CS338 Computer Security
Wednesday, 11 May 2022

+ Questions about the exam

+ Questions about password-cracking

+ Practical issues in brute-forcing passwords
  - The triple loop for Part 2
  - Hash tables & dictionaries
  - O(N) vs. O(1)

    Part 2:

        for w1 in words:                # 300000
            for w2 in words:            # 300000
                pw = w1 + w2
                h = make_hash(pw)
                if h in user_hashes:    # 3000 - if "in" is itself a loop, that is 3 x 3 x 3 x 10^13 ~ 10^14 comparisons
                    print(user_hashes[h], h, pw)    # recovers the user when user_hashes is the dict below

    If user_hashes = ['aksdfjqoweoriuqlkjasdf', 'qeworiuqasndfjnlasdfoh', ...]
    then "if h in user_hashes:" is a linear search, O(N).

    If user_hashes = {'alsdflkjalksdjf': 'jondich', 'qwoerouioiualx,mvnakjhrfd': 'smithabc', ...}
    then "if h in user_hashes:" is a constant-time-ish search, O(1).

  - The crashing precomputation program
  - The habit of order-of-magnitude estimation
    Example: precomputing all the A, B, C passwords (aardvarkbat, catangry)
      How many A, B, C words are there? 54000 ~ 10000
      How many 2-word passwords? 10000^2 = 10^8
      How long are the passwords? about 15 characters
      Memory required: bigger than 5 * 5 * 1.5 * 10^9
  - Digression: grep, regex

+ New assignments (reading & pen-testing)
  - Readings for Friday
    - Be prepped to discuss
      - Who benefits from Section 1201 of the Digital Millennium Copyright Act?
      - Who is harmed?
      - Examples of ways Section 1201 has helped people?
      - Examples of ways Section 1201 has harmed people?
      - Same four questions, but about Section 512.
  - Pen-testing assignment for Monday

===== Another day... =====

+ Back to PKI and certificates: practical details
  - What's really in a certificate?
    - Let's look at one, or two
  - What additional issues (besides tying bob.com to P_B) does PKI need to deal with?
    (Revocation, expiration, CA hierarchy, rogue CAs, signing certificates,
    certificate signing requests, etc.)
  - Setting up a certificate: how Let's Encrypt performs the "due diligence" role of
    the Trusted Third Party, and what that means
  - Compare the previous item with how "forgot my password" systems let you change
    your password. In both situations, what assumptions are being made?
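Returning to the O(N) vs. O(1) point in the password-cracking section above: the following is an added, self-contained example (not the course's Part 2 code or its 300,000-word list) that runs the lecture's two-word loop unchanged against the same set of stolen hashes stored first as a list and then as a dict, so the cost difference of the single line `if h in user_hashes:` can be measured directly. The word list, the user table, and `make_hash()` as unsalted SHA-256 are all constructed here for illustration.

```python
import hashlib
import time

# Constructed toy word list; the course's list had about 300,000 entries.
WORDS = ["aardvark", "angry", "bat", "cat", "dog", "eel", "fox", "goat",
         "hen", "ibis", "jay", "kid", "lark", "mole", "newt", "owl"]


def make_hash(pw):
    """Unsalted SHA-256 hex digest, standing in for the course's make_hash()."""
    return hashlib.sha256(pw.encode()).hexdigest()


def crack_two_word(words, user_hashes):
    """The lecture's loop: try every two-word concatenation and test membership.

    user_hashes may be a list of hash strings (linear-time 'in') or a dict
    mapping hash -> user (constant-time 'in'); the loop body is identical.
    Returns {hash: password} for every hash that was found.
    """
    found = {}
    for w1 in words:
        for w2 in words:
            pw = w1 + w2
            h = make_hash(pw)
            if h in user_hashes:     # the cost of this one line decides the run time
                found[h] = pw
    return found


def build_tables(n_decoys):
    """Constructed 'stolen' table: two crackable users plus n_decoys that are not
    two-dictionary-word passwords. Returned both as a list and as a dict."""
    real = {make_hash("aardvarkbat"): "jondich",
            make_hash("catangry"): "smithabc"}
    decoys = {make_hash("decoy-%d" % i): "user%d" % i for i in range(n_decoys)}
    as_dict = {**real, **decoys}
    as_list = list(as_dict)          # same hashes, but membership is a full scan
    return as_list, as_dict


def time_lookup_styles(n_decoys=3000):
    """Crack against the list, then the dict; return (found, secs_list, secs_dict).

    Both runs must find exactly the same passwords; only the time differs,
    and the gap grows linearly with the number of stolen hashes.
    """
    as_list, as_dict = build_tables(n_decoys)
    t0 = time.perf_counter()
    found_list = crack_two_word(WORDS, as_list)
    t1 = time.perf_counter()
    found_dict = crack_two_word(WORDS, as_dict)
    t2 = time.perf_counter()
    assert found_list == found_dict
    return found_dict, t1 - t0, t2 - t1


if __name__ == "__main__":
    found, secs_list, secs_dict = time_lookup_styles()
    _, as_dict = build_tables(3000)
    for h, pw in found.items():
        print(as_dict[h], h, pw)     # the lecture's print(user, h, pw)
    print("list lookups: %.4fs   dict lookups: %.4fs" % (secs_list, secs_dict))
```

With 16 words there are only 256 candidates, so the list version is merely slower; scale `WORDS` up and the list version's time grows with (candidates x stolen hashes) while the dict version's grows with candidates alone, which is exactly the 10^14 vs. 10^11 gap estimated in the lecture.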