<< Home
The Kerckhoffs Institute for Computer Security is a collaboration between the computer science departments of the University of Twente, the Eindhoven University of Technology and the Radboud University Nijmegen, and offers a 2-year master programme in computer security. It was founded in 2005.


The current society is dominated by the increasing role of computerised systems. However, as a side effect, the society becomes increasingly vulnerable to misuse of such systems. This explains the growing interest in and importance of computer security. The Kerckhoffs computer security master aims at educating those who will occupy the leading positions in this field. Below we provide the motivation for the master programme.


The importance of computer security was already recognised several decades ago, but with the enormous development of the Internet with its viruses, buggy software, and programs under attack, society on a whole develops a clear awareness of the computer security problem. As it also appears to be a very hard problem, society will need many computer security specialists in the near and distant future.

The traditional approach to computer security is incident driven, while in the design stages of a computer system, security is often an afterthought. The challenge is to train a new generation of computer professionals who are aware of the implications of security with respect to all aspects of a computer-based system.

On an international scale these observations have led to the development of several Master's programs in computer security. In the Netherlands, there are initiatives to develop so-called Master's program profiles in this field. In order to strengthen and converge these local initiatives, three Dutch universities (Radboud University in Nijmegen, Eindhoven University of Technology, and Twente University) have joined forces to develop a common Master program in Computer Security of outstanding quality. We achieve this by combining the complementary expertise of the three sites. Our approach is incremental, and lightweight. The initial curriculum is partly based on existing courses, extended with some newly developed courses.

Computer security is not just a matter of cryptography or program correctness. This master programme focuses on the problem of making computer systems (hardware and software) secure, i.e. correct as well as invulnerable to attacks. As a result, the master programme will have a computer science perspective.

The master programme will be located at three sites. This will lead to organisational challenges in order to keep the overhead for both teachers and students low. To keep teaching load low, and to attain high teaching efficiency, courses will be given at a single site only. As a consequence, students will have to travel to other locations in order to participate in those courses (some of which are mandatory). But in order to minimise student travel, the teaching schedule is set up in such a way that, on average, students will have to travel to another location only once per week each semester.

Our perspective

In the discipline of computer security one may distinguish societal from technical issues.

The societal aspects cover organisational and legal measures, which support and complement the technical aspects. How does one control the access to assets? Which sanctions exist on breaking the rules, or on downright (computer) criminality? How is privacy protected? Human-machine interaction may also be classified as a societal aspect. What level of identification or authentication is still acceptable and feasible?

In the technical issues one may distinguish security engineering from analysis. Security engineering deals with tools, methods and techniques for the design and implementation of secure (computer) systems. How could one design and build systems such that they are a priori guaranteed not to leak information, and are invulnerable for intruders?

Analysis refers to verification a posteriori. Given an existing system, could it possibly leak, or be attacked successfully? In particular with respect to analysis there exists a whole spectrum of methods, from very formal to very pragmatic.

In every day practise, one often uses extensive checklists against which systems are examined. Other, somewhat more formal analyses try to establish whether a given system will keep upright under a certain type of attack. Really formal methods try to prove that the given system does not possess certain unwanted properties.

The expertise of the three partners covers the three mentioned areas quite well. Eindhoven focuses particularly on design and analysis, Nijmegen on analysis and societal aspects, and Twente on societal aspects and design. Therefore, these areas are the core of the proposed master programme, with an emphasis on software and on a rather theoretical, academic, formal approach.

The following subjects will not be covered in the master programme, or only at an introductory level. We name physical security (of persons, buildings, etc.), other physical aspects (radiographic techniques, tamper-resistant hardware), systems and network management auditing, signals and communication intelligence, and forensic techniques.

Our name

The institute derives its name from Auguste Kerckhoffs, who stated that "The design of a system should not require secrecy and compromise of the system should not inconvenience the correspondents". In the academic security community Kerckhoffs' Principle is widely supported: in the design of a system, security through obscurity is considered bad practise, and present day secure systems (like SSL, AES, and UMTS to name but a few) are designed in all openness.

Kerckhoffs was born in Nuth, the Netherlands, in 1835. As such he was the most influential Dutchman in the history of modern security.


The initial curriculum was set up by the following people
  • prof. Bart Jacobs, Nijmegen Institute for Computing and Information Sciences, Radboud University Nijmegen.
  • Jaap-Henk Hoepman, Nijmegen Institute for Computing and Information Sciences, Radboud University Nijmegen.
  • Sandro Etalle, Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente.
  • Marko van Eekelen , Nijmegen Institute for Computing and Information Sciences, Radboud University Nijmegen.
  • Sjouke Mauw Department of Mathematics and Computer Science, Eindhoven University of Technology.

Hans Meijer also contributed to the initial phases of this project.