 All right, let's get started or you dive in Those hopefully everyone saw the piazza message note that I so I decided to Extend the homework one deadline to tomorrow night to give you some extra time since I Don't have the exact numbers, but I do know there were a total of 600 submissions to the system as of Office hours yesterday at 10 a.m. And I just checked and there were 1600 Like since then so roughly a thousand submissions with like if everyone is a smoke test than a real submission That's like 500 submissions, and I'm sure I did not look at the data, but I'm sure they're all clustered around the 10 p.m To 12 p.m window So I guess I did not have enough servers and CPUs running to test all of those so For that so for people that were able to do it beforehand Since you did stuff on time, which is always good if you got a hundred percent you'll get an extra five points on that Everyone else you have two extra days no penalty. Yes Yeah 95 is better Welcome to assignment on Tuesday. I spun up 40 servers So it should be twice as fast or not twice as fast, but twice as much capacity So we should be fine on that and then the other thing I'm going to do that I Realize is I'm going to send out like a sh like a test that sh script that you can run locally To make sure that it can compile and that the input runs correctly the way it should Because a lot of people are having problems with I think it's what it's C plus plus for some reason spins forever When you do end of file when you're using certain reading things, which is not cool So that actually blew up a lot of stuff because then people's Rather than their their submissions taking a few amount of time that took the maximum amount of time Which is I think probably three or four minutes per submission And so that also gummed up the queue and there's all kinds of stuff, but Cool. Any questions on that? Who did it in the craziest language? Well, I don't know like C or C plus plus is not crazy job. It's definitely not crazy Like a language you didn't let's necessarily learn in your classes Yeah But go you didn't go I remember that from off-siders. I Didn't go to go anything else and we do rust Oh Dart What's dark? Okay, is that like a rust type thing that's supposed to replace C but Okay Anybody do any lists like languages PHP yeah, did anybody actually do that? I mean it should be PC ish should be straightforward ish, but Yeah, anyway, maybe I'll do that next year. I'm a bounty for like the most obscure language possible Who that'd be good so I could do it Whatever language you do it in If you get some bonus points depending on how many other people choose that language Which then incentivizes all of you to choose some weird esoteric language and then actually get it to work Anyways, cool All right, so back to Mandatory access control, so what's mandatory access control? mandatory mandatory, what does that mean besides Required who requires it? Yeah, the system and why is it useful? Individualism on the files so that way yeah, so that way individuals don't get to choose who has access to what files, right? So as opposed to what's the other type? What are the other types of kind of access control models? Discretionary access control who controls what access to files and discretionary the owner of the file controls who Gets to access that file. What's the third one we talked about? Originator control, what's the difference there? The originator of what? The object or the data right whatever the so it's kind of separating that concept of Objects which makes considered files is actually who initially created that data So it doesn't matter how many times you copy that data the originator would still be able to control who accesses that Great, okay. Perfect. Now. I have a nice pen so you can get my great handwriting So we talked about so we talked about security levels and we talked about mandatory access control and the concept of having a Hierarchy of levels, so we talked about what was the low level? Unclassified I was above that Classified above that Secret above that top secret. Yeah, perfect. Cool. So then what were the rules that we derived? For reading and writing data here, or let's go with reading first. Yes Reading went down which meant that the subject has to be act have to be So thinking about that does that mean so you if an Subject has secret security clearance and the object has confidential. Can they read it? Yeah If the subject has secret and the object has secret can they read it? It's got some conflicting Usually if it's the same thing I will just continue Yes, yes, why yes? They're the same level right so you should be able to read things at your level So what if the subject is at secret and the object is at top secret? No, we should block that you should not be able to read up so you can only read down Perfect. What about writing? You can only write up so you can only write at your level or higher right, so these are some of the kind of questions that we can talk about is you are a You have secret level clearance. Can you write an unclassified object? Why? Right to ensure that there's no possible way for secret information to leak out As we talked about in a real system There's ways to purposely kind of lower your level to the unclassified level so you can write unclassified data Because otherwise in this organization no information would ever flow out of this organization, right? Down the ranks Cool, but why is this model not? Why is this? To coarse-grained. What's the problem with our current way of thinking about access control with these four levels? Yeah, well, why don't we just add more levels Why don't we add like a kind of secret? Between confidential and secret and then add a like middle secret in between secret and top secret and then add a Super top secret secret Right so go back to how do we define these levels or what was kind of intuition behind defining these levels or Think about it a different way. You are in charge of this system. You have a piece of data What do you classify that data as? What do you use as your criteria? Yeah, based on how harmful it is to the organization if that data gets out Right, and so you can see things like the codes to launch nuclear missiles. Is that a dangerous piece of information to be out? Yes, so you would have that at the top most level But as we talked about you have multiple pieces of information at the top secret level or it Let's say whatever that top level is But if you have access to top secret then you have access to all of that data So it doesn't make sense that just because you're working