What does "security" mean? Why is that question hard? Understand the 5 reasons security is hard. Understand security as risk management. What are policies and metapolicies? Why do you need both? What is MLS and why is it important? Understand the MLS labels and the dominates relation. How do you label mixed information? Understand least privilege. What are subjects, objects, actions and how are they used? Understand the Bell and LaPadula rules: simple security, *-property, and the two versions of tranquility. Why doesn't BLP bother with integrity? Understand the notion of an access control policy. Understand how an access control matrix can represent an access control policy. What are discretionary and mandatory policies? What is a covert channel? How does one relate to the policy? to the metapolicy? What is necessary for there to be a covert channel in a system? Understand how the Shared Resource Matrix Methodology works. What is a Non-Interference security policy? How can you turn an MLS policy into NI? Why would you want a non-transitive policy? What is integrity as a security concern? Understand separation of duty and separation of function. Understand Biba's three models of integrity. How is Strict Integrity the dual of BLP? Understand that integrity is orthogonal to confidentiality. Understand Lipner's model, Clark-Wilson, Chinese Wall, and RBAC. Understand the notion of storing the access control model. What are access control lists? What are capability-based systems? Understand the different notations for encryption/decryption. What is redundancy bad from a cryptographic standpoint? Understand: breakable, strong, keyspace. Why is the size of the keyspace relevant. Understand: substitution, transposition, confusion, diffusion. Understand: simple substitution, polyalphabetic subsitution, Vigenere cipher. Understand the types of attacks on cryptosystems. How does information theory relate to cryptanalysis? What is a perfect cipher? Understand the one-time pad and why it is perfect. What are the problems with OTP? What is the key distribution problem? Understand the Vernam Cipher, transposition cipher, cascade (product) cipher. Understand the distinction between symmetric and asymmetric crypto. What is public key crypto? How does it solve the key distribution problem? Be able to compare the number of keys in symm. and asym. crypto. Be able to compare the properties of keys in symm. and asym. crypto. Understand stream vs. block ciphers, and the advantages and disadvantages of each. What does malleable mean? Understand how AES works. Understand the modes of usage of crypto: ECB, CBC and CFB. Understand what keystream generation is. What are the properties of public key crypto? What advantages does it have? How do you get authentication / confidentiality using public key crypto? Why don't we use it all the time? What is a cryptographic hash function? What are the properties you want from one? Explain how crypto. hash functions are used. How can they be used for key exchange? Understand Diffie-Hellman key exchange. Understand why digital signatures are needed and what properties they should have. How could signatures be created with public key crypto? What are certificates used for? What assurance does a certificate provide? How do they work in theory? How does X.509 implement that? What is a cryptographic protocol? What's wrong with the strongbox protocol in the slideset? What goals might be desired from a protocol? Understand the notation for protocols. Why do we want to take an abstract view of protocols? Understand the attacks on protocols. Understand the Needham-Shroeder (N-S) protocol. What is it for? What are nonces and what are they for? Understand each step in the N-S protocol. Understand the attacks on N-S. Understand Otway-Rees as you did N-S. What is PGP and what are its goals? Was it successful? Understand the 5 PGP services, particularly how confidentiality and authentication are guaranteed. What are the four types of PGP keys? How are they generated and used? How are private keys protected? How does availability fit into the security picture? Understand the producer/consumer distinction. How does syn flooding work and how could you counter it? Understand what IDS and IPS are. Understand the role of false positive and false negatives. What does it mean for an IDS to be accurate? precise? What is the tradeoff between these two? Understand the base rate fallacy and why it relates to IDS.