Instructor: Nadia Heninger (nadiah at cs dot ucsd dot edu)
TA: Miro Haller
Lectures: Monday 2-4:50pm, EBU3B 4140
Grading: 50% class participation; 50% implementations + final project
We have 37 terabytes of Internet-wide TLS 1.3 and 1.2 scan data that has never been examined, with more coming in each week. This class will be a hands-on exploration of some plausible cryptographic implementation problems that can show up in this type of data. You'll read the relevant papers and standards documents, implement the attacks, and run them on real data.
This will be an interactive discussion- and implementation-oriented class. The schedule includes readings for each day. Bring your laptop to class, because we will discuss the ideas and then work on implementing them on real data.
Prerequisites: Grad students should have taken CSE 207B and/or CSE 207A or equivalent; undergraduates should have taken CSE 107 and earned an A or better.
| Date | Topic | Readings | Assignments |
|---|---|---|---|
| 9/29 | Introduction | Lecture Slides | |
| 10/6 | GCDing RSA Keys | Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, by Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman | Warm-up exercise due |
| 10/13 | Scanning and Parsing | ZMap: Fast Internet-Wide Scanning and its Security Applications, by Zakir Durumeric, Eric Wustrow, and J. Alex Halderman; A Search Engine Backed by Internet-Wide Scanning, by Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman; Ten Years of ZMap, by Zakir Durumeric, David Adrian, Phillip Stephens, Eric Wustrow, and J. Alex Halderman | |
| 10/20 | TLS | Ch. 2 and 3 of Bulletproof TLS and PKI, by Ivan Ristic; The Illustrated TLS 1.3 Connection; The Illustrated TLS 1.2 Connection | |
| 10/27 | RSA Signatures with Errors | Factoring RSA Keys With TLS Perfect Forward Secrecy, by Florian Weimer; Open to a Fault: On the Passive Compromise of TLS Keys via Transient Errors, by George Arnold Sullivan, Jackson Sippe, Nadia Heninger, and Eric Wustrow; Passive SSH Key Compromise via Lattices, by Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger | |
| 11/3 | ECDSA Nonce Repeats | Elliptic Curve Cryptography in Practice, by Joppe W. Bos, J. Alex Halderman, Nadia Heninger, Jonathan Moore, Michael Naehrig, and Eric Wustrow | |
| 11/10 | Fancy ECDSA Attacks | Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies, by Joachim Breitner and Nadia Heninger | |
| 11/17 | ECDL Attacks | In Search of CurveSwap: Measuring Elliptic Curve Implementations in the Wild, by Luke Valenta, Nick Sullivan, Antonio Sanso, and Nadia Heninger; A Riddle Wrapped in an Enigma, by Neal Koblitz and Alfred Menezes | |
| 11/24 | ML-KEM | CRYSTALS-Kyber: A CCA-Secure Module-Lattice-Based KEM, by Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, Schwabe, Seiler, and Stehlé; Module-Lattice-Based Key-Encapsulation Mechanism Standard; ML-KEM Post-Quantum Key Agreement for TLS 1.3, by Deirdre Connolly | |
| 12/1 | TBD | | |