Security, or guaranteeing the expected behavior in face of intended attacks,
is an integral aspect of the design and use of modern information systems.
The workshop will provide hands-on programming experience in different
aspects of computer and communication security.
To Introduce students to the challenges of writing security-conscious
programs and implementing cryptographic protocols.
To lead students through an end-to-end software development cycle:
- defining the project
- researching for similar projects
- learning required background (protocols, APIs, environment)
- designing the methods of implementation
- actual implementation
- testing and debugging
- adjusting project in response to feedback
- wrapping up the project and presenting it to the world.
- To give students a better understanding of team-based development (as
opposed to solo projects): distribution of tasks, source control and
integration of code.
- To learn something new while having fun
The workshop projects will be interesting and "cool" but not easy!
There is no formal prerequisite requirement regarding cryptography
or computer security, although some prior background knowledge and affinity
will certainly help. Students will be expected to read and learn on their own
any concepts and systems that are needed in order to carry out the project
After two introductory
lectures, the students will form teams of 1 to 3 students.
Each team will choose a project of scope appropriate to its size (See list of
Project selection should be done as early as possible, but no later than
the third meeting, namely March 22.
The first part of the work on the project is devoted to collecting, reading and
understanding the background material. This includes understanding the goal,
the relevant theoretical background, the tools to be employed, the programming
environment. Very importantly, it also includes a literature search on
potential similar software that's already available.
At the end of this part, each group has to
present its plan to the instructors. You will have
to explain in detail the implementation design and show understanding of the
internals of the project. Emphasis on implementation and specific project
goals will be given by the instructors.
You are strongly encouraged
to have this presentation as soon as possible.
The main part of the work is devoted to implementing the plans made in the
first part. You are
expected to test the code you wrote, analyze its performance and draw conclusions as to
it can be improved, what features can be added. Throughout the semester we
will have three course meetings in which each group will describe its progress
class and will raise for discussion issues encountered while working on the
Submission will be done in three steps:
1. Pre-submission. Each group will have a personal meeting with Ran and Rani,
presenting their project in action. Although this presentation is part of the
grade, it is intended mostly for feedback.
2. Class presentation. On the last two weeks of the semester, each group will
present its project to the class.
3. Final submission. Each group will have another personal meeting with Ran and
Rani, presenting their project in action. Changes based on
feedback from pre-submission and class presentation will be expected.
- Present project plan and get an approval,
- Participate in class discussions about your project and other projects,
- Present the project and answer questions, following the guidelines in
The grade will be the sum of two components: The project component and the
understanding/participation component. The project grade will be based solely on
the quality of the
implementation and the demonstration, against the stated goals.
This component will be the same for all the participants in the project.
The understanding/participation grade is individual and
will be based on the Ran and Rani's impression of your understanding of the
in individual meetings and in the project discussion in class meetings.
Note that this component can be either positive or negative.
Code sharing policy
Some projects will be encouraged to share information and code; in other cases
such sharing will be prohibited.
Needless to say, any unauthorized copying or sharing of information will
result in a grade penalty or possible disciplinary action. This includes
unauthorized use of publicly available code (such as code provided on the
Internet) for some of the tasks you are required to implement. When in doubt,
- In some of the projects you may choose between Windows(2000/XP/Vista), Mac
OS or Linux as your OS of choice, but some should be OS-independent.
- You may write the project in Java or C/C++. If you want to use another
programming language, please contact Ran or Rani for approval.
- Code clarity and documentation
- You are required to write a high level description of your code, its
structure and main algorithms. Aside from developer documentation, you are
required to write documentation for users.
- Submission of source code and documentation is on the project page on
- Comment your code as clearly as possible.
- If possible, generate automatic documentation for your code (e.g.,
using Javadoc or Doxygen).
Below is an initial list of suggested projects.
The description below is very terse.
More details will be given in class. Projects may be added in the coming
In addition, teams are welcome to
propose their own security-related projects. These proposals will of course be
subject to approval of the course staff.
- Securing Webmail
Current webmail applications (such as Gmail, Hotmail, etc) require the user to
put complete trust in the mail server. In particular, the server is given full
access to the mail contents, and is trusted to verify the authenticity of
incoming mail in the name of the user. This set of projects is aimed to
develop methods for mitigating the trust in webmail servers, while maintaining
the functionality and ease of use.
- [2-3 students] Adding encryption and authentication to webmail client, thus
to preserve "end to end" secrecy and authenticity without trusting the
- [2 students] Adding a layer of protection that uses secret sharing among
instead of encryption.
- [1 student] Adding a steganographic layer to the previous solutions, to
hide the fact that encryption is being used.
Implementing Internet Security Standards
Yaron Sheffer's presentation
The Internet Engineering Task Force (IETF) is the main body for standardizing
This set of projects will implement some current proposed standards for secure
(These projects will be supervised jointly with Yaron Sheffer from Checkpoint
- [2 students] Implementing the standard proposed in
for incorporating a variety of authentication mechanisms in the TLS/SSL
- [2 students] Implementing the standard proposed in
for password-based authentication.
- [1 student] Implementing the standard proposed in
for sniffing packets to verify whether they are encrypted.
- Implementing a general secure multi-party computation protocol
- [3 students]
Secure multi-party computation is a cryptographic paradigm that allows
a set of mutually distrustful parties to perform some joint computation
in a way that guarantees correctness of the outputs along with secrecy of
local data (to the maximum possible extent).
The project is to implement a specific multi-party computation protocol.
The protocol is
currently written in an abstract format, with many details missing. The
implementation will need to fill out the details. In particular, an
appropriate communication protocol and API will need to be developed.
- Human-memorizable password enhancer
- [1-2 students]
Passwords that are chosen and memorizable by humans are notoriously weak
secrets. However, in many cases human-memorizable secrets are the only ones
available. The goal here is to implement one proposed way for enhancing the
security when the only secrets available are
human-memorizable. The context is encryption of local storage using a
password. However, instead of using the password directly, the user is
prompted via a CAPTCHA-like puzzle to generate randomness that's
unpredictable to a computer. The project will involve coming up with ideas
for effective puzzles and in addition implementing the underlying
mechanism for using the human answers for encryption.
- Your suggested project
||Try it out
|Multi party computation
|please read document for running it localy
|EAP/EKE (WpaSupplicant, freeRadius)
|Webmail encryption (Gmail)
|Webmail encryption (Yahoo)
|Webmail secret sharing