CS338 Computer Security
Wednesday, 18 October 2023

+ Next up
  - Frameworks for thinking about security
      STRIDE, CIA, MITRE ATT&CK and D3FEND, ...
  - Ethical analysis of security situations
      focus on responsible disclosure as an example
  - Authentication
      including password storage and cracking

+ Threat modeling and STRIDE
  - Questions?
  - Which ones are harder/weirder? (S, T, R, I, D, or E?)
  - What is threat modeling for?

+ Authentication
  - What is it?
      "Prove that you are who you say you are."
      "A process for doing ^"
      "It's like when the bank asks you for your ID"
      [Questions about meaning of "you", "who", "are"...?]
  - How does authentication happen in non-digital life?
      Bank & ID
      Look at a person in person
      Job or other: provide birth certificate, SSN, green card, visa
      Biometrics -- DNA, retinas, fingerprints, palmprints, voice...
      Signature in ink
      Notarized signatures
      Kevin Mitnick -- read his book (memoir) about social engineering
  - How does authentication work in digital life?
    - Passwords
    - 2FA (two-factor authentication)
        password + texted 6-digit code
        face ID / fingerprint + texted 6-digit code
        password + authenticator app
    - Passkeys (FIDO2 passkey standards)
    - ...
  - Passwords
      storing them -- DB of (username, H(password), misc info)
      cracking them -- brute force? by common password? ...?

+ Next assignments during the coming week
  - Ethical analysis of a scenario
  - A miscellany of password-cracking tasks
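Added example (not from the lecture notes) for the "storing them -- DB of (username, H(password), misc info)" item above: it builds that table two ways, with a bare unsalted hash and with a salted, deliberately slow PBKDF2 record whose salt and work factor live in the "misc info" column, then counts how many users collapse to the same stored hash under each scheme. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users picked the same weak password.
SAMPLE_USERS = {"alice": "password123", "bob": "password123", "carol": "correct horse"}

def bare_hash(password: str) -> str:
    """Naive storage: H(password) with a fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(username: str, password: str, iterations: int = 100_000) -> dict:
    """Salted, slow storage with PBKDF2-HMAC-SHA256. The salt and the
    iteration count are stored alongside the hash so verify() can recompute it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"username": username, "hash": digest.hex(),
            "salt": salt.hex(), "iterations": iterations}

def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def build_db(users: dict) -> dict:
    """The (username, H(password), misc info) table, salted version."""
    return {u: make_record(u, p) for u, p in users.items()}

def shared_bare_hashes(users: dict) -> int:
    """Number of rows that duplicate another row's bare hash. With unsalted
    H(password), everyone who chose the same password stores the same value,
    so one hit from a common-password list exposes all of them at once."""
    hashes = [bare_hash(p) for p in users.values()]
    return len(hashes) - len(set(hashes))

def shared_salted_hashes(db: dict) -> int:
    """Same count over the salted table: identical passwords no longer collide,
    and each row must be attacked separately at the chosen work factor."""
    hashes = [r["hash"] for r in db.values()]
    return len(hashes) - len(set(hashes))

if __name__ == "__main__":
    db = build_db(SAMPLE_USERS)
    print("duplicate bare hashes:  ", shared_bare_hashes(SAMPLE_USERS))  # 1
    print("duplicate salted hashes:", shared_salted_hashes(db))          # 0
    print("alice, right password:  ", verify(db["alice"], "password123"))  # True
    print("alice, wrong password:  ", verify(db["alice"], "hunter2"))      # False
```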