on a I don't know a super secret The examples kind of Let's say yeah, so the top secret data you have you work Developing cool exploits for the NSA Which is class possibly classified at the top secret level should you also have access to? all of the nuclear codes and all of the other Talked about clearly know that doesn't make sense. So what actually happens So what system did they come up with to deal with this? categories and what a cat like what? Yeah, so we had some examples of like nuclear NATO ace. There's a lot of them You can actually just Google for like security categories And the key example, and this is what somebody brought up in our discussion on Tuesday Is that the key idea is this need to know basis? Do you actually need to know this information or not? so How do we define our policy now because our policy used to be really easy? right read down right up done and How does even thinking about? So let's let's walk through some examples now So let's say that now we have we have top secret we have secret classified Unconfidential or unclassified. So we still have our hierarchy But now we have things like let's say nuclear and NATO So we have them these categories. So let's say we're a subject We're at let's say top secret security clearance What other information do I need to know about a subject? In order to determine what things they can access Yeah, the category they belong to we need the category right so we need not just the level so we use the let's go to notation Right, so we used to use just the level of well the level of this subject Let's go SL is top secret But now we need more information and we can think about this as a set so does it Does it make sense? I mean should a person just have one category access? No, the person could have multiple it could be a number of multiple categories, right? So over here this subject. So this is a terrible curly brace kind of like this So I can have access to NATO and then and then Let's say we have some document some object and this security clearance here is let's say classified and It's nuclear Should I be able to read this object? No, why not or yes, why not or why? Say it again. No, because it's outside a category. Yeah, but I have a higher suit. I'm at the top secret level Right, but I don't need to know about this because I'm not I'm not classified for this category Right, I don't need to know about any of the new to their stuff So even if it's at the classified level, I still can't read it even though my security clearance is higher right So what if I then change now this to NATO? Can I read this object I write to this object? No, why not Right because then I'm essentially again leaking information from top secret down to confidential The L stands for level so this is being security level of some subject s and the security level of some object But notation isn't super critical here So okay, so we said I can I can I can read this document I can't write or I can read this object. I can't write to this object And we said if I if so what if there's an empty set Can I now read to this object? Gonna read this object Why it's not associated with any category, so how do we treat it then? Yeah, just like we did in the previous access right so we can read it can we write to this object Why not right because you only write up and we may be leaking information about this NATO Category to an object that has no category designation. What if I have no category? Can I read this object? Yes, can I write to it? What are the rules for this? Yeah, so what are the rules for reading or writing or there's no categories? Just the same exactly exactly the same as what we just arrived up here, right? so then So then how do we think about okay? So we said well the security clearance is very kind of easy in some sense because we already have that But how do we deal with these ideas of categories? So let's say I have nuclear and NATO So should I be able to read this object that has category of NUC? Why? Yes, so it's a part of my list of categories, but what if this object now is Nuclear and ace Can't read it because it's not Right and this is terms of sets so now think about it in terms of sets So what's the relationship that we're trying to get here? That's Set you Subset so we want a subset relationship, right? So we want we can read objects where The first part matches just like we said that the security clearance is at or below us and that the categories of the object are a subs or a Subset or equivalent to That's like a C. Yeah, the C with the lower bar underneath it. I forget how to pronounce it So we want basically so we have the category We want to say is essentially so read for reading. We basically have the same one. So the key thing to always remember is If our access is secret and this is a top secret document Should we be able to access it even though we have all the categories? No No, because fundamentally we still need to keep this top secret secret this level hierarchy, right? so And this is exactly what we have so and the way to actually express this is very cool. So What we can do is we can construct basically a lattice based around this subset Relationship so at the bottom of this line is we have an empty set because the empty set is a subset of every set Do you agree with that? Right, there's always nothing inside of a set. I guess And at the top so what's the top most element where everything else will be a subset of that element? The set of all categories. Yeah, so that's the top most level and then what we're going to do is we're going to draw a We'll draw an edge in this graph when one set has a subset relationship So we think about the bottom most level we have the second hanging new the second hanging a no the second hanging ace and all and The empty set is all a subset of each of these But are they subsets of each other? No, well, so it's gonna be the next layer Right all the sets containing two elements So first out of second hanging nuclear and NATO so then what are the edges going to be to both nuclear and NATO right because the the object The second hanging nuclear and NATO the second thing nuclear is a subset of that and the second thing NATO is a subset of that And we just keep going And we get the super cool structure and at the very top of this because we just have three elements We will have the second thing nuclear NATO a so we can use so how can we actually use this lattice to answer the question of can This subject read this object The category of the what so The category of the object must be a subset of the subject right so we