CS338 Computer Security
Friday, 6 October 2023

+ Monday
    - Details about exam
    - Leftover questions

+ Goals of our protocol
    - Alice & Bob share a secret K
    - Nobody besides Alice and Bob knows K

+ Assumptions
    - Bob's certificate Cert_B containing P_B is readily available
      and was signed by a trustworthy CA
    - Alice can validate CA any time
    - Bob is the only one who has access to S_B
    - Alice's DH secret is a, Bob's is b

+ Given a possible protocol
    - What does it look like if...
        A <--> B
        A <--> B [E listening]
        A <--> M [M impersonating B]
        A <--> M <--> B [ditto, with M using B as a resource]
    - Specifically in each of these scenarios
        - If Alice computes K1, who else knows K1?
        - If Bob computes K2, who else knows K2?
        - Do Alice and Bob have the same K?
        - Can Bob notice trouble?
        - Can Alice notice trouble?
        - Can Eve read messages encrypted with K?
        - Can Mal read messages encrypted with K?
        - Can Mal modify messages encrypted with K?

+ Protocol 1: just Diffie-Hellman

+ Protocol 2.1: Diffie-Hellman + challenge/response
    challenge = random R
    response = E(S_B, R)

+ Protocol 2.2: Diffie-Hellman + challenge/response
    challenge = R
    response = E(S_B, R || g^b mod p)

+ Protocol 2.3: Diffie-Hellman + challenge/response (better)
    challenge = R
    response = E(S_B, H(R || g^b mod p))

+ RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3
    - Pay attention to
        - Section 2 for handshake overview
        - Section 3 for notation
        - Section 4 for detailed handshake top-level
    - Several bits of vocabulary
        (EC)DHE
        Pre-shared key (PSK)
        Forward secrecy
    - Assumptions for this class
        - A & B are not using pre-shared keys; just (EC)DHE
    - Study plan
        - We're trying to find the expositional thread that covers the
          simple core of Protocol 2.3 listed above, and ignore other
          details and special cases and variants
        - Skim section 3 (see how arrays/vectors are denoted, learn the
          definition of the "opaque" type)
        - Read section 2, skipping everything that involves pre-shared
          keys and focusing on things involving (EC)DHE
        - In section 4, look at ClientHello and ServerHello, and dig into
          details from there. Can you see the g^a mod p, g^b mod p, R,
          and E(S_B, H(R || g^b mod p)) showing up in those two messages?
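
Added example (not part of the original notes): a toy Python simulation of the "A <--> M <--> B" scenario for Protocols 2.1 and 2.3, showing what Alice's check can and cannot notice when the response does or does not cover g^b mod p. Textbook RSA with small fixed primes stands in for E(S_B, ...), and the names bob_respond, alice_accepts and run, the parameter values, and the byte encoding inside H are assumptions of this example.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                      # DH modulus (a Mersenne prime) and base
Q1, Q2, E = 2**61 - 1, 2**89 - 1, 65537   # Bob's toy RSA primes, public exponent
N = Q1 * Q2                               # public modulus (part of P_B)
D = pow(E, -1, (Q1 - 1) * (Q2 - 1))       # S_B: known only to Bob

def H(r, dh_pub):
    """H(R || g^b mod p), reduced mod N so textbook RSA can process it.
    The 16-byte big-endian encoding is an assumption of this example."""
    data = r.to_bytes(16, "big") + dh_pub.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def bob_respond(r, version, b):
    """Bob's (g^b mod p, response) for challenge r under Protocol 2.1 or 2.3."""
    gb = pow(G, b, P)
    msg = r if version == "2.1" else H(r, gb)
    return gb, pow(msg, D, N)             # E(S_B, msg)

def alice_accepts(r, dh_received, response, version):
    """Alice checks the response with P_B against the DH value she received."""
    expected = r if version == "2.1" else H(r, dh_received)
    return pow(response, E, N) == expected

def run(version, mitm):
    """One handshake. With mitm=True, M hands Alice g^m in place of g^b
    and relays R to Bob and Bob's response back (M using B as a resource)."""
    r = secrets.randbits(64)              # Alice's challenge R
    gb, response = bob_respond(r, version, secrets.randbits(100))
    dh_seen_by_alice = pow(G, secrets.randbits(100), P) if mitm else gb
    return alice_accepts(r, dh_seen_by_alice, response, version)

if __name__ == "__main__":
    for version in ("2.1", "2.3"):
        for mitm in (False, True):
            print(f"Protocol {version}, M in the middle={mitm}: "
                  f"Alice accepts={run(version, mitm)}")
```

With M in the middle, Alice accepts under Protocol 2.1 because the response says nothing about which DH value she received; under Protocol 2.3 the hash covers g^b mod p, so the substituted value makes her check fail.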