Introduction to information and network security

  • School / Prep

    ENSEIRB-MATMECA

Internal code

ER8RE222

Description

This module begins with an introduction to cybersecurity, illustrating it with concrete examples and introducing the security criteria commonly used to define and evaluate the properties of the elements of an information system, or of an entire information system. Next, the specific features of data networks are examined, in order to determine the most appropriate techniques for protecting information flows. Among these protection techniques, particular emphasis is placed on cryptographic techniques and tools, which are widely studied and whose scope extends far beyond the context of networks. The benefits of cryptography are highlighted in a wide range of contexts: user authentication to an information system, information protection, network flow protection, secure communication protocols such as IPSec and TLS (ex-SSL), etc. The module concludes with a hands-on exercise to build a VPN (Virtual Private Network), drawing on most of the concepts covered above.

Objectives

  • Understand, and so be aware of, most of the cybersecurity risks to which information systems are exposed.
  • Be able, as a future professional, to avoid the relatively simple cybersecurity risks to which information systems are exposed by adopting equally simple good practices and, as a user, to avoid risky behavior.
  • Understand, and so be aware of, the limitations of some common network protocols in terms of cybersecurity.
  • Be able, in relatively simple cases, to envisage solutions to counter the cybersecurity risks to which current networks are exposed.
  • Know and understand the basic principles of applied cryptography.
  • Be able to use cryptography judiciously to protect any information or network flows.
  • Understand secure network protocols and so be able to use them to protect information flows.

Teaching hours

  • CI (Integrated courses): 34h
  • TDM (Machine Tutorial): 4h

Mandatory prerequisites

  • General computer knowledge.
  • Network principles and architectures, in particular IPv4 and IPv6.

Syllabus

  • Notion of information security: awareness and introduction to cybersecurity
    • The challenges of information systems security
    • Fundamental security requirements
      Introduction of DICP criteria: Availability, Integrity, Confidentiality and Proof.
    • Notions of vulnerability, threat and attack
      Illustrations and potential consequences for entities under attack.
    • Some legal and regulatory aspects
  • Network security
    • Examples of common, simple protocol weaknesses
    • Information security and network flow protection
    • The need to use cryptographic techniques and tools
  • Cryptographic techniques and tools applied to DICP security criteria
    • Hash functions
      - Applications to MAC (Message Authentication Code) and MIC (Message Integrity Code) generation.
      - Salt and pepper concepts.
      - Applications to irreversible secret storage and data anonymization.
    • Symmetrical cryptography with shared secret key
      Properties and uses for network flow protection (among others).
    • Asymmetrical public and private key cryptography
      - Properties and use for network flow protection (among other things).
      - Notions of certification and certification authority.
  • Applications
    • User authentication to an information system
    • Secure network protocols: IPSec and TLS (ex-SSL)
      Notion of VPN (Virtual Private Network).
  • Practical work

    Illustration of most of the concepts covered above by building a VPN.

N.B.: This module deliberately does not cover "penetration testing", or "pentesting", nor attacks on real systems; only a few examples are given, without any concrete means of exploiting them, to illustrate and justify the concepts studied.

Bibliography

  • Official DoD Internet documentation: https://www.rfc-editor.org.
  • Documents published by ANSSI: https://www.ssi.gouv.fr.
  • W. Stallings, "Cryptography and Network Security: Principles and Practice" - 7th Edition, Pearson, 2017.
  • Non-exhaustive course handouts (note-taking compulsory) and practical texts.

Assessment of knowledge

Initial assessment / Main session - Tests

Type of assessment | Type of test | Duration (in minutes) | Number of tests | Test coefficient | Eliminatory mark in the test | Remarks
Final inspection | Written | 90 | 1 | Remarks: Details of examination procedures: documents forbidden, calculator in exam mode authorized, all other computer and communication means forbidden.

Second chance / Catch-up session - Tests

Type of assessment | Type of test | Duration (in minutes) | Number of tests | Test coefficient | Eliminatory mark in the test | Remarks
Final test | Written | 90 | 1 | Remarks: Details of examination procedures: documents forbidden, calculator in exam mode authorized, all other computer and communication means forbidden.