for paper-based and digital data. Importance of cryptography. Classification of threats, spontaneous threats and attacks. Environmental threats, human and technical failures. Attack sources, channels and methods, an overview of them. Time: September 11th. PPT slides of lectures. Echo from videolecture.
  3. Vulnerabilities of Information Assets. Applicable Security Measures. Classification of vulnerabilities, their co-operability with threats. Different types of classification of safeguards. Preventive, identifying and reconstructable safeguards, their sub-types. Organisational, physical and IT-related safeguards. Classification of safeguards in different standards. Time: September 18th. PPT slides of lectures. Echo from videolecture.
  4. Risk Management and its Methodology. Main goal of risk management. Four different practical risk management methods: detailed risk analysis, baseline approach, mixed approach and informal approach. Their comparison. Quantitative and qualitative risk analysis, their assumptions and the methods used. BSI and ISKE as practical examples of risk management. Time: September 25th. PPT slides of lectures. Echo from videolecture.
  5. Traditional (Pre-Computer) Cryptography. Differences between contemporary and classical cryptography. Traditional cryptography as a "hidden word", i.e. as a tool for confidentiality. Substitution and permutation ciphers. Most widespread ciphers (algorithms). The end of classical cryptography and the reasons for it. Transition into contemporary cryptology. Time: October 2nd. PPT slides of lectures. Echo from videolecture.
  6. Basics of Contemporary Cryptography. Main concepts, the role of a key in algorithms. Cryptography and cryptanalysis. Symmetric and asymmetric cryptoalgorithms, cryptographic message digests, their usage. Exhaustive search, cryptanalytic (breaking) methods. Practical and theoretical security, ways to achieve practical security. Time: October 9th. PPT slides of lectures. Echo from videolecture.
  7. Symmetric Cryptoalgorithms. AES. Block and stream ciphers. Main indicators of a block cipher. Modes of a block cipher, cipher block chaining mode as the most widespread mode. Running a block cipher as a stream cipher, secure erasing. The story of AES, its usage. Technical description of AES, possible attacks against AES. Realizations of AES. A hypothetical breaking machine. Time: October 16th. PPT slides of lectures. Echo from videolecture.
  8. Other Symmetric Cryptoalgorithms. IDEA. Skipjack. Blowfish. RC4. Their technical descriptions, practical usage, breaking (cryptanalytic) possibilities. DES as a retrospective view of history, which gave us some classical concepts and structures. Properties of 3DES. Time: October 23rd. PPT slides of lectures.
  9. Asymmetric Cryptoalgorithms. RSA. Principle of asymmetric and public-key encryption. RSA. Mathematically generated keypair, one-way relation between public and private keys. Infeasible problems, introduction to computational complexity. Factorization and discrete logarithms as typical infeasible problems. Mathematical description of RSA, key generation and modular arithmetic. Cryptanalysis of RSA. Practical realisations, collaboration with symmetric algorithms.
  10. Hash Functions. Cryptoprotocols, TLS. Theoretical background of hash functions, collisions, pseudo-collisions, one-way functions. SHA-1 and RIPEMD-160. SHA-2 and higher RIPEMD members for enhanced security. The insecure MD family as a retrospective view. MAC. Cryptographic protocols. TLS as a successor of SSL, its description and usage. Necessity for certificates.
  11. Digital Signature, its Infrastructure and Usage in Estonia. Document, the evidentiary value of a document. Technical and legal digital signatures. The role of the public-key algorithm, requirements for both public and private keys. Private key as a chip. Certificate, CAs, time-stamp authorities. Validity of approval, PKI. Estonian Digital Signature Act and digital signature practices.
  12. Digital Signature as a Tool for Digital Record Management. Digital Archiving. Advantages and disadvantages of the digital signature in comparison with handwritten signatures and paper documents. Recommendations for main processes. Security aspects of digital record management. Original and copy of a document. Data carrier problem, data format problem and evidentiary value problem. Oversigning. Copies of digital and paper documents.
  13. Database Security. Network Security. Basics of relational database security. Integrity versus accountability. Queue of hashes. Encryption, the need for an HSM. Firewall, secure remote access. VPN, cryptowalls.
  14. Security Management (Organizational Security). Typical phases of security management. Security policy, its structure and aim. Security forum and officer. Risk management process, basis for choosing different methods. Security plan. Security awareness programme. Follow-up activities.
  15. Legal Control of Data Security. Protection of Personal Data. Estonian Public Information Act. Chief and authorized processors, their definitions. A legal database, State Information System, X-road. Protection of personal data, corresponding European regulations. Estonian national Personal Data Protection Act. Personal data, sensitive personal data. Principles of processing, registration process, mandatory safeguards. Comparison with ISKE.


The materials of the lecture course held in autumn 2012 are available at http://www.itcollege.ee/~valdo/turve/2012/ (in English). The materials of the lecture course held in autumn 2011 in Estonian are available at http://www.itcollege.ee/~valdo/turve/2011/ .


 

Laboratory work materials

·         1st lab - German BSI baseline security standard IT Grundschutz. German version 2009 (web version), English version 2005 (PDF)

·         2nd lab - Estonian public sector  IT security standard ISKE

·         3rd lab - other general (international) IT security standards - ITSEC, TCSEC, Common Criteria, Australian ACSI33. 

 

 


 

Independent work

·         Referative work, description is here (in Estonian). Deadline for the referative work: 14th week, Wednesday (day of lecture)

·         Homework no 1 (3rd lab)

 


 

Grading (exam / test)

Grading: the grade (mark) will be determined by the result of the final test. The test contains 70 multiple-choice questions.

NB! To be admitted to the final test, the independent work and the practice works (which will be given on an ongoing basis) must be done and passed (marked).


 

Contact

Valdo Praust
ph. +372 514 3262
email: valdo.praust@gmail.com