New User Special Price Expires in

Let's log you in.

Sign in with Facebook


Don't have a StudySoup account? Create one here!


Create a StudySoup account

Be part of our community, it's free to join!

Sign up with Facebook


Create your account
By creating an account you agree to StudySoup's terms and conditions and privacy policy

Already have a StudySoup account? Login here

Computer Security

by: Ashleigh Dare

Computer Security ECS 153

Ashleigh Dare
GPA 3.75

Hao Chen

Almost Ready


These notes were just uploaded, and will be ready to view shortly.

Purchase these notes here, or revisit this page.

Either way, we'll remind you when they're ready :)

Preview These Notes for FREE

Get a free preview of these Notes, just enter your email below.

Unlock Preview
Unlock Preview

Preview these materials now for free

Why put in your email? Get access to more of this material and other relevant free materials for your school

View Preview

About this Document

Hao Chen
Class Notes
25 ?




Popular in Course

Popular in Engineering Computer Science

This 28 page Class Notes was uploaded by Ashleigh Dare on Tuesday September 8, 2015. The Class Notes belongs to ECS 153 at University of California - Davis taught by Hao Chen in Fall. Since its upload, it has received 38 views. For similar materials see /class/187714/ecs-153-university-of-california-davis in Engineering Computer Science at University of California - Davis.

Similar to ECS 153 at UCD

Popular in Engineering Computer Science


Reviews for Computer Security


Report this Material


What is Karma?


Karma is the currency of StudySoup.

You can buy or earn more Karma at anytime and redeem it for class notes, study guides, flashcards, and more!

Date Created: 09/08/15
Cryptographic protocols design and analysis David Wagner University of California Berkeley Notation A B C S names of legitimate parties Short for Alice Bob client server M name of a malicious attacker Short for Mallet Notation 1A gtBa The above means 1 Protocol designer intended the message 1 to be sent by I party B 2 This message was intended to be sent first in a series of Caveats 1A gtBa Do note 1 B only receives the message 13 not who it came from Thus messages should include the sender s name if the needs to know it 2 There is no guarantee that A the network or the adversa as intended Thus messages might be intercepted modified reorder More Notation k is a key 1 is its inverse For symmetric cryptosystems k k l for publickey cryptos the public key and k 1 the corresponding private key Notation Without End 51k means 1 encrypted under k Warning This is implicitly assumed to provide both secrecy al the standard notation For instance 13 yk securely binds 1 1 Excercise How do you implement xk 13k1 means 1 signed under k l Most authors conventionally use xk1 for signatures but I don t like the standard notation Exercise Why not Still More Notation TA is a timestamp chosen by A NA is an unpredictable random nonce a challenge chosen Who s awake What does the following notation mean 1 A gtBI 14 kABABK21KB 2 B gt A messagekAB Warmup Establishing a secure channel with a challengeresponse prot Can you spot the flaw 9 93M A gtBI B gtAI A gtBI A gtBI A gtBI A NB NBK21 messageKB message KB DenningSacco 1 Key exchange between A B with the aid of an online certifice 1 A gtS AB 2 S gtA certAcertB 3 A gtB certAcertBkABTAK1KB A Can you spot the flaw Breaking DenningSacco 1 Look closely 3 A gt B certAcertB kABTAK1KB A The key kAB isn t bound to the names of the endpoints A B Therefore B can extract the quantity MAB TAK1 and use i A in a new connection to 0 like this 3 B gt C certAcertC kABTAK21KC As a result 0 mistakenly concludes he is speaking with A A Lesson Moral Be explicit Bind all names and all other relevant c every message Exercise Why do so many protocols fail this way Credits Abadi Early SSL Key exchange with mutual authentication 1 A gtBI kABKB 2 B gtAI NBkAB 3 A gtB certANBK21kAB Can you spot the flaw Breaking early SSL Look closely 1 A gtBI kABKB 2 B gtAI NBkAB 3 A gtB certANBK21kAB Alice will sign anything with her private key The attack on early SSL B can open a connection to C and pretend to be A as follows 1 B gt C I kBCKC 2 C gt A NCkBC When 0 challenges B with nonce NC Bob sends NB 2 NC and uses her as an oracle 114 gt B I kABKB 2 B gt A I NCkAB 3 A gt B certA NCKA1kAB A will sign anything so B extracts NdKZl and he s in 3 B gt C certA NCK21 AB Fixing early SSL Fix replace NBK1 with A B NA NBK1 A A 1 A gtBI kABKB 2 B gtAI NBkAB 3 A gtB certAABNANBK1kAB A Moral Don t let yourself be used as a signing oracle Add randomness and bind names before signing Credits Abadi GSM challengeresponse A is cellphone handset B is a base station 1 B gt A NB 2 A gt B I A NBK1datak AB where k fKAB NB is the voice privacy key Can you spot the weakness X509 standard 1 Sending a signed encrypted message to B 1 A gt B A TA B messageKBK1 A Can you spot the flaw Breaking X509 standard 1 Look again 1 A gt B A TA B messageKBK1 A There s no reason to believe the sender was ever aware of the the message An Attack on X509 1 Example Proving yourself by sending a password Attacker M intercepts Alice s encrypted password 1 A gt B A TA B passwordKBK1 A Then M extracts passwordKB and sends 1 M gt B M TMB passwordKBK1 M Now M is in without needing to know the password Another Attack on X509 1 Example Secure auctions The same attack provides an easy way for M to send in a cop under his own name without needing to know what A s bid we Lessons An important difference between 0 Authentication as endorsement ie taking responsibility 0 Authentication as a way of claiming credit Encrypting before signing provides a secure way of assigning but an insecure way to establishing credit Moral sign before encrypting Credits Abadi TMN Pop quiz Watch carefully A B establish a shared key 193 using the help of a fast server 1 A gtSI kAKS 2 B gtSI kBKS 3 3 A meg13 A recovers kB as M 69 M 69 k3 Can you spot the flaw Breaking TMN Let s play spot the oracle The attack Given kBKS M M can conspire to recover kg 1 M gtSI kBKS 2 M gtSI kMKS 3 S gtMI 63le Now M M can recover kB from kBKS Cre Goss railway protocol A and B establish an authenticated shared key MB 2 734 69 I 1 A gtBI A7 AKB 2 B gtAI B7 BKA Do you see the subtle weakness Triangle attacks on Goss If session keys sometimes leak the system breaks M can recover 734 from 734KB by opening a session to B ar A s encrypted contribution to the key 1 M gtBI C7 AKB 2 B gtM B739KM Now if M can learn kBM somehow he can compute 734 kl Basically if B lets session keys leak M can use him as as a 7 oracle to obtain 734 from 734KB Play the same games with A to recover 773 from 773KA you then learn 1743 Crelt Implementing protocols Explicitness is powerful and cheap The mathematical notation 1 B gt A I NB 2 A gt B I NB A7BKA might be implemented in practice as 1 B gt A Msg 1 from B to A of GSM protocol v10 is a 2 A gt B Msg 2 from A to B of GSM protocol v10 is the challenge NB and A asserts that the ses fresh and good for communication between 1 session where N B was seen KA Can you see why each of the elements above are there Implementing protocols Any value received as cleartext should be treated as untrustw may use it as a hint for performance but don t depend on it fc Minimize state each message should be selfexplanatory


