Computer and Network Security
CS594            Paper

1. abstract
2. introduction -- background information, literature search, scope and limitations of project
3. body -- methods used
4. analysis and conclusions
5. recommenations -- future work, unsolved problems
6. references -- journals, WWW references

The paper counts as 20% of the final grade and will be graded on quality of research, quality of presentation, and strength of references. Original research counts more than a critical review which counts more than a mere survey paper. Actually implementing and testing things counts more than reporting on someone else's experiments/results.

A list of possible topics follow, but you may suggest your own. A good topic would be one where you could contrast various solutions to a common problem. Due to the class size, it is expected that more than one student may pick the same topic. It is expected that each student will work alone on their project. The instructor must approve your topic.

Project milestones

• submit project title: 10/13/06
• project outline due: 11/3/06
• project due: 12/1/06

Possible projects

• trust analysis: PGP web of trust vs. trust hierarchy
• techniques for generating crypto random numbers and survey of what various crtypo packages use to generate random numbers
• NSA's FORTEZZA card and key escrow issues
• security features of various software packages: data bases, OS's (Windows XP, Mac OS X, Plan 9,...) or various free UNIX: linux, freebsd,openbsd
• schemes for (auto) patching OS ( Windows, RedHat, MAC, Solaris)
• fuzz testing network protocols
• Bent functions in crypto
• design of S boxes
• vulnerabilities revealed by traffic analysis
• secure OS technologies (EROS, TMACH, CMWs)
• secure linux (bastille, others?), OpenBSD
• securing Windows XP ( or UNIX)
• computer architectures for security
• digital steganography (ascii text, mail headers, ps, html)
• digital watermarks and copyrights
• vulnerabilities of Java, javascript, ActiveX, Flash
• Java security and crypto services
• applets or interactive web thingees to illustrate/teach crypto concepts (S-DES, LFSR, poly arithmetic mod irreducible,...)
• techniques/algorithms for hi-speed crypto (parallel)
• DNS security
• detecting sniffers
• disk encryption products/algorithms (EFS, MAC, cfs, scramdisk, ppdd, tcfs, ...) hardware-based
• immutable/append-only file systems
• stego file systems
• forensic hardware and software
• voice over IP vulnerabilities
• RFID vulnerabilities
• evaluation of safe string libraries
• evaluation of Cyclone, safer C
• Public-key for authentication: ssh, globus, kerberos, safetp
• cryptographic hashes (e.g. compare Panama to MD5, SHA)
• backtracking denial-of-service attacks (spoofed source address)
• ISP IP-spoof tester (use Trinux/ bootable floppy)
• information warfare/ cyber terrorism
• IPsec key mgt: photuris, skip, isakmp, skeme, IKE
• key distribution for multicast sessions, group key management
• ATM (asyncrhonous transfer) security
• wireless security (wap's wtls), 802.11i/x, WPA2 or WEP, mobile IP
• WiMAX security (802.16e) metropolitan wireless, AES-CCM
• cell phone security (gsm, cdpd, ORYX, ...)
• bluetooth security (wireless)
• data over cable (docsis) ( RSA, HMAC)
• encryption in banking or e-commerce
• Voice over IP threat identification (VoIP) and security
• windows XP security (kerberos, efs, pki)
• security in globus
• security of DVD's and/or MP3 follow-on
• electronic payment schemes (ikp, ecash, egold, ...)
• email filters -- spam, viruses, trojans: content checkers (TrendMicro, AOL, etc) or verify sender ID (IBM's FairUCE)
• sender policy framework (SPF) for email sender authenticity
• security for data acquisition & control systmes (SCADA) and SCADA HoneyNet
• security for sensor networks
• security for adhoc networks
• micropayment schemes
• security of snmp (v1 vs v3)
• elliptic curves in security
• compare hardware RNG (intel, amd, via, others?)
• secure processors (VIA nehemiah, Cavium, DS5002FP, Trusted Platform Module (TPM))
• ARM TrustZone (secure monitor)
• IBM 4758 crypto co-processor
• analysis of one of the other AES finalists
• analysis of one of the NESSIE/CRYPTREC crypto algorithms
• chaotic functions as one-time pads
• secure time services (timeofday/ntp, timestamps)
• compare firewall products
• authorization models (capabilities, ACLs)
• virtual private networks VPNs (Windows 2000?)
• attacking embedded systems (xbox, switches, routers, cell phone,toaster)
• router or routing protocol attacks (BGP, OSPF, ...)
• compare UNIX scanners (ISS, COPS, NESSUS, SPI)
• immutable executables (signed applets, ?)
• rootkit evolution (metasploit)
• SDSI or SPKI or X.509 hierarchies
• https/SSL performance
• survey of tests for randomness
• contrast various tests for primality
• compare secure file transfers (scp, sftp, ?)
• VIA's nehemiah secure ? processor or here
• electronics (tempest, wiretaps, EMP guns, biometrics)
• security in distributed computing (DCE, DCOM, CORBA, RMI)
• crypto API's (GSS, CAPI, Java JCE, others ?)
• server-side vulnerabilities (CGI, php, vbasic)
• analyze performance compression before encryption
• automatic cryptanalysis of some hand cipher
• implement and analyze of TEA or RC5 or ?
• electronic voting
• setup secure Apache web server and certificates
• setup OpenVPN testbed and test throughput
• internet poker with session keys, public/private keys
• digitial cash (Schneier, pg 142, protocol 4)
• how to alert user to a phishing email
• Pick an attack. Investigate how it works, implement the attack, and propose how to defend against it.