can look here We can say well, this is the subject Right the subject has nuclear NATO then they can read objects that and the other way to read this graph is Does the empty set is that a subset of nuclear NATO? Yes, so there's a transit of property here, but we're not drawing you don't draw all the edges because that gets insane So then we can easily say so we can say oh look if nuclear NATO or if the object is nuclear and the subject is Nuclear NATO they can read it because it's a subset and you can keep doing this and then But you can say the flip side if the object is nuclear NATO an ace then the person cannot read it and right is just flipped around the opposite way Just as we had it before And this is actually gives rise to one of the most famous models of security. This is the Bell Lepagella model Which we just figured out with Discussing it and it uses this concept on a lattice of dominates. So here we're using subset relationships But thinking exactly what we talked about a nuclear NATO dominate all of these nodes of nuclear NATO and the empty set So you express this more formally you have some security level L and again here now we have category So it's not just the security level L, but the security level is L with the set of categories so one security level dominates the other security level if and only if L prime is less than or equal to L and C prime is a Subset or equal to C and then once we do that with this definition of dominates we can use that to describe exactly so this is Us defining our intuition of what we've just created when we talked about these sets, right? so we talked about we defined it in terms of L prime or less than or equal to and subset relationship So we define an operator to do this which is nicer because then we don't have to put this all over place And so now our security conditions become simple We can say a subject to read oh if it only if s dominates oh and The star property which is the right property that we talked about is s can write to oh if only if the object dominates s So this is the exact same concept. We talked about of read down write up, but now with this idea of Categories in terms of sets and subset relations questions Now would you have this you can do the same thing that we talked about previously? You can then prove that no toxic information can be leaked out in this model Which is a nice property I have if you want to enforce this system Because that's the security property you really care about Yes, except and you said already that there's a way to like Make yourself in order to fuck someone that's in a higher security clearance to like publish information of the lower level Since obviously we wouldn't be able to do anything otherwise Yes, and that's the the key word here is model So Bell and Lopadula are last names of people on the random name. I can go look at this paper I think it's from the 70s, but I don't remember correctly This is actually kicked off the idea of like Even before this people, you know Without heavy mathematical proofs of being able to prove that a model is secure There is like well why even worry about security or think about security so then you can think of well If you you would extend this model to incorporate those elements, but you still at the end of the day have to trust All these things right this is still a system people can leak information and so that doesn't actually There's no technical way to stop it again Probably name it something like the lattice mandatory access control model is probably because it's specifically about mandatory access control and Around this concept of lattices and actually to be honest This is one of the reasons why I like doing this is because this lattice concept comes up a lot in a lot of different types of computer science There is a formal definition, I do not have it off the top of my head I'm not a very mathematically inclined person, but if you it's yes for sure there is a definition and I believe it's around You need some kind of relation, which is similar to a subset of relation And that could actually be any type of thing that you're comparing you can think of like Less than would create a lattice, but it would be just it would just be a long line of things So it's not a really interesting lattice, but you could do All kinds of things this actually comes up in program analysis Where if you want to let's say Try to analyze a program statically to understand what values each of the variables in the program can hold that different program points You model possible string values with this where at the top of the lattice you have a star Which means this variable can hold anything and at the bottom you have null where you know it's null The problem is that lattice becomes infinite and then you get into this problem that you can never actually Finish and so you have to have techniques to kind of deal with that So you do cool things like you knew sub string or Prefix string analysis to determine which is super interesting like if you want to look at we actually did this in a project We want to understand what URLs mobile apps were opening like Android apps And so we did an analysis and you can build basically think of it as this lattice where Prefix string so you actually don't care about the rest of the string because you want to understand is the HTTP They're talking is it HTTPS is it a local file these kind of things so and it's this concept comes up a lot Or far better people to explain it then Please in this Access control model if you have a subject that dominates the object in the subject rewrite the object at their security level Interesting. Okay, good question. So let's think about this so So Okay, so you have a subject dominates an object Right, so so the question is can the subject read the object? Yes, can they create a new object with the exact same security level as the old object and write to it No, but what can they do why why not they actually can in one case It's like the same Yeah, if the equivalence right if you have an object that's at your security level with exactly the same Categories you can read that object and create a new object with that same level in the same categories but if you're reading a an object and You want to create a new object? What are the properties of that new object that must hold? It's at your level or higher exactly so that object dominates your security clearance Right, so this is that idea so you could create you could read a lower level object And then create a new object at your same security level and category and then now that's good