Buy Material

Are you sure you want to buy this material for

25 Karma

Buy Material

BOOM! Enjoy Your Free Notes!

We've added these Notes to your profile, click here to view them now.


You're already Subscribed!

Looks like you've already subscribed to StudySoup, you won't need to purchase another subscription to get this material. To access this material simply click 'View Full Document'

Why people love StudySoup

Jim McGreen Ohio University

"Knowing I can count on the Elite Notetaker in my class allows me to focus on what the professor is saying instead of just scribbling notes the whole time and falling behind."

Allison Fischer University of Alabama

"I signed up to be an Elite Notetaker with 2 of my sorority sisters this semester. We just posted our notes weekly and were each making over $600 per month. I LOVE StudySoup!"

Steve Martinelli UC Los Angeles

"There's no way I would have passed my Organic Chemistry class this semester without the notes and study guides I got from StudySoup."

Parker Thompson 500 Startups

"It's a great way for students to improve their educational experience and it seemed like a product that everybody wants, so all the people participating are winning."

Become an Elite Notetaker and start selling your notes online!

Refund Policy


All subscriptions to StudySoup are paid in full at the time of subscribing. To change your credit card information or to cancel your subscription, go to "Edit Settings". All credit card information will be available there. If you should decide to cancel your subscription, it will continue to be valid until the next payment period, as all payments for the current period were made in advance. For special circumstances, please email


StudySoup has more than 1 million course-specific study resources to help students study smarter. If you’re having trouble finding what you’re looking for, our customer support team can help you find what you need! Feel free to contact them here:

Recurring Subscriptions: If you have canceled your recurring subscription on the day of renewal and have not downloaded any documents, you may request a refund by submitting an email to

Satisfaction Guarantee: If you’re not satisfied with your subscription, you can contact us for further help. Contact must be made within 3 business days of your subscription purchase and your refund request will be subject for review.

Please Note: Refunds can never be provided more than 30 days after the initial purchase date regardless of your activity on the site.