Uh, what's up, late studiers. Okay, you guys got like 17 hours until the exam, right? And you probably touched the fragment interview here, I'm assuming. Okay, so I'm Gabe, and this is Scott, and we're just undergrad TAs. This slide. How do I go? He's got down. Oh, down. Oh, I have to, with the mouse? No, no, no, you just got to click once. All right, here, just like coming down. Okay, there we go, now it's working. Okay, so, going fast through the disclaimer. We're undergrad TAs. We aren't graders. We aren't the grad TAs. We're not the PhD students. We don't have the answer key. This is our way that we work through this. So in order to make sure that this relationship works, you guys have to understand that. So, like, very unlikely, but it is possible that some of these might be incorrect. If it is, let's talk about it. Yeah.

Okay, so we're gonna go through the first question. So, hash functions are used to encrypt values? What do people think? Any guesses? All right, just throw a guess. Is it false? You say it's false. Good. Yep, that's correct. It's false. Okay, cool. And here's why. So remember, recall that hash functions are only one way. So remember the hash thrown in a blender, the smoothie analogy? So, like, you could throw the fruit in the hash function, it blends it up and outputs the smoothie, and you cannot go back. Let's you're like, damn, it's time soon. And then there's, like, one of my pet peeves, and this is what causes a lot of confusion. Say it with me: hashes are not de-hashed, decrypted, or reversed. So the difference between hash functions and encryption is hashes are one way. Okay, that's, like, the big thing. And I don't know if you guys looked through the practice midterm, but there's a lot of questions on hashes and hash functions. So I'm assuming it's a very important topic he wants you guys to actually understand. Oh, sorry. I don't see how hashes are. So the key is that the keyword is encryption.
Encryption declines or implies that it can be decrypted, which hashes can't. So yeah, so encryption means you can go both ways. So, like, you encrypt the value, there's a key or something that you can make it go backwards with. Anyone have any questions with hashes? Yeah. So you don't break, that's why we say break and not decrypt or de-hash or any of this, because you can't go backwards. So, like, you have to find a collision, like you have to find the original, throw it through the same hash function, find that collision. We're going to talk about that later because that's the last free response question. But for now, let's just move on because I want to be able to get through this and then answer all your questions. Okay.

So second question, man-in-the-middle is a valid common threat that must be considered. Yes. All right. Yeah. This one's pretty easy. Cool. Okay.

This one is a little tricky. So who knows the answer to this one? The UNIX ACL can express all the same security policies as an access control matrix. Oh, wow. Yeah. This is the one that caused a lot of confusion last semester. So this is a recap for anyone who didn't know how you got that. So, like, you have, like, the ACLs and capabilities are instances of the access control matrix. And the big point that, like, is how I would think of this is, like, UNIX is, like, a specific one. And, like, we have to remember that we're trying to think of, like, big abstract ideas that encompass everything. So anyone confused about that? Sounds like you guys are regarded. Cool. All right.

And the Bell-LaPadula model, a subject can read on an object and also another subject. Oh wait, I'm on one. Sorry. This one's just straight up memorizing his slide. I think this is the access control slide 34. I even put it on here.

Authentication describes what you can do to a system. True or false? False. Right. Right. Because authorization is what you can do. And then this is a, I don't know if anyone remembers. Perfect security is achievable. Yep.
Straight up. Common sense.

Salts are added to slow down the hashing process. Oh, cool. I make scary and make reviews. All right, cool. It's actually false, because all a salt is is: you have your plain text password. A salt is, like, some random gibberish that gets tossed into it, and then you go into the hash. So that way the salt gets mixed up with the hash and it just makes it harder to find a collision. So, like, here's a nice diagram of it that I found. So that's all a salt is: you just go with your plain text passwords. Now you got, like, your salt, and then it gets garbled up into some gibberish to get stored. Any questions about salts? Just remember that the salt is added before the hash function. That's a big one too. It's not added after.

Technical components of security are more important than human components. Yeah, cool. I always love this, like, little picture, like, sums up anyone who's ever worked in IT. Like, you got all this cool, like, security policies and mechanisms, but, you know, it takes user error to, like, defeat all of it. Okay.

Security is the most important component in an organization. Oh, and you guys are good. It's false because, I don't know, like, anyone want to discuss this? Yeah, that's, that's when this is, like, the caveat of, like, I could be wrong. Let's talk about it. All right.

An effective security policy must counter every conceivable threat. Right. It just goes back to, like, perfect security is impossible. Okay. So I'm going to skip 11 and 12 because that relates back to hash functions that we're going to talk about in the last free response. So we're going to go straight to 1.13 if you guys have your practice midterms in front of you. So yeah, here it is, true or false: the access control matrix is used to model what subjects have which rights on objects and other subjects. True. True. Everyone says true. Good job. Okay. Yeah. Slide six and seven. You could remember the access control matrix.
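The salt point above, as an added example (not part of the review session or the course material): a per-user random salt is mixed into the input before hashing, so two users with the same password get different stored digests and a precomputed table of unsalted hashes is useless. The example uses only the Python standard library; the password strings and the 200,000 iteration count are constructed values. Note that the slow-down comes from the iteration count of PBKDF2, not from the salt, which is exactly why the "salts slow down hashing" statement is false.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # constructed value; the work factor, independent of the salt


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    The salt is generated fresh per password and is fed into the hash
    together with the password, i.e. it is added BEFORE hashing.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def same_password_same_digest_unsalted(pw: str) -> bool:
    """Two accounts with the same password collide in the unsalted store."""
    return unsalted_hash(pw) == unsalted_hash(pw)


def same_password_same_digest_salted(pw: str) -> bool:
    """With per-user salts the two stored digests differ (except with
    negligible probability of two identical 16-byte random salts)."""
    _, d1 = hash_password(pw)
    _, d2 = hash_password(pw)
    return d1 == d2


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")  # constructed password
    print("salt:", salt.hex())
    print("stored digest:", digest.hex())
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("wrong pw:", verify_password("Tr0ub4dor&3", salt, digest))
```

The store keeps the salt next to the digest in the clear; it is not a secret, it only forces an attacker to attack each user's hash separately.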
Here's your subjects, and here's your subjects. So that's why you have that extra column, because subjects can act on other subjects. And then I even posted the timestamp for when his lecture talks about that, in case you guys want to go over it, for anyone who's confused about that. Good questions. Cool. Okay.

When using DES, ECB mode is more secure than CBC mode. False. Cool. You guys memorized this. So for anyone who doesn't remember what ECB or CBC is, just remember ECB is, like, just the block one, the electronic codebook one. And then he used the example of, like, you're going to encrypt this penguin. But it just turns to, like, this, and you can still actually see it. So that's why it's not very secure. So that's why cipher block chaining is more secure, because essentially you're scrambling, like, the plain text prior to the encryption portion. Good. All right. Awesome. Okay.

Okay. This one's a free response. This one's pretty easy. The big goals of security. CIA. Good. Don't forget your triad. And then I even have examples to help people who still don't understand the concept. So, like, confidentiality: you should not be able to view my grades. Only people with proper, don't worry, as long as we posted, only people with proper access, like Professor Dufay, should be able to actually see my grades. And then integrity: you should not be able to change your grades. So none of the WarGames type stuff. And then availability: you should be able to see your grades on Gradescope and your assignments. Anyone confused? Okay.

Describe the interaction between security policy and security mechanisms. What's up? Right. So security policies are the rules and the mechanisms enforce the rules. And then which one's more important? What did you say? Which one's more important? I'm asking you because he might ask that. Which one's more important? Oh, good. They're both equally as important.
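The access control matrix discussion above (subjects as rows, objects and other subjects as columns; ACLs and capability lists as instances of it; the UNIX question) as an added example that is not part of the session. The matrix, the user names and the rights are constructed. The UNIX check models only the classic owner/group/other permission bits with a single group per file (POSIX extended ACLs are deliberately out of scope), which is the limitation the true/false question is about.

```python
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Set

# Constructed access control matrix: rows are subjects, columns are objects
# AND subjects (a subject can hold rights on another subject, e.g. "signal").
ACM: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"grades.txt": {"read", "write"}, "bob": {"signal"}},
    "bob":   {"grades.txt": {"read"}},
    "carol": {"grades.txt": {"write"}},
    "dave":  {},
}


def acl(target: str) -> Dict[str, Set[str]]:
    """Column of the matrix: the ACL of one object (or subject)."""
    return {s: set(row[target]) for s, row in ACM.items() if target in row}


def capabilities(subject: str) -> Dict[str, Set[str]]:
    """Row of the matrix: the capability list of one subject."""
    return {t: set(r) for t, r in ACM.get(subject, {}).items()}


def allowed(subject: str, right: str, target: str) -> bool:
    """Reference-monitor style check against the matrix."""
    return right in ACM.get(subject, {}).get(target, set())


def unix_expressible(column: Dict[str, Set[str]], owner: str,
                     users: Iterable[str]) -> bool:
    """Can this ACL column be expressed with owner/group/other bits?

    The owner gets its own rights; every member of the one group must share
    one rights set; everyone else must share another. We try every choice of
    group membership among the non-owner users.
    """
    others = [u for u in users if u != owner]
    for k in range(len(others) + 1):
        for group in combinations(others, k):
            rest = [u for u in others if u not in group]
            g_rights: Set[FrozenSet[str]] = {frozenset(column.get(u, set())) for u in group}
            o_rights: Set[FrozenSet[str]] = {frozenset(column.get(u, set())) for u in rest}
            if len(g_rights) <= 1 and len(o_rights) <= 1:
                return True
    return False


if __name__ == "__main__":
    print("ACL of grades.txt:", acl("grades.txt"))
    print("capabilities of alice:", capabilities("alice"))
    print("alice may signal bob:", allowed("alice", "signal", "bob"))
    col = acl("grades.txt")
    print("expressible with owner/group/other for 4 users:",
          unix_expressible(col, "alice", ACM.keys()))
```

With four users holding four distinct rights sets on one file there is no way to split them into owner, one group and "other", so the matrix policy has no UNIX-bits equivalent; drop dave and the same column becomes expressible.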
It goes back to that where, like, you could have all the best security mechanisms you want, but if the user doesn't actually, like, follow the rules, it doesn't really matter, does it? Okay. Thank you.

This one. Can you guys hear me fine? I don't need the mic. Good. Okay. So I'm going to go over this question. So you are the security officer for an organization, and your organization, okay, has two groups of people who have a conflict of interest. They're working with different clients. So basically you want to create an access control policy to completely block off the flow of information between these two groups. I'll use this. Okay. So basically it's just asking what type of access control mechanism do you use? So anyone have any thoughts? Any other ideas? Here's a description of some of them if you forgot. So the big one that you need to get, the big takeaway, I think, of all the access control measures is discretion. So, like, who or what decides, like, access. And that's, like, one of the big things, or, like, the biggest takeaway, is, like, discretion. So that's, like, the three of these. So this question is kind of open-ended. Like you said, mandatory access control, that's a great answer. The thing is, mandatory access control is kind of, you can have these, these are less, like, perfect guidelines where you use one or the other. You can have a mandatory access control with some elements of, like, a role-based access control. So basically, for this question, as long as you justify your answer well enough, it should be fine. But I would like to note that, so he went over discretionary access control and OC, what's that one? You guys remember? Was it? Oh, owner. Yeah. Okay. Yeah. So I just wanted to note that those two wouldn't necessarily be the best choices for this, because your goal is to get them, you want these two groups of people to not be able to override the security policy at all. Okay. Any questions on that one? Sorry. The slides will be posted on the Piazza link.
I just don't want to post it and, like, have no one show up. So anyone have questions on, like, the specific ones? So he's not going to expect you to, like, note, like, the minute details of these. What I would focus on is the big overall idea. So that's why he gave you guys, like, a situation, and then your job is to choose one of these and justify it. So, like, don't try to, like, memorize every minute detail of it. Yeah. DAC is discretionary access control. OCAC is originator controlled, I believe. Yeah. So discretionary is, I believe. What was that? Oh yeah, owner, whatever. Yeah. So the owner access control, that means whoever owns the object, it's up to them who can do what with that object, and discretionary, I believe, is that. So discretionary is owner based, and then the owner is an originator. Oh, sorry. I misunderstood. Yeah. You know more than I do. It's recorded now. Yeah. Gotta delete that. Yeah. So those would just be not the best choices for this particular problem, but for other situations you could easily justify those. That's working. Oh, and then remember, back to my discretion, not to rely on just these slides. So, like, for the exam he might flip it and ask, like, if you want to keep classified material, which one would you use, like, that sort of thing. So you might want to know these two, so. Yeah. Oh, so, like, let's say you want to manage classified information, like you have top secret, secret and unclassified, and you want to manage who gets access to what. Which access control model would you use? So that's what I'm saying, like, don't just rely, like, oh, I'm going to memorize RBAC, ABAC and MAC and then totally forget about DAC and OC.
So, like, that's what I'm saying, like, don't use, like, the practice midterm is great because it tells you what type of question is going to be on there, but don't rely just on this like you would for, like, a Calc 1 exam or something, like, he might flip it and then you guys will be caught flat-footed because you only, like, studied the first three. Just understand how they flip it. Yes. Yeah. Yeah. Think of, like, big, big ideas. Don't try to, like, zoom in. He's not, like, if you didn't know this one on your practice exam. He doesn't actually like minute details. He wants, like, you to understand the big overarching concepts because you don't get a cheat sheet. So any other questions on this one? Yeah. You don't get a cheat sheet. Oh no. He said it many times. You don't get a cheat sheet. There's no cheat sheets. We got in this one. Okay.

So the next question is all you get. So this one's just asking how you would deal with the Caesar cipher given one. Well, I guess it assumes you don't know it is. You have to find that out. So any ideas? How you guys all did the assignment. How would you figure out that it is a Caesar cipher first of all? Yeah. Right. Yeah. Yeah. So it would still appear like English. It would just appear shifted if you were to plot the frequencies. Yeah. Yeah. You could just try. Yeah. If you want. Yeah. You could just try to solve it to see if it is, first of all. Yeah. So then how would you solve it, like that? Yeah. That's pretty much the only way. You can get technical with it, but you don't really need to. So, like he was saying just now, the exam, it's pretty likely you'll have similar questions but not the same. So for instance, they could ask the same question but with a Vigenère cipher or RSA or any of the other ciphers you've learned. Yeah. So we can go over that if you guys have any questions about it. We could go at the end.
Right now I'm just trying to get through all the questions. That way you guys should start thinking about some of this stuff. Oh, cool. So this is, all right, cool. So this one I actually worked a decent amount on because I'm good. Okay. Anyone can hear me in the back, right? Talking long enough. Cool. All right. So this one, I kind of made an awesome visualization of it because I'm a visual learner, and this one tripped me up at first just reading his math notation, which, like, I'm not a math student. I'm a CS student. Right. Okay. So first you got your message M, and then these are the keys you have in your possession. Right. So you have your, like, Alice's public key. So the public key of Alice is P little a. You have your secret key or private key. So you're Bob in this situation. So that's why it's S of B. And then don't worry so much about the right side. I'm just showing you, like, this is how Alice would open it. So first you would use your private key to encrypt the message. So that way that fulfills how Alice will know that it's from you, because you're using your private key to lock up the box. And then next you would use Alice's public key to encrypt that. So now you have, like, two boxes. Right. Anyone still following along on my awesome Adobe After Effects diagram, greedy modeling? Yeah. Okay. So the pink is going to be Alice's possession. So she has her secret key. Right. And her secret key can open up her public key. So that's why you use her public key to encrypt it. So that goes away. And then now this is the important thing here. It's, it's what's P B, public key of Bob, which is you. So you may have to make sure that Alice actually has your public key. That's one of the big things, like, if she doesn't have that key she can't decrypt your secret key box. Right. So then she'll use your key to decrypt it. And then Alice gets your message. Yeah. That's when it does. Maybe I didn't type it, but it might have that. Hold on. This question sticks, right? Well, okay.
But make sure that only Alice could read it. I mean, sure. Okay. So, recap. First you need to share with Alice your public key, because she needs it to decrypt yours later on. You're going to use your private key to encrypt the message. And this is his notation on his PowerPoint slides. So, like, you have your secret key above the message, going to be C. And you're going to use Alice's public key to encrypt that one. So I'm just going to represent it as P A of C, or we're just going to call it C prime for now. And then now only Alice could read your message, because if Eve tries to use the public key of Alice on, like, your C prime, nothing, because only Alice's private key can decrypt it, right? Everyone's still tracking that? And then Eve, if she tries to use your public key, it's not going to work on the outer box because it was encrypted with Alice's public key, right? So that's why it's not going to work. Everyone's, yeah. Yeah. So remember the analogy of, like, the key that only turns right and the key that only turns left. So that's basically what this is. So, like, um, all right, what were you, just moving on? Or skip that so that we could see it. So, like, Alice gets your message and she's happy. So, like, you see how it's, like, secret, public, secret, public. So essentially at the end all those cancel each other out and you get M. So that's why. So, like, if you have an extra P in there and there's no, like, secret key to decrypt that public key, then it's not going to work, and vice versa. So that's why at the end you get SP. Yes. It's not, this is just, like, his notation is not actually in that order. Like, I always thought of it as, like, having two boxes. Yeah. So it's like, you use the secret key on the outer layer and, like, the public key on the outer layer. Well, the big one is, like, you want to use Alice's public key on the outer layer. Yeah. Because no matter what key you throw at it, the only one that could decrypt it is Alice's secret key, which she should have and never, ever share.
Right. So it's like there's only she can access the outside. So yep. So that's why it's secret of A, or S of A, which is secret of A. Anyone confused? So this is, like, a, yeah. Wait, what part? Well, because once you open that outer box, you now have this inner box that you encrypted with your secret key. So what can undo that? Your public key. So that's why it's important to have that outer box, because you need to make sure that only Alice could access that outer box. For all the visual learners, this is why I made this awesome graph. Adobe After Effects. Basically a graphic designer. All right. Anyone still confused? It's, like, a pretty important concept. Yeah. You said it's important that we know that Alice has a public key, but it doesn't say that she does. I would personally write, that's why, like, I put, to reiterate, like, first step, just give her your public key. Like, that's the very first thing, you should just write that. Knock it out. Like, just in case you don't, you don't want to assume, right? Like, it's a free response question. So, like, you want to show that you actually understand this concept. But so yeah, so that's why I'm saying step one, give Alice your public key. It doesn't matter. You could share that public key with anyone. That's why it's the public key. Like, you could take her public key and it still wouldn't work, because only your secret key can undo that outer box. All right. Yeah. I'm pretty sure he'll accept an essay from it. I mean, he's not an asshole. Okay. Like, his goal is to make sure, like, you understand the big concepts. Like, oh, you didn't, you didn't put the proper thing on the outside. Like, anyone else? And everyone understands our PGP keys and keys? Yeah. I wouldn't even know it, but I'll just, you could definitely write it. Like, I would use P, like, I would use S of B to encrypt the message. And, like, he's like, I don't want to, because I'm not a grader.
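The sign-then-encrypt exchange the two boxes represent, as an added example that is not part of the session: textbook (unpadded) RSA with constructed small primes, applying Bob's secret key first (S_B(M) = C) and Alice's public key on the outside (P_A(C) = C'), exactly the "secret, public, secret, public" cancellation described above. Bob's modulus is chosen smaller than Alice's so the inner box fits into the outer one; that constraint, the primes, the exponent 17 and the message are all constructed for the illustration. Real systems use padded RSA and a proper signature scheme rather than raw encryption with the private key; the point here is only the key order.

```python
from math import gcd
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA key pair from two constructed primes: (public, secret)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (e, n), (d, n)


def apply_key(key: Key, x: int) -> int:
    """Apply one key to one block; P and S of the same pair undo each other."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(x, exp, n)


# Constructed toy keys. Bob: n = 61*53 = 3233. Alice: n = 89*97 = 8633 (> 3233).
BOB_PUB, BOB_SEC = make_keypair(61, 53)      # P_B, S_B
ALICE_PUB, ALICE_SEC = make_keypair(89, 97)  # P_A, S_A


def bob_sends(m: int) -> int:
    """Inner box S_B(M) proves it came from Bob; outer box P_A(C) is for Alice only."""
    c = apply_key(BOB_SEC, m)        # C  = S_B(M)
    return apply_key(ALICE_PUB, c)   # C' = P_A(C)


def alice_receives(c_prime: int) -> int:
    """Alice peels the layers in reverse: S_A undoes P_A, then P_B undoes S_B."""
    c = apply_key(ALICE_SEC, c_prime)   # needs Alice's never-shared secret key
    return apply_key(BOB_PUB, c)        # needs Bob's public key, shared in step one


def eve_attempt(c_prime: int) -> int:
    """Eve only holds public keys; P_A does not undo P_A, so she gets junk, not M."""
    return apply_key(ALICE_PUB, c_prime)


if __name__ == "__main__":
    message = 1337  # constructed; must be below Bob's modulus
    boxed = bob_sends(message)
    print("C' sent over the wire:", boxed)
    print("Alice recovers       :", alice_receives(boxed))
    print("Eve with public keys :", eve_attempt(boxed))
```

Step one in the write-up, giving Alice your public key, is visible here as `BOB_PUB` inside `alice_receives`: without it she can open the outer box but not the inner one.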
So I'm not, I don't want to say absolutely you don't have to use notation, but I would just focus on understanding the big idea. And if you show that, I'm pretty sure they're more focused on that you understand, like, public and private key encryption over, oh, you didn't use the proper notation that the S of B takes a function of M or whatever. Anyone else? Okay.

And then so this one asks for three different types of authentication mechanisms. I saw this on Piazza earlier. I couldn't get to it. And I want to list them out, list out three. Okay. So, so this is, like, I always remember, like, what, what, like, three whats and a where. So, like, you got your what, what and where. So, like, what you know, so, like, this picture, you know your password, right? So let's think of two-factor authentication because that's what some of you guys use, hopefully. If not, I hope you do after you take this class. So what you know, you know your password. So that's one. And then everyone has their phone with you. So that's what you possess. And that's how, you know, like, when you get two-factor authentication, it sends you the push, like, that secondary code. So that's what you have. And then the third is what you are. So, like, biometrics, CAPTCHA to make sure you're not a robot. Like, we got to make sure it's a human, right? Like, humans trying to log on. And then where you are, so you can do, like, IP tracking or whatever. You only have to pick three of these. I just put four. I want to set you guys up for success. Yeah. I would definitely write out the mechanism itself and then provide the example to prove you actually know what you're saying. I mean, I guess, like, I don't imagine you're a grader and someone just put CAPTCHA like that. Yeah, it would be what you are, but you would want to say that, like, what you are, an example would be, I'm proving that I'm human by using CAPTCHA. Yeah, like your phone.
So, like, you know how your phone sends you, like, a text message when you try to log into your bank or something. I don't know if your bank makes you do that yet. It's just what you possess. Like, some people have, like, YubiKeys. So that's something you possess. So that's why, like, two-factor authentication, you choose two of these. Like, what you know, everyone knows your password. Like, I mean, everybody individually knows their own password, right? So that's what you know. And then what you possess. Most people have a phone, I hope. Yeah. Yeah, like whitelisting geolocation. Yeah. Yeah, exactly. Yeah, like, you can only use your work computer that's plugged in and locked to this one desk. Anyone else need any clarification? So there's a video about, like, two-factor authentication. I just like the picture. So you don't have to watch the video. I just like the diagram, and it kind of, like, helps you memorize it. You memorize two-factor authentication, you're going to get at least three. That's a D. Okay.

So properties of hash functions. So this is the last one. Cool. So there's actually three. So anyone want to give me the first one? It's actually in one of the questions that were true and false. And you guys have your practice midterms. Perfect. Yeah. And then so what does that mean? Yep, it only goes one way. So given a hash, you should be able to go backwards and get the message. And then I was going to do the second one. The second was a little confusing. So I'm going to get to it. So the second one is also known as weak collision resistance, but I would just memorize the second preimage resistance. So basically, you're given the message and the hash function with it. And then it should be impossible, but you should be able to find another message that's different that has the same thing. So this is primarily used to make sure that people don't manipulate a file and then get away with it.
So, like, so some, like, I don't know if you guys ever noticed, like, when you go on websites and download a certain file, they have, like, a hash with it. You could actually check, like, run your own hash function on that file and make sure the hashes match. And that's what this is supposed to, like, ensure, is, like, let's get that. So it's making sure that, like, I can't make up a BS message that's completely different, throw it into the same MD5 hash and get the same output with it. Because now it's impossible for you to determine that these were the same files. Because, I mean, you would think they're the same files, but they're not. Let's go, you in the back, because you were first. Because you're given both of these. So you're given a message and a hash. You should not be able to make up your own message, throw it into the same hash function that you're given, and have it output the same hash. That's what this is mostly saying. That's all I've memorized. Anyway, you raised your hand, right? Yeah. So there's a video that explains this with the timestamp. It's pretty good. I think it's pretty good. That's where I stole this picture. I don't know. I'm trying to set you guys up for success. If you haven't noticed, you only have to choose two of these. So you can pick the first and third one, because everyone knows collision resistance, like, because that's the only way you break hashes, right? It's you find a collision. Anything else? Okay, cool. All right.

So if you play League of Legends, you know that icon. So you got your final hours. You got 17 and a half or 16 and a half hours before the midterm. We're going to go over, like, any crazy questions. It's only 5:30. So that's why I want to blast through this for everyone who showed up on time. So, questions. All right. Let's actually go back to the midterm. So, like, 1.11 is: a cryptographic hash function should be resistant to preimage attacks. That's true. We just went over why.
And then the output of a cryptographic hash function should be reversible. That's false. And then there's 1.14, which I hope you all get, which is you should build your own cryptography system, cryptosystem. Yeah, good. Okay. So we're going to do questions. It's only 5:30. So we'll be here for an hour. I don't know. Questions?