and everything's fine Which is kind of that idea of writing up and somebody else could do that with your object. It's fine because The only thing you're bringing up is kind of less sensitive information into more secure Information right you may then have to think well is that old information actually at the proper level? And so you may need to think about that It's a different problem Can the people at a higher security level? Delete objects on a lower security level Okay, that's what do you mean by delete Like like I like erase it like so like so what are the two actions that subjects can do in this model read and write Read and write so what would delete be it would be a right probably would be a right so can a top-secret person overwrite a classified information no No, because They can only write at their level or up And again, this is because what is of the three security properties that we talked about originally What security properties this model trying to enforce? What are the three security properties? confidentiality integrity Availability CIA. Yeah confidentiality integrity availability. What does this model care about? confidentiality confidentiality right the entire goal is so that Information does not leak out of the organization. So it's all about confidentiality. They actually don't care about In this case, they don't care about integrity at all Which means that you could actually have somebody so think about something at the unclassified level Could they overwrite top secret data with this model? Yeah, because they can write to some document and technically delete it but You could think about that would be an easy thing to extend to that reason about That's if you just this is a you know again model means you only do these two things and that's it And other questions burning Questions you've been holding on to the last week that you desperately need answers yet about this class so it just kind of confused me a little bit, so I'm like Like what you said a person like from unclassified Top secret data basically can can write to top secret data is all this model says But I mean we're saying that like right Possibly I think that's one definition you could think of do you even know the name of the file to delete if you think about it in terms of files You could think that delete could be a different operation But then so I guess my question more is like well like If a person from unclassified is writing to top secret, I Just don't see how like that's not possible like information. Can they So let's say you have a top secret document the nuclear codes You're at the unclassified model in this at the unclassified level at this level How do you leak that information? What's the only way you can get those codes? You only have two actions reading and Writing so of those two, which is going to give you the information Reading can you read a top secret document in this model? No, but even if you overwrote them you still Don't know what those original contents were And the question is what are they being used for right if those if your new codes are then used to prime nukes Then you have a clear problem, right and that's more about the provenance of data like where did that data come from? Which is something you could tackle on to the end of who changed this last Yeah, so but if you wrote the nuclear codes as an unclassified individual like if you I don't know for some reason you were Unclassified and you wrote them sure you would have you wouldn't be able to read them any more But you would you know like as a person you would have that information because you wrote them exactly Yes, but the question is does that give you anything, right? Because it all depends on because at any point somebody else could go and overwrite that information But still you don't know you still don't know what that was original because like you think about it whoever Originally created that data. They explicitly tagged it as top secret Yeah, I mean if what if an un for some reason an unclassified person was the originator of the data Or someone of a lower security clearance was the originator of the data So they have the original contents of the nuclear codes So you would like whoever's in charge of that would elevate their security clearance up to top secret or something, right? this is we've heard of that thing of like I Guess it happens in physics or something where you're like where they say like okay imagine a Spherical a spherical cow Right, so it's kind of the same thing of like you're you're you're simplifying reality into this model That definitely doesn't make sense that allows you to do some interesting things with it But yes, this is the problem with all models in general is they definitely do not Capture all these real-world conditions and so part of the interesting thing and I'm sure if you look at this model I'm sure people have proposed all kinds of ways to actually But the problem is by improving this model You still need to prove the security properties that no data can leak and so for every modification you make to make this model more realistic You then have to go and prove that it still has the original properties you wanted and so yes It becomes less useful in some sense because that becomes more difficult Yeah, you're like assume you have humans who can have their own tree will in this system I don't know everything breaks awesome. So okay, so we have two objects or two. Let's say things for now a and b a has top secret and ace B has secret NATO ace so Ken a Has a subject read a document that's top secret and has no categories Ken a and I'm actually not gonna tell you if you're right or wrong. It's just gonna be a fun exercise So Ken a right to a document that is s and ace That's the same categories Yes, but it's not the same level this is what trips you blow the lock one reiterating this drink The problem is the secret there Can they read a top secret document that is NATO and ace? Can I write to a top-secret document that is NATO and ace yes Okay, so I think about the security levels first and they Write to something that's at their level. Yes. Yes. What were the requirements on writing? The objects dominate the subject which means in terms of what for this set That the object set of categories is what compared to the subjects ace and find it and maybe something else Like there's a super set that the objects categories are a super set of Subjects categories. Is that true? Yes. Yes, you can think of this as writing up And the key thing if you want to check yourself is thinking about Does this leak any