Writing
Teaching
# week03 ## Houdini, authentication, and fake news ## Come up and ask me questions for 5 mins :) --- ## Stuff to mention - Analysis means doing more than class notes. - Say what you think, then justify it. - If you need to submit late, please tell me early. - We can quickly revisit the SQLI demo if useful. -- ## Criteria check Open the current COMP6841 course page, not the old 2025 link. Look for: - what good analysis looks like - what evidence belongs in the logbook - how late submissions work this term --- ## What was in the lectures? -- ## Core ideas - Measurements and estimations - Entropy - What makes a password hard to guess? - Passwords and authentication - What makes login stronger than "knows one secret"? - Social engineering - Give me an example from real life. -- ## Engineering ideas - Encryption - What are some examples? - Is all encryption useful? - When is encryption solving the wrong problem? -- ## Why this still matters Houdini is not just a spooky history bit. - AI voice clones - deepfake videos - fake screenshots - impersonation scams - "trust me, this message is real" Same problem: > How do we prove who a message came from? --- # Case Study: Houdini --- It is the 1920s and you are the great Houdini. Houdini hated so-called "mediums" taking advantage of grief-stricken people trying to contact loved ones who had died. -- He expected fake mediums would claim to speak for him after his death. They could say: > Houdini told me mediums are real, actually. -- So Houdini and his wife Bess privately worked out a protocol. The goal was to stop fake mediums from passing off made-up messages as messages from Houdini. -- Sadly, Houdini's actual protocol was flawed. Your job: 1. State the most important properties a better protocol should have. 2. Give the protocol. 3. Explain what attacks it resists. 4. Explain what attacks still worry you. -- ## Why is this cyber? This is an authentication problem. Can Bess and the public check that a message really came from Houdini after death? -- ## Careful with CIA The CIA triad is: <table style="font-size: 0.58em; line-height: 1.35;"> <thead> <tr> <th>Letter</th> <th>Standard meaning</th> <th>Houdini relevance</th> </tr> </thead> <tbody> <tr> <td>C</td> <td>Confidentiality</td> <td>Nice to have, but not the main goal.</td> </tr> <tr> <td>I</td> <td>Integrity</td> <td>Helpful, but a tamper-proof essay is not enough.</td> </tr> <tr> <td>A</td> <td>Availability</td> <td>Not the core issue here.</td> </tr> </tbody> </table> Authentication matters most here, even though it is not the A in CIA. --- # What Are We Optimising For? --- ## Before the protocol What properties does a good answer need? Think about: - who can check the result - what the medium could have learned early - whether the test works more than once - what happens after a failed attempt -- ## First instinct check If your protocol works, who can check it? - Bess? - Houdini? - a mathematician? - the general public? -- ## What can go wrong? List three ways a fake medium could attack your protocol. Then list one way a real medium could accidentally or deliberately help a fake. -- ## Assumptions for today - Bess is on Houdini's side. - Houdini will try to communicate in good faith. - Real mediums exist. - Fake mediums exist. - We do not know how many real mediums exist. - Real mediums may leak secrets to fake mediums. -- ## Threat model <table style="font-size: 0.58em; line-height: 1.35;"> <thead> <tr> <th>Actor</th> <th>What do they know?</th> <th>What do they want?</th> <th>What can they do?</th> </tr> </thead> <tbody> <tr> <td>Fake medium</td> <td>?</td> <td>?</td> <td>?</td> </tr> <tr> <td>Real medium</td> <td>?</td> <td>?</td> <td>?</td> </tr> <tr> <td>Bess</td> <td>?</td> <td>?</td> <td>?</td> </tr> <tr> <td>Public</td> <td>?</td> <td>?</td> <td>?</td> </tr> </tbody> </table> --- # Activity --- ## First pass Laptops closed. Use printed notes if you have them. Spend about an hour on the case study: design, attack, revise, then share. In your group: 1. Write the security properties. 2. Design a protocol. 3. Attack your own protocol. 4. Improve it once. -- ## Roles - Facilitator: keep the group moving. - Skeptic: attack every claim. - Scribe: write the protocol and weaknesses. - Speaker: explain the final version. Everyone should speak at least once. --- # Pressure Test --- ## Swap protocols Swap with another group. Your job is to break theirs. Find: 1. One attack by a fake medium. 2. One attack involving a real medium. 3. One thing the public cannot check for themselves. -- ## Login analogy How does UNSW know it is you logging in? - zID - password - MFA code Why does the MFA code change? What is the Houdini version of that? --- # Share --- ## Group share For each protocol: 1. What is the strongest property? 2. What is the weakest property? 3. What attack still worries you? -- ## Class best list Let's combine the best parts. We probably will not get a perfect protocol. That is the point. Good security analysis leaves you with better doubts. -- ## Final question Where do we see this now? - identity verification - deepfakes - screenshots and forged evidence - incident response - public proof after a breach - online scams -- # Fin