CS338 Computer Security Wednesday, 8 October 2025 + Exam-prep questions - What's on your mind? - MAC vs. Signature (see drawings) - Why do DH instead of just using public/private key pair think about "what could Eve do" "what could Mal do" probably yes, you can put together a protocol that only uses RSA/EC to do this same thing...but would it be better? - What topics worry or puzzle you? - ... Pretend protocol for fixing problem #6: - A wants to talk to B - B sends cert to A (it says "this P_B goes with bob.com") - B sends Sig(S_B, cert) to A - A validates the cert and the sig - Why is this bad? - Mal could just ask B for cert + sig, and then use that combo when masquerading as B + After the exam - Threat modeling - Various conceptual models especially "CIA" (confidentiality, integrity, availability) - Ethical analysis - Midterm break - Pen-testing/ethical hacking/red-teaming - Security in software development - ... + Authentication - What is it? - "making sure the person requesting data access deserves it": two things 1. identifying the person/software requesting access [authentication] 2. once identified, making sure they deserve access [authorization] - Authentication: - ssh jondich@mantis.mathcs.carleton.edu; mantis demands password, etc. - Authorization: - jondich is logged in (i.e., has been authenticated) and asks "cat /etc/shadow" Linux/mantis checks permissions, finds jondich is not allowed to read that file, says no. - How is it different from / related to authorization? + Authentication scenarios - Tell the story: what happens when you login to Netflix (password, no 2FA) - User/browser: go to netflix.com (using https/TLS) - User: see login box, fill it out with email and password - Browser: sends the email and password P to the server - Netflix: compares H(P) to stored H(P) [note: for a moment, Netflix has P] - Enhance the story: same thing, but now there's 2FA - Tell the story: login to carleton.edu, with Duo - Change the Netflix story: same thing, but with passkey - Change the story: same thing, but "login with Facebook" + Duo - What is that 3-digit code about?