information? So what knowledge does the subject potentially know here? Yeah, they know everything that is top secret that Has no category and also ace information So if they create a document That is top secret and is tagged with ace and NATO. They're not leaking any information out Because people who can read this document have to have what? What categories Ace and NATO which means they must have ace which means it's totally fine for them to read this document Right. All right can be so be a secret NATO ace can be right to a document that is secret and is NATO Why yes Right so because now because when what's the key information leakage problem here Yes, the ace category can leak into this document, right? Be has access to all of NATO and all of ace which means if they create a document That is only type NATO that means people who only have NATO will get access to ace information. That makes sense Can they read a top secret document that is NATO ace? Yes. Yes. Why yes? No, no they can't Why not? Yes, because of the security levels here, right the sets of the same the categories of the same the levels of the thing Can they read a document that is secret that is ace and nuclear? Levels the same But can't they read anything like below Same category Exactly reading on a need-to-know basis right because if they were able to read this file What do they have access to here nuclear information that they should not have access to because they only have access to NATO and ace Exactly, so this should be blocked Right, if you think about it, it's because these categories on the lattice. Do they dominate each other? No, no, they're next to each other, right? There's no way to compare There's no subset relationship between NATO ace and ace new either is a subset of the other Right, so this person cannot read from this file Can they write to that file except the next one this can they write to this file? Yeah Yes, so they can't because they could leave what information to this file NATO right we don't care about the ace information because this attack is ace But they cannot write to this to this object because they would be leaking NATO information to this object Little trickier than we thought on first flush, maybe Can they write to an unclassified document that has no security? No Lower level. Yeah, the security levels are lower So these are not yet, please Say that again You mean like creating categories that are in themselves security levels I'm sure you could You could make a new level or you could You could create categories at each of the levels so you could have new unclassed new Secret new top secret and use that in some sense And then you'd have to make sure you gave everyone who had top secret access to all the other ones But you could create something similar, but it doesn't just slot right in it kind of gets messy Exactly, you know that everything's not complicated, but yeah, what were the first four again? I don't know you have to go back on the tape later and you then or think about it and talk to your fellow students I know talking to people You do it anonymously on the message board Okay, cool, so we are Interesting Okay, so key thing So there are other types of access control models that are based on things that we did not talk about so what What was kind of for all of these models? What were some of the key notions about subjects that? Affected whether somebody could access an object or not So in the mandatory access control we had basically that we've needed to know the security level of the subject I mean you need to know the categories what about for discretionary Yeah, maybe the relationship of the subject to the object like whether they created it or whether they're part of the group that created it or the owner of it Yeah, exactly for discretionary access control is all about ownership who owns what object and that determines what they can do with it So there's other types of things and they're We started to think about applying these to like even a classroom setting So we I think talked about I don't remember how long ago it's been time is very tricky, but we talked about Like the online the my ASU web page like for this class where you sign up for classes And I get to see a different view or you think about my ASU in general when you go there You see different things than I do. Why is that? Why but what about me gives me access to more things? Is it my name? Yes. Yes, so all atoms get access to more stuff My position what about my position? Yeah, so like my role in the University right is a teacher instructor professor whatever you want to say So I have a different view than you what's your role in the university? Students your students professors, what are the roles are there in the university? graders what else Advising Staff make sure things run administrators Presidents tutors. Yeah, so you may so there's a whole Area of access control that's based on roles and it's actually something that translates very nicely into organizations Right, so in an organization, what kind of roles do you have generally? Like supervisors or managers, what else? Employees like you know, which could be a huge set of employees and then you have a subset of managers You have a subset of like C style like CEO style people And the idea here is that the permissions are not determined by whether you own the file or What but about the user's role so in this way you define access control rules in terms of what roles can do what things? What about like websites? What are some roles on a website? So we talk about that as you want What about like generally admin so an admin on a website? What else a visitor versus like a registered user Yeah, like a guest versus a registered user who has an account Maybe an unpaid account versus a paid account, right? These are all different kinds of roles that actually slot very easily that you could easily think about access control in terms of these Rather than thinking about individual users access, right because you don't really care about if specific well in some cases you So and it's contrast with kind of discretionary access control the user's permission is based on their identity Which user they are and what files they own? Whereas mandatory access control is really based on like clearance like what are you clear to view? Another really interesting thing and this is something that comes up So actually based access control is another different type and area of access control and the idea here is really So what are the There's always a good one. Okay, so What are the rules around Say buying