CSC 580: Cryptography and Security in Computing

A printable PDF is available.

Collaborative Research Projects

Students will work in teams of 3-4 students to complete a semester-long project. As an option for the Spring 2018 semester, we are doing a trial of collaborative projects between CSC 580 (Cryptography and Security in Computing) and ISM 324 (Secure Networked Systems). Collaborative projects will consist of two students from each class, and will explore a cloud storage security topic from a comprehensive view that will include both technical and business requirements perspectives. At the end of the semester, collaborative project teams will present their work at a special event that will include industry representatives, so it is a good chance to get some exposure with potential future employers. Collaborative projects will also provide good experience with the kinds of multidisciplinary teams that many of you will work on after graduation, and offer a good experience to put on your resume!

Cloud Storage Background

Cloud storage services provide file storage facilities that are accessible from anywhere on the Internet, and often include powerful file sharing and collaboration features. The power and convenience of cloud storage have led to widespread use of services such as Dropbox, Box, Google Drive, and Microsoft OneDrive. There are many security issues related to cloud storage that we will explore in this class as examples of concepts related to security goals, protections, and threat models, and we will look into issues such as where the data is stored, who has access to it, and what risks exist in various approaches to cloud storage.

Beyond general security issues associated with cloud storage, we will focus on Nextcloud (https://nextcloud.com), which is a mature open source cloud storage system that includes features comparable to the main service providers mentioned above. The Nextcloud server can be installed and run on an organization's own servers, or can be used with a special-purpose cloud storage appliance, or can be used as a service (similar to Dropbox or Box) that is offered by over 50 different providers. Clients exist for all major desktop operating systems (Windows, Mac, and Linux) and mobile operating systems (Android, Apple, and Windows).

We focus on Nextcloud for two main reasons. First, it is open source and very flexible, so the software can be examined and experimented with. Second, versions due in early 2018, and available now in limited beta testing releases, include a powerful feature that none of the big services provide: end-to-end encryption. We will explore what this means and how it is achieved over the course of the semester, culminating in group projects where student teams examine and evaluate this new capability from a security and/or efficiency standpoint.

Collaborative projects will be organized around a theme or topic, and will investigate both organizational/business needs aspects and technical aspects. There is some flexibility in the exact choice of project topic. Two topic suggestions are given below, and other topics are possible with permission of the instructors (this is discouraged unless you have a particularly creative or strong alternative topic).

All collaborative projects require contacting an organization and doing interviews with at least 5 employees (both technical and non-technical) in order to learn about the organization's needs and use of cloud storage, and a technical component looking at specific technologies and solutions (down to the level of code review for Nextcloud).

Collaborative Project Topic Suggestions

The following are possible project topics for collaborative projects.

Collaborative Project Idea 1: Technical - Requirements and Solution Evaluation.
This approach focuses on technical aspects of information security protections, in the context of an organization (company or nonprofit) that the team will work with. Researching cloud storage from a technical perspective requires interviews about the organization's use and/or planned use of cloud storage, sensitivity of data involved, and organizational or other (e.g., legal) requirements on data protection. The organizational research part of the project should include interviews with at least 5 people, including both technical and non-technical employees. The technical capabilities and security protections offered by Nextcloud and at least one commercial provider (Dropbox, Box, etc.) should then be evaluated and matched with the requirements gathered from the organization. In the case of Nextcloud you should include a technical evaluation of both the overall security design and model, and an evaluation of the implementation that is provided by Nextcloud.

Collaborative Project Idea 2: User Issues - User Awareness and Usability.
Researching cloud storage from a user perspective requires preparing a survey that is designed to see how well the organization's users (including technical staff) understand the "high-level picture" of cloud storage, including issues such as where data resides in the system and the dangers involved in general systems of that type. The survey/interview should then delve into some specific aspects of Nextcloud and at least one other system, to see how well users understand specific statements from user documentation, system options, and potential error messages (if relevant). The team should interview at least 5 people, including both technical and non-technical employees. If such a system is currently in use at the organization, users should be asked about their day-to-day practices with regard to system use and data protection. The final report should include a comparison of user perceptions and behavior to best practices, and should include recommendations for improving proper use of security within the organization.

Timeline and Deliverables

Tuesday, January 16: Joint meeting of CSC 580 and ISM 324 to discuss the project (location to be announced).

Tuesday, February 6: Project Proposal
Students will write a document describing which project idea their team will perform for the project. Students will also identify the names of organizations, roles and names of employees that they would like to interview along with their contact information. The proposal should also include a tentative schedule for completing the project.

Tuesday, February 20: Project Plan
Students should design a list of questions that they plan to use during the interviews, and an outline of technical questions they will investigate. Carefully read and understand the project idea before designing the questions. This document should also include a schedule of self-identified project milestones, including a tentative interview schedule. All the interviews need to be completed by the date the progress report is due.

Tuesday, April 3: Progress Report
The progress report should be a brief summary of progress on both organizational/interview topics and technical investigations. Students are required to write detailed notes during the interviews, and the progress report should include transcriptions of the recorded interviews.

Tuesday, April 17: Final Project Report
Students will write a 20-25 page paper related to the selected project. Details about the paper contents are provided under each project idea above. The paper should be written in Times New Roman, 12pt, double-spaced font with one inch page margins. The page length does not include interview notes; however, the transcribed notes should be included in an Appendix at the end of the paper. Transcribed notes should not be submitted to the organization to ensure the anonymity of the interviewees. Students should use tables and images where appropriate to make information easier to read. The paper should include a 2-page executive summary that provides an overview of the interesting findings and recommendations.

Tuesday, April 24 - 6:00pm to 8:00pm: Final reception and presentations for collaborative projects with industry representatives.

Sample Grading Rubric

Organizational Research Part (40%): Successfully interviewed at least 5 people, including both technical and non-technical employees and gathered relevant information based on the selected project idea. Interview questions were appropriate for the selected task.

Analysis and Recommendation Part (30%):

  • Project Idea 1 (Technical): Successfully matched the requirements gathered from the organization with the cloud storage capabilities (technical and security protection) and made recommendations for the organization.
  • Project Idea 2 (User Issues): Successfully compared user perceptions and behaviors to best practices, and made reasonable recommendations for improving proper use of security within the organization.

Paper Organization and Clarity/Presentation (15%): The paper includes an executive summary that summarizes the most important parts of the paper. The paper uses headings and the information flows well from one section to the next. The writing is clear and correct.

Milestones Completed On-time (15%): All of the milestones were completed by the specified dates and were thorough.