Fall 2023

Section 1: TTh 3:30pm - 4:45pm - 2111 JKB

Please read the entire syllabus. It will help both you and me.


This course covers fundamental principles of computer security. The course consists of three parts:

Part 1: Cryptography: We will study and experiment with basic cryptographic primitives (symmetric encryption, asymmetric encryption, MAC, and cryptographic hash functions). We will learn how these primitives are used to achieve certain security properties.

Part 2: Systems: We will study systems that use cryptography, including HTTPS and secure email, to see how cryptographic primitives are used in practice on the Internet.

Part 3: Software Security: We will learn about some of the most common errors that software developers make that attackers then exploit. We will learn how to avoid or prevent these mistakes.

The learning outcomes for this course are:

  • Have a breadth of knowledge in computer security

    • Understand basic security terminology and use it accurately in technical discussions

    • Understand the kinds of threats facing people and systems and the technology to address those threats

    • Understand the limitations of technology in creating a secure system

  • Understand the basic principles of cryptography and how cryptographic building blocks can be assembled to provide security services

    • Build a system: Implement a cryptographic algorithm from a standards specification.

    • Remove the mystery of cryptography and replace it with knowledge of basic principles

    • Understand the use of cryptography in existing security protocols

    • Be able to explain how a protocol meets a given set of security requirements

  • Understand the basic principles of secure software design

    • Break and fix a system: Demonstrate how attackers compromise real-world systems, and then show how to prevent these attacks.

    • Avoid common design and development errors

    • Understand basic usage of standard cryptographic primitives

  • Demonstrate leadership skills

    • Be able to make sound technical decisions in the design and acquisition of security technology

    • Have technical and communication skills needed for leadership roles

    • Be ready to conduct security research in industry or graduate school

  • Promote a code of ethics that is compliant with the law and in accordance with gospel principles

The prerequisite for the course is CS 324 Systems Programming.


There are no required textbooks for this class. We will use a variety of online materials associated with each lecture. I strongly encourage you to review the materials before each lecture.

Assignments and Grading Policy

The assignments for this class will consist of homework, labs, and exams.


Homework is due on Tuesday at the beginning of class. Submit it online in LearningSuite before it is due. Submitted homework must be a PDF.

Each homework is worth 25 points

Late Homework Policy: If it is submitted by the following class period after it is due, you can receive a maximum of 15 points. If it is submitted before the next exam, you can receive a maximum of 10 points.


Each week that a project is assigned, it is due before midnight on Friday. Projects are worth 65 points each. Students are encouraged to meet project deadlines with much time to spare. I want to see all students complete every lab by the end of the semester, as this is by far where the most learning will occur. I want you to learn, and you will learn more if you complete the assignments.

Projects each have their own specific passoff instructions, which you should carefully follow. Each and every assignment includes a final submission to LearningSuite.

Code can be submitted as .zip or .tar.gz, but please make sure that when files are unzipped or untarred that they are inside of a directory - ideally with your name and the project name - instead of placed in the current directory. I really really dislike this. Don't do it. You may think I'm joking but I'm fully ready to deduct points.

If proj11.tar.gz expands into


rather than:


then we'll both have a bad time.

Late Project Policy: As an incentive to help you stay current, we will record late days and early days for each project (university holidays excluded).

Each day a project is late will be deducted from your total, and each day a project is early will be added to your total. You can't get early days for a project if you have not turned in a previous project. You start with a balance of +5 days, and are capped at a maximum postive balance of 10. The initial balance ought to be enough to cover any minor issues that may arise, (e.g. friend's wedding, job interview out of town, pet dental emergency). If this balance will not be sufficient to cover some issue you expect in the future, please work ahead to build up your balance. In extreme circumstances please discuss your scheduling issues with me ahead of time as early as possible. There may be some flexibility.

At the end of the semester, you will receive a penalty if your late/early balance is negative. Your overall project points may be penalized up to 2% for each late day on your final balance. If all projects are completed, the penalty for late days will be capped at 10% so that your grade may be reduced by a maximum of one letter grade.

Project Pass-off Policies: Projects may be written in the language of your choice unless instructed otherwise. For many of the projects there is an automated passoff system. Each project has passoff instructions that should be followed carefully.

This is generally no longer necessary, but for historical reasons, in the event of a LearningSuite failure , you may pass off a project after the deadline for full credit, and without using late days, provided you email a SHA-256 checksum of all files associated with your project to the TA before the deadline. You can generate the checksum again at passoff to convince the TA that your assignment was completed on time. You can generate a checksum on linux using openssl (e.g., >openssl dgst -sha256 [filename] ). Search online for how to do this on other systems. I leave this section in my syllabus so that I can make a lame joke while discussing this on the first day of class. If I forget to, remind me.

Extra Credit

There will occasionally be extra credit offered through various means. There is an extra-credit project, and an extra-credit homework assignment, and a variety of in-class CTF-style security-related puzzles. You'll see an example on my screen some time during the second class session, and we'll discuss it after enough have solved the challenge. Please do your own work. None of these extra-credit opportunities are likely to have a noticable effect on your final grade in the course - they are primarily for fun and not worth many points, compared to the other assignments.


There will be 2 mid-term exams (posted schedule) each worth approximately 175 points, and one final exam worth 175 points covering material from the entire course.

Final Grades

All points are equal. Your final score will be calculated as a percentage of total/possible points, using the standard university grade distribution formula. Point totals are approximate and may vary by a small amount (e.g. a mid-term exam might be 172 or 179 points etc).

Collaboration Policy

All assignments must be completed individually. You are encouraged to collaborate as much as possible, including discussing solutions and solving problems together. For homeworks, write up your own answer individually (e.g. do not copy someone else's solution directly). If you are reading this syllabus and email your name/netid to me, you will get 3 points of extra credit, as long as your email arrives before the beginning of our second class period. For projects, you are encouraged to discuss solving the projects and any programming problems you encounter generally, but you must write your own code, make your own screenshots, etc.


If you have a serious medical or personal issue, please see the instructor to make arrangements for late work. I am happy to make accommodations for a learning disability if you submit an accommodations letter to me through the University Accomodations office. In general, such accomodations are not retroactive. No work can be turned in after the university's last day of instruction.

Exams must be taken on the scheduled day(s). Medical exceptions are available, but please notify the instructor in advance or as soon as possible. Non-medical exceptions (e.g. traveling to a job interview) can possibly be made in advance with sufficient notice.

Educational Policies

Honor Code Standards

In keeping with the principles of the BYU Honor Code, students are expected to be honest in all of their academic work. Academic honesty means, most fundamentally, that any work you present as your own must in fact be your own work and not that of another. Violations of this principle may result in a failing grade in the course and additional disciplinary action by the university.

Policy on Harassment

Harassment of any kind is inappropriate at BYU. Specifically, BYU's policy against sexual harassment extends not only to employees of the university but to students as well. If you encounter sexual harassment, gender-based discrimination, or other inappropriate behavior, please talk to your professor, contact the Equal Employment Office at 422-5895 or 367-5689, or contact the Honor Code Office at 422-2847.

Students with Disabilities

BYU is committed to providing reasonable accommodation to qualified persons with disabilities. If you have any disability that may adversely affect your success in this course, please contact the University Accessibility Center at 801-422-2767. Services deemed appropriate will be coordinated with the student and instructor by that office.