alcohol in a state you must be 21 get to be 21 or older. Do they care what your name is? Do they care where you live? Do they care? Look at my head. Do they care about your Eye color. Yes, your hair color your height your weight Whether you're an organ donor Do they care about what do they care about just age? Just do they even actually care about your age? What do they actually care about? What do they actually care about what's the thing that they're checking are you 21 or older? Do they care if you're 22 or if you're 65? Maybe Some places they let you well without an ID Right, but legally right so the idea behind attribute-based access control is and then the problem is well One problem is when you go to a store you're giving them this card that has not just your age on it Which is the attribute they want to check but it has all these other attributes they want to check And so the idea behind attribute-based access control is kind of saying Hey, what if we split people up instead of just there it's kind of like a more fine-grained role-based access control of Giving people employees different attributes and then being able to check based on those attributes So this would be basically there's some cool way for the state of Arizona to issue you a digital attribute That says you are 21 and over that you could then present to the cashier And it would verify that you actually are 21 or older without even revealing your birthday or where you live Or any of this other information that is on your Or you think of Other attributes would be like are you a student the superlays still do this where they give you free? Street soda if you show a student ID Yeah, or let's say Amazon yeah, you get or get up you get free Free private accounts as long as you have an edu account or Amazon's Right. These are all things that what they're using is usually email-based authentication to see if you have it or not But it would be kind of cool. And this is what attribute-based access control tries to deal with How do you actually create these attributes such that other people can verify them? and So what's really cool is you can make complex Boolean expressions on these attributes You could you could really do complicated things by saying? If you're a member of this group and you're of this age, then you get access to these things So it really allows really fine-grained access control rules that can help people do those kinds of things and so And there's a whole host of kind of other types of access control and and some of the interesting things of If you think about and I was thinking about okay, so what's the cool research topics here What's actually kind of because what you're learning about is the stuff that is kind of current right? But scientists are going out there trying to research and push the bounds here So one key thing is usability So we talked about we talked about a usability in terms of mechanisms and security mechanisms If a mechanism isn't usable then people will either misdeploy it or remove it So how do you if I say hey, I have this awesome access control policy You just need to write a 500 line Python program to implement your policy And then everything will magically work. You think everybody's gonna be able to do that correctly Or even worse I have some complex language that I created that you can write your access control language in and Everything will just work Right. So how do you actually create this in a usable way? How can you create access control that's flexible that actually? Is realistic with the real world and real-world access and access control How expressive is the access control? This is something that we ran into when talking about Unix He said the Unix model only has these 12 bits and man. It doesn't allow us to express things that we want Another thing is federation so Which is essentially two organizations deciding to collaborate so for instance What's it doesn't ASU let any Starbucks employee have like free online courses from ASU that was a partnership that was announced How do they actually determine that they're a valid employee ASU just have a list of all the Starbucks employees Do you think Starbucks wants to give us that? I think you apply through Starbucks corporation Yeah, so but then at some point you need to apply you need to create an ASU account So ASU has to validate with Starbucks that you are an active employee. What happens if you leave after you have that account? They probably updates Or like Starbucks and something must happen right so the idea is here How do you have access control policies that kind of expand multiple organizations? Which is pretty interesting a question's on kind of the frontiers of access control Flexibility would be it's Allowing kind of the access control to more naturally deal with what humans do so for instance You think about me in my office, right? So like I have a key to my office, which should mean in very strict terms. What should that mean? Only I have access to that office, right? But if I lose my keys, am I just like I have to go find them again like what happens? I'm fired. They're just like that office is now no longer usable by anyone Offices that are empty with ghosts in them because nobody everyone lost their keys Yeah, I have to get a new key from the office or I go up to the CS office because somebody has it spare keys for every floor. I can even go to I think Brickyard has The building security they can actually let you into an office But I have to kind of convince them that I am that person So I probably show my ID that has my name and my name's outside my office So they would hopefully let me in based on that But still like something, you know flexibility in that sense because in the computer system for a password You're just locked out Right, and so you have to build in these mechanisms. And so how can you actually support that in a way that is? Flexible while still maintaining the security requirements, okay? We will move on I'm going to No works, okay, cool All right, so now we get to the part that is pretty fun of cryptography So What was part of the problem when we were talking about we Only we had a discussion about we wanted to create a link To a file that we could share with people that anyone with that link could access that file What was some of the things that we? Tried to do or beckons and so we tried to do yeah So we needed this notion of that the path was kind of random enough that nobody could could guess it and So what have you heard about cryptography? So what does cryptography mean to you? Encryption, so what's