CSE 115 Introduction to Computer Science I FINAL EXAM Tuesday, - - PowerPoint PPT Presentation



SLIDE 1

CSE 115

Introduction to Computer Science I

SLIDE 2

FINAL EXAM

Tuesday, December 11, 2018
7:15 PM - 10:15 PM
SOUTH CAMPUS (Factor in travel time!!)

SLIDE 3

CONFLICT?

E-mail documentation to: alphonce@buffalo.edu

Subject: CSE115 FINAL EXAM CONFLICT

no later than 5:00 PM Friday November 30

SLIDE 4

CONFLICT?

Alternate date/time: Friday December 14, 11:45 AM - 2:45 PM, room TBA

SLIDE 5

Accessibility Resources

Schedule exam to overlap with alternate exam time: Friday December 14, 11:45 AM - 2:45 PM, room TBA

SLIDE 6

EXAM RULES

Bring your UB Card
No arrivals after the first 30 minutes
No departures in first 30 minutes

SLIDE 7

EXAM RULES

Room assignments: published on last day of classes
No electronics (phones, laptops, calculators, earbuds, etc.)
Closed books. Closed notes. Closed neighbors.

SLIDE 8

Road map

▶︎ Week overview ◀
Encryption
Hashing

SLIDE 9

Week overview

M: What are encryption & hashing
W: encryption & hashing in practice
F: cookies and authentication

SLIDE 10

Road map

Week overview
▶︎ Encryption ◀
Hashing

SLIDE 11

Encryption: A and B want to communicate

A has a message to send to B

SLIDE 12

Encryption: A and B want to communicate

A sends message to B in plaintext

SLIDE 13

Encryption: A and B want to communicate

Because message was sent in plaintext B can read it

SLIDE 14

Encryption: A and B want to communicate

Because the message was sent in plaintext anyone can read it, including unknown party C

SLIDE 15

Encryption: A and B want to communicate privately

A has a message to send to B

SLIDE 16

Encryption: A and B want to communicate privately

A encrypts the message with a secret key and sends the encrypted message to B

SLIDE 17

Encryption: A and B want to communicate privately

B cannot read the encrypted message

SLIDE 18

Encryption: A and B want to communicate privately

B decrypts the message with the (shared) secret key
B can now read the message

SLIDE 19

Encryption: A and B want to communicate privately

C cannot read the message without the secret key

SLIDE 20

Encryption: A and B want to communicate privately

QUESTION: How can we distribute the shared key securely?

SLIDE 21

Encryption: A and B want to communicate privately

What if different keys were used to encrypt and decrypt?

SLIDE 22

Encryption: A and B want to communicate privately

In public key encryption each party has a public key and a private key

SLIDE 23

Encryption: A and B want to communicate privately

B sends a message to A, encrypting it with A's public key
A decrypts the message with their private key

[Figure labels: A's private key, A's public key]

SLIDE 24

Encryption: A and B want to communicate privately

A sends a message to B, encrypting it with B's public key
B decrypts the message with their private key

[Figure labels: B's public key, B's private key]

SLIDE 25

Encryption: Pairwise private communication

Public keys are available to anyone
Private keys are known only to their owners
Each Si can message R privately

[Figure: senders S0, S1, …, SN and receiver R]

SLIDE 26

Road map

Week overview
Encryption
▶︎ Hashing ◀

SLIDE 27

Hashing

Hashing data is akin to fingerprinting. You are not your fingerprint, but your fingerprint uniquely identifies you.

SLIDE 28

Hashing: communicating without revealing

We shouldn't send the password in the clear…

SLIDE 29

Hashing: communicating without revealing

Ooops, anyone can see the password!

SLIDE 30

Hashing: communicating without revealing

Let's encrypt the password before sending it to prevent eavesdropping.

SLIDE 31

Hashing: communicating without revealing

If B stores the password, what happens if B is hacked? Passwords are revealed!

SLIDE 32

Hashing: communicating without revealing

A hash function is a one-way function: it cannot* be undone.

*probably

SLIDE 33

Hashing: communicating without revealing

A hash function is a one-way function: it cannot be undone.

"The hashing process is like a meat grinder: there is no key, everybody can operate it, but there is no way to get your cow back in full moo-ing state."

https://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

SLIDE 34

Hashing: communicating without revealing

Mincer icon made by Creaticca Creative Agency from www.flaticon.com is licensed by CC 3.0 BY

hash function

password

SLIDE 35

Hashing: communicating without revealing

The password is encrypted during transmission, then hashed by B. The password hash is stored, not the password.

SLIDE 36

Hashing: communicating without revealing

A stolen hash is less useful than a stolen password: it can't be used to directly access the account.

SLIDE 37

Hashing: communicating without revealing

If two users have the same password, they will end up with the same hash.

[Figure: users A and B, each with password abc123]

SLIDE 38

Hashing: communicating without revealing

Adding salt (random data) to each password ensures each will hash to a different value.

[Figure: users A and B, each with password abc123]

SLIDE 39

Encrypt the plain text password in transmission, store salted hash

The password is encrypted during transmission, then hashed by B. The password hash is stored together with its salt.
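
The storage scheme from slides 37-39, as an added example that is not part of the original slides: without salt, users A and B get the same hash for the same password, while a per-user random salt stored beside the hash gives each a different value. The choice of PBKDF2-HMAC-SHA256, the iteration count, and the names `make_record` and `verify` are assumptions; the slides only say "hash function".

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a value from the slides


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """What B stores for one user: a fresh random salt and the salted hash."""
    salt = os.urandom(16)  # new random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    # Constructed sample: users A and B both pick the slides' password "abc123".
    db = {"A": make_record("abc123"), "B": make_record("abc123")}
    return {
        "unsalted_same": unsalted_hash("abc123") == unsalted_hash("abc123"),
        "salted_same": db["A"]["hash"] == db["B"]["hash"],
        "correct_password": verify("abc123", db["A"]),
        "wrong_password": verify("abc124", db["A"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The plaintext password never appears in a stored record; B keeps only the salt, the hash, and the iteration count needed to recompute it at login.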

SLIDE 40

Hashing: Brute Force Attack

Attacker knows your salt and hash

for every string: hash string + salt

If the hash matches your hash, that string was your password

SLIDE 41

Hashing: Brute Force Attack Prevention

As a user: Use strong passwords!
Attacker has too many strings to check

As a developer: Protect your database
Attacker needs stored salt and hash to perform the attack

SLIDE 42

WEDNESDAY

How to encrypt
How to hash

SLIDE 43

FRIDAY

Cookies
Authentication