 So we gave some examples last week of how we can use hash functions for providing authentication. Now when I say authentication, in fact we're doing two forms of authenticating. We're authenticating the user, checking the data came from the right user, and we're also sometimes authenticating the data. Making sure the data that's received is the same as what was sent, which we also call data integrity. So in fact the techniques we're looking at usually provide user or source authentication as well as data integrity. And we finished mentioning some properties, some properties that we need for the security of hash functions. In fact we'll see later there's a table that shows that depending on where we use hash functions they don't always require all these properties. So there are three main properties for security. The one-way property also called pre-image resistance. Weak collision resistance or second pre-image resistance, that is the first two, it's a bit confusing the names. We'll see that breaking the one-way property and weak collision resistance you use the same techniques, so there's similarities there. We'll see second pre-image resistant and second pre-image resistant. They're very similar. And strong collision resistance or simply called collision resistant is the third property. So let's try and make those three properties clear and understand which ones are hard for the attacker to break to defeat. So if a hash function has these properties what does the attacker need to do to defeat the security of that hash function? Just in summary we said one-way property is that with a hash function if we can calculate the hash of some message it should be difficult to go backwards, the inverse operation and given the hash value it should be difficult to find that message. That's the one-way property. Difficult computationally infeasible. That is with large enough values particularly the hash length it will take too long no matter what compute resources you have. 
The weak collision resistant or second pre-image resistant property is that if we have some message x and we know the hash value of it, the hash of x, it should be hard for an attacker to be able to find some other message y which has the same hash value as the hash of x. So given x the challenge for the attacker is to find another message y which has the same hash value that is h of y equals h of x. Of course we cannot use the same messages. They have to be different messages. So we would say a hash function has this property if it is computationally infeasible for an attacker to do this, to find this other message. And the third property collision resistant or strong collision resistant similar to the previous one it should be difficult for the attacker to be able to choose any pair of messages x and y which have the same hash value. So the attacker they get to choose of any two messages that they like, x and y and it should be hard to find any two messages that produce the same hash value. Whereas in the weak collision resistance that's a different condition and that the condition on the attacker is that given some message x find another message with the same hash value. Which one is easier for the attacker to attack or in other words which one is harder to provide in hash functions the second one is strong collision resistance. And although the mathematics is not the same the concept I will try and explain using a different problem which has similar characteristics which is called the birthday paradox. And you don't need to understand the details or the calculations of this birthday paradox let's spend five or ten minutes explaining it to demonstrate these. Why is one to one mapping not a requirement? What do you mean one to one? One to one. 
So your question is about a one to one mapping. Given a message m, take the hash of that and we get, let's say, lowercase h. What do you want a one to one mapping from? Well, in fact we see we have two different requirements which are somewhat conflicting. First note that our practical requirements are that the input can be variable size and the output is normally fixed and typically small. That is, the length of the hash value is fixed; for a given hash function we always get the same length hash value. But normally we'd like to take any size input. I finished with a demonstration last week showing I can take a hash, calculate the hash of a file. So if the hash is, say, a length of 128 bits and the message is longer, the message length can be larger than 128 bits, then of course we're going to have multiple messages mapped to the one hash value. So we will not have a one to one mapping there, because if the message, for example, is a thousand bits in length, larger than the hash value, then there's two to the power of one thousand possible messages and two to the power of 128 possible hash values, so multiple messages must map to the same hash value. So this says that there'll be a many to one mapping here. But that goes against our properties, or makes it difficult for our properties, because we would like a one to one mapping but we cannot have a one to one mapping. It means that it still must be difficult to find a mapping that goes to the same hash value, to find this collision. So even though there will be collisions, some messages will map to the same hash value, the security of the hash algorithm depends upon how difficult it is to find a collision. In theory there are collisions, but how much effort does it take to find a collision? And that's what these properties are about: they're computationally infeasible. We know it's possible in theory, but it should take a lot of effort, a lot of computation, to find it. And we'll see when we get to the end of here the security doesn't depend upon the
message length; it in fact depends upon the hash length. The longer the hash, the more effort required to find a collision. So we don't have a one to one mapping. We would like one, but in practice we cannot. Now let's try something completely different. Who, how many people do we have here? Not a full class for sure. Of the 20 or so people, so we've got about 20 people in the room, what's the chance that one of you have the same birthday as me? Not the birth year, that's a low chance, but the same date, day and month. Just consider days and months. Well, how would we calculate it? So assuming everyone has an equal distribution or a uniform distribution of birthdays, that ignore twins and so on, so the day that you're born on, it can be from between 1 and 365. There are 365 days to choose from; forget about leap years. So a question is, what's the chance that one of you have the same birthday as me or as another person? Well, how would you calculate that? Well, consider what's the chance, so of the 20 here, if there's, what's the chance of one person having the same birthday as me? Well, let's say my birthday is on the 1st of January (it's not), then the other person, their birthday can be on one of 365 days and the equal chance to be on any of those days. So the chance of them having the same birthday, well, the way to think about it is the chance that they don't have the same birthday. The probability that someone doesn't have the same birthday as the 1st of January is what? So probably they don't have the same birthday; there's 364 days which they won't have the same birthday out of 365. So the probability that someone doesn't have the same birthday as me, or as the 1st of January, is 364 out of 365, and the probability that they do is 1 minus that, which is 1 minus 364 over 365. That's the probability that one person, if choose from just one other person, that we don't; this is the probability that we do have the same birthday, which is 1 over 365. Now there are more than one person in the group; there are 20 of
you, so you can expand that. What's the chance that of two people neither of you have the same birthday as me? Well, similar approach. What is it? It's the chance that one person doesn't have the same birthday and the chance that also the second person doesn't have the same birthday as me, or the same birthday as the other person. Okay, so of three people in the group, me and two others, what's the chance that the first one doesn't have the same birthday as me and then the second one as well? Okay, and now expand it to 20 people. And without wasting time on writing it down, I have an equation; in fact we end up as here. So the chance that one person doesn't have the same birthday as me is 364 over 365, and the chance that a second person is also 364 over 365, so 364 over 365 multiplied by 364 times 365. So with n people the probability that no one has the same birthday as me is 364 over 365 to the power of n, and hence the probability that someone does have the same birthday, they don't, is 1 minus that. So this is: given some birthday x, what's the chance that of a group of n people that one of them has the same birthday as me? Alright, we'll see the significance of this value or this equation shortly. It's described there with a more detailed example. Where's my pointer? So going back, just considering 2 people, quite simple: I've got a birthday on the 1st of January, probability that the other one does not have the same birthday as 364 over 365. If there were 3 people in the group, if I've got a birthday on the 1st of January, the probability that 1 of them doesn't, or person A does not have the same birthday, is 364 over 365, and the probability that B does not have the same birthday as me is also 364 over 365. Hence the probability that neither do A nor B does is multiplication of those two probabilities. And you'd expand that: that's for 2 people, that's 364 over 365 squared, and with n people it's to the power of n, the probability that no one has the same birthday as x, and the probability that therefore
that someone does is 1 minus that. Now a different problem: of the 20 people in the room, what's the chance that 2 people have the same birthday, any 2 people have the same birthday? Do you think it's greater than the previous case? So if n is 20, for example, 20 people, if someone has the same birthday as me, would calculate 1 minus 364 over 365 to the power of 20; we get some number. What if we ask a different question: what's the chance that any 2 people in the room have the same birthday? Do you think the probability will be higher or lower, would not be the same? What's the chance that of this group of 20 people that 2 of us have the same birthday? Is it higher or lower than the previous one? Is the probability higher or lower than this? Let's try, let's vote. Hands up for higher. Hands up for lower. Anyone? Hands up for don't know. Let's see. And the mathematics is harder, but, so we will not try to demonstrate on the board, but let's just see. Let's use the same approach. So now the probability that any 2 people have the same birthday, it's 1 minus the probability that no 2 people have the same birthday. So if you take a pair of people, a pair, a pair, and the chance that they don't have the same birthday, and we do that in all cases, then it's 1 minus that. So now what's the probability that no 2 people have the same birthday? First consider a group of just 2 people. If one of them has a birthday on the 1st January, then the probability that the other person does not have a birthday on that same day is 364 over 365. That's same as before. What if we had 3 people in the group? Well, if one of them has a birthday on the 1st of January, probability that one of the other ones, user A, does not have the same birthday is still 364 over 365, and the probability that B, the third person, does not have the same birthday as the first one or the second one is 363 over 365. That is, I have a birthday on the 1st of January; the first person, the chance that they don't have the same birthday as the 1st of January is 364
over 365; there are 364 other days. And then the third person, the chance that they don't have the same birthday as me and that other person is 363 out of 365, because I have the birthday on the 1st of January, the other person, if they have a birthday on the 2nd of April, then the chance of the third one does not have a matching birthday, there are 363 days left. So for that second person the chance is 363 over 365. And if we expand that group, now that was n equal to 2, n equal to 3; n equal to 4, we'll see the pattern: it's 364 over 365 multiplied by 363 multiplied by 362 and so on. And in general we can expand that out and simplify and it becomes some factorial: 365 factorial over 365 to the power of n times 365 minus n factorial. That's the probability that no two people have the same birthday. So here it's slightly different: the third person cannot have the same birthday as me or the other person, and that's why we got that case of 363 over 365. And then the probability that any two people have the same birthday as 1 minus what we just calculated. Now to make sense of equations, here's a plot where, of those two equations, with different values of n down the bottom. The red line is the first one, given, the way to read this plot is: if there are 20 people in the group, a group of 20 people, n equals 20, then the probability that someone has the same birthday as me is here. What's that? About 0.05, about 5% chance that someone has the same birthday as me. The blue one is the second case, the probability that any two people have the same birthday. So we take the 20 people here; what's the chance that a pair of people have the same birthday? It's getting close to 40% chance. Much higher, that is, the chance that two of you have the same birthday than the chance that someone has the same birthday as me. We've got more degrees of freedom we can choose in that case. So the red one is the first case and the blue line is the second case, and we see that the probability of any two people having the same birthday
is much higher than someone has the same birthday as an existing person. Why are we talking about birthdays? Similar concepts to the weak and strong collision resistance. Remember, weak collision resistance is the chance that the attacker can find another message with the same hash value as a given message. That's like the first case, like the red one here, the probability of doing that, for finding a collision. Here we're finding collisions of birthdays on the same day; with hash attacks, against hash functions, we're trying to find collisions of hash values. The probability of finding a collision, given some message find another hash value, is not the same as, but think about the red line. Whereas strong collision resistance is the attacker can choose any two messages, find a collision; we can have any two people's birthdays, find a collision. The probability of that is much higher. The chance of an attacker finding a collision with weak, or if they're given some message, that is weak collision resistance property, is much lower than the chance that they'll find a collision if they can choose any two messages. So which one is more secure, or it may be easier: which of the two properties, strong or weak collision resistance, is it easier for the attacker to break? Strong collision resistance. There's a higher probability that they'll find a collision, the blue one. Given the same size n, there's a higher chance that they can find a collision if they'll be able to choose from any two messages. So if they say strong collision resistance, it is easier for the attacker to break that, or another way to look at it, it's harder to provide that property. It's harder to make sure that it's impossible, practically impossible, for the attacker to find a collision that satisfies that property. It's easier to provide the weak collision resistance property. The mathematics is not identical but the concepts are the same as the problem, the birthday paradox: it's much higher chance that any two people have the same birthday
than that one person has the same birthday as some given person. So coming back to here: some hash functions may have the weak collision resistance property, that means it's practically impossible for the attacker to find another message with the same hash value, but they may not have the strong collision resistance property. Even though it's practically impossible to find some other message with the same hash of X, it may be practically possible to find any pair of messages. So providing this property in hash functions is harder than providing the weak collision resistant property. If your hash function has the strong collision resistant property, in fact it also has the weak collision resistant property, but some hash functions have weak collision resistance but not strong collision resistance. Any questions before we compare the amount of effort required to break them? So try and distinguish between weak and strong collision resistance. You don't have to understand the mathematics of the birthday paradox; just be able to compare them, understand if you're the attacker which one's easier for you to attack. Let's go to, still on this topic, which properties do we need? Well, it depends on what we use a hash function for. So there are different hash functions available; we mentioned, I think, one or two last week. MD5 is one; SHA, the Secure Hash Algorithm, is another hash function. What properties should a hash function have of those three that we've listed, of these three: pre-image, second pre-image, collision resistance, or one way, weak collision, strong collision resistant? It depends on what you're using the hash function for. Here are some examples, and we'll not go into the details. If you're using a hash and providing some digital signature, trying to confirm that this message came from a user, then it should have all three properties. If you're using hash functions for detecting viruses, so not about encryption but about detecting a virus, then it turns out that usually you just need the second
property, weak collision resistance. A hash function that has this property is sufficient; it doesn't even have to be one way property. You've used or you've seen hash functions in PHP, and you can apply the hash function on a password to store in a database, for example, and we'll cover that in another topic. So when we take a hash of a password, the collision resistance is not such an issue; it's mainly about having the one way property or pre-image resistance. That's the desired property for password storage. So it depends upon what you're looking for as to what properties are needed for security. How do we break hash functions? Well, a brute force attack, and the one way property and weak collision resistance, also called pre-image and second pre-image properties, a brute force attack against them, the basic approach is you try all possible values. You need to find some message that produces some given hash value. So a brute force attack is to try all possible messages: take some message m1, calculate the hash; is it the hash value we're looking for? If not, try the next message m2, calculate the hash, and is it the hash value we're looking for? And keep trying until we get it. So try all possible messages. It turns out that if you try messages randomly, the amount of attempts that you need to find a collision, to find the right hash value, is proportional to the length of the hash value. If we have an m-bit hash code, for example the length of lowercase h here is m bits, then approximately 2 to the power of m attempts are needed until you find a collision or you find the hash value. So going back, that's for both of these properties. A brute force attack, for example, weak collision resistance: what we're doing, we know some hash value, we know the hash of x; we need to find another message y which has the same hash value. So what we do is we choose some random message y, calculate the hash; does it match the hash of x? If not, try another random message, keep trying, and on average you take 2 to the power
of m attempts, where m is the length of the hash value. It's not dependent on the message length; it's dependent upon the hash length. So if our hash length is 128 bits, for example MD5 is a hash function, if it's a 128 bit hash value, then we need 2 to the power of 128 attempts, about equivalent to 128 bit key in terms of the amount of effort needed to break that, that is 100 the same number of attempts. But with the strong collision resistance property it's easier, it's easier for the attacker to find any two messages with the same hash value, and the amount of effort required is approximately equal to 2 to the power of m on 2, half the hash length. In our case, if our example hash length is 128 bits, the amount of effort is 2 to the power of 64, much much less. That is, if we're trying to break the strong collision resistance property and the hash length is 128 bits, a brute force attack would take about 2 to the power of 64 attempts, but if we're trying to break the one way property or the weak collision resistance property, then a brute force attack would take about 2 to the power of 128 attempts, much much longer. So if we want to provide, if we need a hash function for a digital signature, if we want to provide all three properties, that means the hash length must be long enough that the number of attempts cannot be made in reasonable time. And 2 to the power of 64 attempts is nowadays considered not, is considered possible to try. So generally we need larger hash lengths. 2 to the power of 64 is in theory possible to attempt; 2 to the power of 128 is not. So if we had a 256 bit hash value, it would take 2 to the power of 256 attempts on the first two properties and 2 to the power of 128 attempts on the third, strong collision resistance property. That would be considered secure for a brute force attack. Now for a password, storing a password, if we need a hash function, the main property we care about is the one way property. We don't care about strong collision resistance, so having 128
bit hash value is sufficient in that case, because the attack would still take 2 to the power of 128 attempts. We don't care if someone can break the strong collision resistance property; in this case it's not required for security. It depends upon what the hash value is useful, the hash function. It's easier to break, to do a brute force attempt against the strong collision resistance property than against the other 2 properties. That's a brute force attack. There may be other attacks that take advantage of the algorithm design. So brute force can be applied against any hash algorithm, but if you know the hash algorithm and you can find weaknesses in the algorithm, maybe you can provide some other more intelligent attacks. And there are some attacks possible in theory, but they're quite complex, and we're not going to look at individual hash algorithms nor different attacks, but generally they're not much better than a brute force attack. For example, there's an attack on the 128 bit MD5, takes 2 to the power of 60 attempts. Well, that's less than 2 to the power of 64, but not much, so 16 times less is not much, if we don't save much by cutting down. SHA, which has different variations, but we'll mention shortly, is one hash function, and generally the attacks against some variations of the secure hash function SHA are considered infeasible, not possible. So the security of hash functions is mainly measured upon the hash length. Let's finish with just two mentions of two common hash functions which are in use. MD5, the message digest algorithm, developed by one of the guys who developed RSA, Ron Rivest. The hash length is 128 bits. It was, and in fact is, still commonly used; you'll see it in different applications still use MD5, but it's considered weak, the hash length, and there's some attacks that make it possible to find collisions. So it's considered weak and not recommended for use anymore, but you'll still see it in use. You may see it when you download files from websites; for example, you download an
ISO of a Linux operating system, then maybe also the website lists the hash value. Why? When you download the file you want to make sure it's exactly the same as the one that was published by the person who created it, so they also published the hash value. When you download the file you calculate the hash value; if it's the same as the published one then you're quite certain that the received file is the same as the one that they published. If the hash value is different, the MD5 value is different, then maybe the file didn't download correctly and you shouldn't use it. So MD5 is still in use but not recommended. And the replacement algorithm, the one that the US National Institute of Standards and Technology developed with this Secure Hash Algorithm, in fact it has different variants: SHA-0 or SHA-1, SHA-2 and so on. Some of them are listed here, and in fact it's not just SHA-1 but, and it indicates the length of the hash value. SHA-1 had a 160 bit hash value; it's called the message digest size in this table, but the output. MD5 128 bits, SHA-1 160 bits, then there's SHA-224, 256. So you can have different length hash values using the similar algorithm, just different length outputs, and the rest is about the details of the algorithm, which we're not going to cover. SHA-1 is no longer recommended. SHA-2, or the ones that say 256 bit hash values, are recommended and in use, widespread use. The same organization also has been developing the newer version, SHA-3, and in fact they had a competition that ran for 5 or 6 years. People submitted their algorithm, and I think October last year, so 2 or 3 months ago, they selected one algorithm out of 60 or so different algorithms to become the new SHA-3. I don't recall what the hash length is of this new algorithm, but it's, SHA-2 is still considered secure; it's just that they want to plan for the future and they have another one. And there are others, so they're just two common ones, MD5 and SHA, and there are others as well. We're not going to go through how they
work. Brings us to the end of what we're going to cover about cryptographic hash functions. We're going to still talk about authentication in the next topic. Before we move on, everyone's clear about collisions, collision resistance and how to attack them, how secure the different properties are? That's the hardest part that people find in this topic; strong and weak collision resistance confuse people. One way to think about the strong and weak collision resistance: if you have a hash function that provides the weak collision resistance property but not the strong collision resistance property, versus, then maybe we could say that that hash function is weak. Another hash function which provides both weak collision resistance is stronger than the first hash algorithm. So one that provides strong collision resistance versus one that does not, the one that provides strong collision resistance is stronger than the other one. If we can provide the strong collision resistance property we consider that a more secure algorithm, because it's harder to provide that property; it's easier to attack. That's what, now, when we say we provide that property, that property says it's impossible to attack. So if a hash function provides strong collision resistance it means it's impossible for the attacker to break it. So if it's possible for the attacker to break it then that property is not provided. I think last week we showed some quick examples on the screen of calculating hash. Before we move on, any questions? If we say, if a hash function provides that property, if a function has the property of strong collision resistance, that property says it's practically impossible to break that, it's practically impossible to find a collision by selecting any pair of messages. It's, so if a hash function, say we have a hash function, we need to check if it has the property or not, we've got two hash functions, then if it doesn't have the hash, have that property, then it's easier to attack, to break the, to find a pair of
messages that have a collision. But once it has that property, by definition the property says it's impossible to break. If it doesn't have this property, well, let's say a hash function didn't have either of these properties, weak or strong collision resistance. If a hash function did not have either of these properties, you were an attacker, what would you try? You would try just choosing any pairs of messages, because you know that you'll find a collision first. So if you want to find a collision, try and choose any pair of messages; that will find a collision, or more chance of finding a collision, than given some message, choose, find another message that causes a collision. But once, say we have some hash function that this property is true, it holds, that means an attacker will not be able to find a collision; it would take too much effort. Think about those, try and get your head around them. We may come back to them after our break if you have further questions. Confusing, isn't it? Okay, pre-image. Pre-image is the, let's go back to our slide where we say what is the pre-image. The pre-image is the original message; that's just the terminology we use. So the pre-image of H is the message X, the message that produced that hash value. So X is the pre-image of H. H is the hash value, X is the message. Pre-image resistant means that given H it's impossible to find the pre-image. Okay, given a hash value of H, the message X is called the pre-image of H. The property called pre-image resistant, or the one way property, is this property that given H it should be impossible to find its pre-image; it should be impossible to find the message that produced H. That's the pre-image resistant property, or if we think of it in the normal hash functions, the one way property: our hash function should go one way, but going from the hash value back to the message should be impossible. The second property, this weak collision resistance, is about finding collisions; that's why we call it a collision resistant property. If this
property is true, if it holds, then our hash function is resistant against collisions; it's impossible to find collisions. And it's the same with the third property: if this property holds then our hash function is resistant against collisions, it's impossible to find collisions, but certain types; we distinguish between them. In the first one we said given X, impossible to find some other Y that produces the same hash value; it's impossible to find that collision if that property holds. And the second one, given you get to choose any pair of messages, it should be impossible to find a collision if you can choose from any pair of messages. Does that answer your question about pre-image? So pre-image is just meaning the message that produced the hash value. I see people, still brains are working; that's okay. Again, second pre-image resistant is just another name for weak collision resistant, so just two different names for the same property. If a hash function, if we say it has this property of second pre-image resistant or weak collision resistant, it doesn't necessarily mean pre-image resistant. I think if you look in, I don't have it, but there's a picture in the textbook that shows that hash functions do not have to have all of these properties. A hash function, but a hash function that is strong collision resistant is weak collision resistant. A hash function that is weak collision resistant isn't necessarily strong collision resistant, isn't necessarily one-way property. Yes? Yes, if it has strong collision resistance it turns out it also means it's weak collision resistant. Yes? In what cases are strong collision resistant better than weak collision resistant? When, or maybe the question, when do we need strong collision resistance? That may come out here, and it gives us the second column here: second pre-image resistant is weak collision resistant and this is strong collision resistance. So for a digital signature, weak collision resistance is necessary, because it should be hard for the attacker to
find some other hash value which is the same, or it's another message which gives us the hash value which is the same as the sent message. And the note says down here we also like the strong collision resistance property if it's possible for the attacker to choose the original message. Let's go back to the digital signature diagram; look at the top diagram. Remember, with the digital signature, what we do: we take a message, we take the hash of the message, send, encrypt that with the private key of the sender, that is, they're signing it, and send the message and that encrypted hash across the network. And what the receiver does is they check, they verify the signature by taking the message and a hash of that message, same hash function, and decrypting the signed part using the public key of the sender, and if they match they trust the message, they have verified the signature, and if they don't match something's gone wrong. Now what can an attacker do? What the attacker may want to do is, let's see what happens if we have different properties. We have sent the message concatenated with the encryption, using the private key of A, of the hash of that message. That's what's sent across the network; that's in the middle part here. Let's say the attacker intercepts that and they want to modify the message, but they want to get the receiver to think that it's still signed by the original user; they want to fool the receiver. So what if they modify the message? They intercept and then send M prime, M prime, and they don't modify the signature, of the rest. They send M prime and E PR of A hash of M. So all they do is change M, the sent message, to M prime, their own message. What does the receiver do? The receiver takes the hash of the received message, M prime, decrypts this part and they get the hash of M, and they compare it against the hash of M prime. And our weak collision resistance property in our hash function, they should not match, because it should be, if our hash function is weak collision resistance
it should be impossible for the attacker to find another message M prime that produces the same hash value as the hash of M. So if our hash function is weak collision resistant, that means the attacker cannot find another message where the hash of the other message equals the hash of the original message. The attacker has M; their challenge is to find another message M prime which produces the same hash value as M. If they can, this scheme would fail, because if the hash of M prime does equal the hash of M, the receiver would try to verify the signature and everything would be okay. The hash of M prime, they get that here; they decrypt the signature and they get the hash of M; they compare the hash of M prime and the hash of M, and they would be the same if we didn't have the weak collision resistance property.

So that's why we need the weak collision resistance property for our digital signature. If we didn't have it, the attacker could modify the message: the attacker could find a message with the same hash value as the original and simply modify it, not have to modify this part, just modify the message, and the receiver would be fooled into thinking that it was signed by user A. So we do need the weak collision resistance property for digital signatures.

Do we need strong collision resistance? Well, remember weak collision resistance: if we give an M, try and find another M with the same hash value. Strong collision resistance: the attacker gets to choose M and M prime, any two messages. When does that happen? That would happen if somehow the attacker could get the sender to send a message that the attacker chose. If the attacker chose M, and signed it and sent it, then the attacker needs to find some other M, M prime, with the same hash value, which is this attack against the strong collision resistance property. That is, if the attacker can choose the original M and also choose M prime, then that's the challenge of: you get to choose any two messages and try and find a collision, choose two messages which
produce a collision. That's easier for the attacker. So if the attacker can choose this message, then for this to be secure the property of the hash function should be that it is strong collision resistant. If the hash function is not strong collision resistant, and the attacker can choose the original message, and of course they can also find another message with the same hash value, then they will fool the receiver into thinking that the message came from A when it came from someone else.

In some cases the attacker may be able to choose the original message, in some cases they may not. In the slides it's called a chosen message attack: the attacker somehow gets to choose the message that was sent. For example, I'm sending a message to the director about changing grades of students. I choose the message normally and I sign it, so I choose M and I sign it with my private key and send it. Well, if somehow you can get me to send a message of your choosing, so somehow you have a message and I sign it using my private key and send it, then that's a case where you as the attacker got to choose the message. And there are some special cases when that may occur. It's not so common, but in some cases it will occur, where the attacker can control what the sender is sending as the message. So in some cases we need strong collision resistance; in some cases for digital signatures we just need weak collision resistance. We definitely need weak collision resistance.

I think the textbook, and it's a bit more detailed than what we have time to go for, but there's a good example in the textbook of how does a user in practice get someone to generate a message M, and then make it easy for that attacker to find some other message and hence break such a signature scheme. There's an example of how to generate many possible messages, many, 2 to the power of 60 or so, different messages, and it's not so hard in fact, that the attacker, if they can get the user to create a certain
message, they can find another message with the same hash value. It is possible in some conditions.

Okay, any further questions about hash functions? What have we got, in the last 10 minutes, before we start the next topic, which is still on authentication. Let's look at one example of something different. Rather than starting, let's look at an example of some of our algorithms we've mentioned so far in use.

This is a Wireshark capture from secure web access. I'll only show a few packets here, but what I did in this case, I accessed a website using HTTPS. You've used it in a number of cases, when you access a bank or some secure login. In some cases, in fact, when you log into Moodle for the quiz, that login page requires you to use HTTPS. We'll mention that in another lecture, but basically it is using HTTP on top of some secure transport protocol so that the data that you send to the server is encrypted.

Let's scroll down and find some packets. This is when we start. The green ones above, we're using normal HTTP. This is the case using real HTTPS. We set up a TCP connection, SYN, SYN-ACK, and then before we send the request to the web server (so you know with HTTP you send a GET request to the web server, the web server sends a response, yes), before we do that we set up a secure connection between your client, your browser, and the web server, and the protocol for doing that is called TLS, Transport Layer Security.

The client sends a hello message, and inside that hello message is many details, but one of them that we see, the client informs the server of the cipher suites it supports. So this is just setting up. What we need to do is, when I connect to the web server, we need to be able to encrypt our traffic, encrypt, sign data, use hash functions. So what algorithms do we use? These hello messages are just for the client and server to inform each other what algorithms they support, and they'll choose one. And the cipher suites here, this is the client saying I support these different combinations, and you don't have to
remember all of them, but TLS is the name of the protocol, and then we see the way to read it. In this selected one, let's go from the back, it's easier. This is the hash algorithm that's going to be used. So when we sign things, when we perform authentication, we need a hash algorithm. What hash algorithm? In this case SHA is the hash algorithm; that's what the client offers to use, SHA. We're going to encrypt data with symmetric key cryptography. When we encrypt our data normally, for sending to the web server and the web server sending back, we use symmetric key cryptography because that's faster than public key cryptography. What algorithm? AES, and CBC is the mode of operation. So that's what the client offers for data encryption.

And then there's two other parts. There's the way to exchange a key, to exchange a secret. Before we can encrypt data, both the client and the server need to know some secret, because to encrypt data with AES we need a secret key. And then there's that secret key, where we can use an algorithm to exchange a secret. In this case there's a variation of the Diffie-Hellman secret key exchange algorithm; it's called elliptic curve cryptography Diffie-Hellman exchange. So we would use Diffie-Hellman, a variation of Diffie-Hellman, to exchange a secret between client and server. To sign any data we would use DSA. DSA is an alternative to RSA for signing information. So as we've seen, we sign with some private key; well, DSA is just a different algorithm than RSA.

So we select an algorithm for exchanging a key, exchanging a secret; for signing and authentication; for data encryption; the mode of operation; and the hash algorithm. So normally we need algorithms for all of them. Signing uses a hash algorithm. Signing can use, here we signed, we used an encryption operation here. What algorithm? In this case we would use DSA. We also used a hash function. What algorithm? And in fact the client supports many different sets of algorithms. RC4 is supported; Camellia is an alternative to
AES; Diffie-Hellman, instead of the elliptic curve Diffie-Hellman, just plain Diffie-Hellman; RSA instead of DSA. So different algorithms are supported by my Firefox browser.

And the server sends back a reply, server hello, and in there it contains, where is it, it contains what it selects. So the client says I support all these algorithms; the server chooses one based on what the server supports and what the client supports. In this case the web server chose this one: SHA is the hash algorithm, AES 256-bit key with signing is the mode of operation and the symmetric key encryption, and in this case it uses RSA, and it uses RSA for the secret key generation and also for the signing. So it uses the same algorithm for both operations.

So that's just an example that in practice, for network communications, we make use of all of these algorithms: symmetric key encryption, public key encryption for signing, for authentication, hash functions, modes of operation. And then there's a few more messages to exchange, then eventually we start sending data, and it's encrypted. You know when you capture HTTP you can see in Wireshark the GET request. If you look in these packets you will not see the GET request, you'll just see random looking characters. So we set up the encryption and then we start encrypting the messages, using AES in this case. We may show another example capture at a later stage and return to the details of the protocol in a different topic.

Let's stop there, and for those that haven't collected their quiz, you can do
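
Added example, not part of the lecture: the substitution of M prime for M against E(PR_A, H(M)) from the digital signature discussion, run once with SHA-256 truncated to 16 bits (so a second pre-image is found quickly) and once with the full 256-bit hash, where the substituted message is rejected. The toy textbook-RSA key, the truncation and the messages are all constructed for this illustration.

```python
import hashlib
from itertools import count

# Constructed toy RSA key built from two Mersenne primes: fine for a demo,
# never for real use (textbook RSA, no padding).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent PR_A


def h(message: bytes, bits: int) -> int:
    """SHA-256 truncated to its first `bits` bits (bits=256 is the full hash)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def sign(message: bytes, bits: int) -> int:
    """E(PR_A, H(M)): 'encrypt' the hash with the sender's private key."""
    return pow(h(message, bits), D, N)


def verify(message: bytes, signature: int, bits: int) -> bool:
    """Receiver: hash the received message, compare with the decrypted signature."""
    return pow(signature, E, N) == h(message, bits)


def second_preimage(original: bytes, bits: int) -> bytes:
    """Search for M' != M with H(M') == H(M); expect about 2**bits attempts."""
    target = h(original, bits)
    for i in count():
        candidate = b"modified message #%d" % i
        if candidate != original and h(candidate, bits) == target:
            return candidate


M = b"original message signed by A"  # constructed sample message

if __name__ == "__main__":
    weak_sig = sign(M, 16)
    m_prime = second_preimage(M, 16)
    print("16-bit hash, M' accepted: ", verify(m_prime, weak_sig, 16))
    print("256-bit hash, M' accepted:", verify(m_prime, sign(M, 256), 256))
```

The search cost doubles with every extra hash bit, which is why the same loop is hopeless against the untruncated 256-bit output.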
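
Added example, not from the lecture or the capture: a parser that reads a TLS 1.2-style cipher suite name the way the walkthrough does, splitting it into key exchange, signing algorithm, symmetric cipher, key size, mode of operation and hash. The suite names are standard IANA names picked to match the combinations mentioned; the exact names in the capture are not on the page.

```python
from typing import NamedTuple, Optional


class CipherSuite(NamedTuple):
    key_exchange: str        # how client and server agree on a secret
    authentication: str      # algorithm used for signing
    cipher: str              # symmetric cipher for the data
    key_bits: Optional[int]  # symmetric key size, if the name states it
    mode: Optional[str]      # mode of operation (None for a stream cipher)
    hash_alg: str            # hash algorithm, the last part of the name


def parse_cipher_suite(name: str) -> CipherSuite:
    """Parse TLS_<KX>[_<AUTH>]_WITH_<CIPHER>[_<BITS>][_<MODE>]_<HASH>."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a KX_AUTH_WITH_... suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kx_auth = left.split("_")
    enc_and_hash = right.split("_")
    if (not 1 <= len(kx_auth) <= 2 or len(enc_and_hash) < 2
            or "" in kx_auth + enc_and_hash):
        raise ValueError(f"unexpected cipher suite layout: {name!r}")
    # A single name before _WITH_ (e.g. RSA) does both jobs.
    key_exchange, authentication = kx_auth[0], kx_auth[-1]
    cipher, *details, hash_alg = enc_and_hash
    sizes = [int(d) for d in details if d.isdigit()]
    modes = [d for d in details if not d.isdigit()]
    return CipherSuite(key_exchange, authentication, cipher,
                       sizes[0] if sizes else None,
                       modes[-1] if modes else None, hash_alg)


# Standard IANA suite names chosen as samples; not read from the capture.
SAMPLES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLES:
        print(suite, "->", parse_cipher_suite(suite))
```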