CS338 Computer Security
Wednesday, 8 November 2023

+ Jeff's ambivalence

+ Where have we been?
  - Networking: clients, servers, layered headers
  - TCP: ports, sequence numbers, handshake
  - HTTP: GET, POST, HTTP headers
  - Cryptographic primitives
    - symmetric encryption
    - asymmetric encryption, focus on RSA
    - key exchange, focus on Diffie-Hellman
    - cryptographic hashes
    - digital signatures
    - X.509 certificates
    - PKI generally: doing key exchange without vulnerability to AITM
  - Encoding mechanisms: base64, ASN.1, DER, PEM
  - [pretty much skipped MACs]
  - [definitely skipped elliptic curve asymmetric encryption]
  - TLS handshake
  - Threat modeling; STRIDE as our example framework
  - (Brief glance at) CIA, Parkerian Hexad
    [Pause: what does CIA stand for again?]
  - (A little) ethical analysis of security scenarios: stakeholders, rights, goals, trade-offs
  - (A little) legal context: the Digital Millennium Copyright Act's anti-circumvention section
  - (A little) authentication
    - HTTP Basic Authentication
    - password storage
    - brute-force password cracking
  - AITM with ARP cache poisoning
  - Cross-site scripting (as an example of the OWASP top ten web security issues)
  - Some tools
    - wireshark
    - burpsuite
    - curl
    - nc
    - gobuster
    - ...

+ Wrapping up
  - Can you apply this knowledge to understanding a historical security incident?
  - More structure from the attacking perspective: key phases of a pen-test
  - (Final take-home exam) Revisiting some key concepts: TLS, authentication, etc.
  - Key ideas for protecting yourself
  - Ideas for future study

+ Today
  - Get started on partners and topics