CS338 Computer Security
Wednesday, 20 September 2023

+ Basic Auth quick walkthrough
- Reminder of setup: client, server, TCP connection, protocol
- Section 2 of RFC 7617, starting at "Upon receipt of..."
- Let's watch it in burpsuite while reading the RFC

+ Questions

+ Roadmap: topics to get us from here to TLS
- Symmetric encryption (we'll focus on AES but mention others)
- Asymmetric encryption (we'll focus on RSA but mention EC)
- Key exchange, including Diffie Hellman
- Relevance of AITM (also known as PITM and MITM)
- Cryptographic hashes
- Digital signatures
- X.509 certificates and PKI
- (Pragmatics along the way: openssl, PKCS documents, etc.)
- and finally, we can now read TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8846)

+ Alice, Bob, Eve, Mal/Mallory, and their friends
    https://xkcd.com/177/, https://xkcd.com/1323/

+ A couple key (ha!) questions
- how do you share a key with somebody across a network?
- how do you gain confidence that the entity you're talking to
    is likely to be who/what you want to talk to?

+ Quick spin through symmetric encryption (see video for more detail)
- DES
    - the NSA
- AES contest
    - Schneier's Law, and the stuff he said in this class in 2022
    - Performance vs. security
    - Other finalists still in use (notably Blowfish and its successor Twofish)
- Block cipher modes

+ Lab
- Use openssl to encrypt and decrypt with AES
- Miscellaneous questions about openssl
- Setting up no-password login using ssh