encryption? Yeah Say again a lot of XORs that is definitely true. Yeah A way of securing information so it's hard to know what it is. What's what's the purpose like why why do we even care? Right, so we talked about kind of these these access control models and we said with this mandatory access control We have the system that kind of enforces access We can have these all these great properties, but really at the end of the day You need to actually share information with people right they need to send information so how can you actually ensure in a Technical way that that data is In some sense safe, so what's the security property here that we care about? Was that Not quite integrity maybe Confidentiality so yeah, so we want to keep so we want to try to keep secret data secret with confidentiality and Have only those people that we want to know be able to know and understand the data So it's helpful to kind of pull the word apart I don't know Greek, but apparently it's derived from the Greek words for hidden secret and writing Which kind of makes sense it used to be this hidden Writing and the whole idea is how do we keep at a high level? It's about how do we keep information secret or hidden? And this is going to be kind of that driving force Behind what we're studying and what we're learning about here So we need to nail down some kind of terminology at the start so Or let's we'll pull back a little bit so our goal here is we want to Communicate some information from one party to another party and we want to keep that information secret When would that be useful? What credit cards yeah, well, you don't want me knowing about your credit card your pin numbers are Yeah, I said sharing a password with somebody so they can access it like a Netflix account Sharing public Wi-Fi, so you're all using the same Wi-Fi you'd want to make sure that everything Everything that you're typing into that web page and all of your web pages. It's not shared with everyone else on that Wi-Fi. Yeah Yeah, so why why would Generals and Yeah, why I mean is it would be useful Yes, very much yes, yes Right, so this is actually I mean a lot of what we'll see where cryptography came from came from military context because You have this problem where you need to communicate information to people about what you're doing or what the attacks were or where to move ships and then That your adversary would love to know that information about where your ships are going to be and what they're going to do and so cryptography was really created in this way of Trying to keep information hidden and secret any other Maybe to comply with legal requirements like for for example, I think you're not supposed to like put student information On an encrypted drive. Yeah, so Student information as part of the FERPA requirements. Why do we now want student information on an encrypted drive? Because if it gets stolen then anyone has access to it Yeah, then if anyone stole my laptop they would get access to all that student information on there if it's encrypted then and Comment they can't break the encryption or the key or whatever then they won't be able to find it. So cryptography actually It actually forms a basis if you think about it, I mean it came from this kind of war and Warfare context from actually a long ways ago, but really kind of has Such practical use nowadays. It's kind of crazy, right? So you think about would you ever trust? banking or doing anything on the internet if you had no way to guarantee that The information you're sending to the bank nobody else can see it or Purchasing things online. We just talked about credit cards and pin numbers Would you purchase anything online if you knew that anyone who is listening on your Wi-Fi could steal that information? I mean some people probably would it actually probably still wouldn't work isn't that part but There'd be a lot of security people screaming about how bad it was There'd be easy tools for criminals to sniff credit card numbers. It would be kind of a madhouse. So So we need to lay down some terminology so we make sure we're all on the same page So what do we mean by encryption? Like Higher level Yeah, so the process basically of turning so we're gonna define some terms so plain text So we usually think in cryptography you have some plain text, which is some message you want to send to the other party You want to encrypt that into ciphertext, which is some hopefully random gibberish That you can give them and if anybody else reads it they can't Get the plain text back. Yeah, or can we also say that? Turn it into something that is Undistinguishable from a random strength. I would I would say that that is the property You want from a lot of encryption algorithms. You could have some crazy encryption algorithms that like spit out English text Like you could map random bits to a I don't know depending on what you're trying to if you wanted to not quite look like random bites You could do things there. So at a high level, I think It can be but you yeah, it's In some sense. Yes, they're related. I don't know that I want to draw a fine distinction between the two But but yeah, you can think of In ways of that and doing that but but yeah the idea is so encryption is you're transforming a message So from so a plain text message into some ciphertext that the meaning is concealed and that's what we'll go with for now We'll get more deeper into the roots here So what would be decryption? The opposite taking some ciphertext and turning it into some plain text We didn't talk about it. I'll get how that happens. We'll go into all of that But this is really good for now. And so this is this whole idea How do you actually do these two steps? Right, how can I even do this such that I have some message in my mind? I transform it into something crazy I give it to one of you and only that person can be cryptid but anyone else that gets it will not be able to Turn it back into that point next Just kind of it's actually crazy that all this stuff works. This is nuts So when we think about so more terminology, so we think about a crypto system So this would be basically a system that describes how to encrypt or decrypt messages So you'd say okay with a yes This is how it works or with this kind of crypto system But all you need to define are those two functions that we talked about which are Encryption and decryption thinking in terms of functions. What's their input? So what does encryption take as an input? plain text and outputs what? Cypher text and what is decryption takes? Cypher text and outputs Cool, it's very good at a high level We'll see that there's other inputs and outputs that are needed in most crypto systems, but those will be crypto systems specific so But at a high level that's the really important thing that could consider there good plain text Cypher text Okay, cool. These are good terms just to know a Cryptographer is somebody who creates new encryption algorithms and new ways and new crypto systems that does super cool stuff people who break crypto systems are called crypt analysts or Maybe crypto analysts so you will be doing some of this at some point analyzing crypto systems and breaking them So If we're able to do this without getting into the details, what are some of the benefits that we can get here? Of what we just talked about in terms of all the CIA Assume we have some crypto system. We can encrypt things about the person if you encrypt things Maybe well, how what would integrity mean in this sense? But how's that integrity? What is integrity concerned with? Yeah Yeah, so in this case it'd be the plain text that I send you you get exactly the same plain text back from that And then what's coming at Jalini in this context that only the intended recipient can actually read it Right so that I have a plain text. I generate Cypher text. I can give this Cypher text to the entire world But only my intended recipient will be able to actually decrypt it So this is and if you think about in terms of what we've been talking about, right? This is kind of a mechanism that you can use to get confidentiality And you can also do cool things. We will use There'll be some crypto things that do integrity so that the person receiving the message can actually verify that It was the same message that you originally sent that the plain texts are the same What about authentication is that important? Yes, what does authentication mean in this context? That you are who you say you are that I am who I say I am but I'm Just messages. Yeah Yes, so the method similar concept but framed in the way of these crypto systems Is that if I receive a message and I think it's from one of you then I actually know that it's from one of you Right, so you think about like for instance, let's say somebody sent me an email saying hey I'd like to change my password on the submission server. My user my Hacker alias is foobar. I go to change foobars But I never authenticate that the person who sent me that message actually was that person And now they know this password and can change it Some other security benefits we didn't talk about that we'll get into I mean that we'll see how it's done. So non-repudiation. What does that mean? What does repudiation mean fancy word? Denying what? Sending the receipt denying that you ever sent the message right repudiation would be like I never sent that message So a non-repudiation mean you can't do that You can't do that. Yes trick question So this would mean You can use cryptography to do something like you can tell your Your banking firm to sell a thousand shares of the stock they go do that but the stock tanks You can't then go and say well, I never sent that message somebody else must have sent that Right, so you think about it in terms of a little bit in terms of authentication of who sent it but verifying that this person actually sent this message in a essentially a cryptographic way which is good Cool. Okay, so we can formally define a crypto system And this is kind of the standard way to define this So we have E and D these are already very easy very discussed them What are they? Encryption and decryption right some functions in crypt some functions of decrypt and Is the set of possible plaintext? Why is why do you care about this? It's too small then you can Yeah, or you think about Has anybody done a very simple basic Encryption scheme when they were younger you're right that's in class Yeah, what did you do? Did you be able to encrypt arbitrary bytes? You send a jpeg to somebody No, what's your encryption scheme work on Text right usually a through z right even just 30, you know the English alphabet And so that's why this is important is thinking about what is the set of possible plaintext. So is it all English characters is it alphanumeric is it arbitrary bytes, which is really what we care about now and you think about Back in like wartime. This is actually what they were they weren't sending arbitrary messages, right? Think about like World War two era. They're sending like messages to each other in Usually not English, but in whatever the language is of that other country So then K is some set of keys as we'll talk about usually you need some kind of keys here You don't just get encryption for free or crypto systems for free And we'll see how those are used and then see is the set of ciphertext. So why is this? Different than M that might be different right you may have you may you can think of so then E Takes in what if we think about this set here. So if you model E is a function What is this function except as input? M probably M star or something like that right the all possible Things that are inside this set M and outputs what see see and then Decryption is the opposite takes in cybertext outputs like that So that's fair to this. This is and so the twist that we haven't yet talked about which we're doing right now is The encryption function will take in some key and Use that to help with some cybertext and where the decryption function will also take in a key So this is so we will actually get into these right now the most famous cipher So has anyone ever accidentally invented a Caesar cipher? Do you know what this is? Yeah substitution so the idea is and I'm a substitution so your key is going to be some Number from well zero would be terrible, but from like 1 to 26. So you adjust every letter forward K number of characters. So if it's one you would move every character forward one to encrypt and This was actually a legitimate cipher. This was used back in the days in the early Roman days As I was talking about Julius Caesar in the year 56 And it says if you had anything confidential to say he wrote it in cipher That is by so changing the order of the letters of the alphabet that not a word could be made out If anyone wishes to decipher these and get their meaning He must substitute the fourth letter of the alphabet namely D for a and so on with the others So this is a text from Was this almost 2,000 years ago or so an encryption algorithm of how to encrypt text When we come back and see each other on Tuesday we will talk about this we'll go through this how to attack it