Content Clarifications

• [1:56 PM] Pre-Master Secret: It is okay for the TLS handshake to fail, as long as the client/server derived a previously-used master key.
• [1:52 PM] Pre-Master Secret: Assume that all addition operations are performed on unsigned, 256-bit integers. The output is taken modulo 2^256.
• [1:46 PM] DKIM, part 6: For Version B of DKIM, assume that the mail server publishes old public keys along with the old private keys.
• [1:44 PM] Indirection, part 3: The stack diagram shown is incorrect. The values 1 and title should should be swapped on the stack.
• [1:13 PM] Assume that _domainkey subdomain directly issues TXT records for {KEY_ID}._domainkey. For example, the _domainkey.1e100.net nameserver directly issues TXT records for 20161025._domainkey.1e100.net.
• [1:08 PM] Pre-Master Secrets: For all parts, assume that the MITM has observed previous handshakes between the client and the server.
• [1:04 PM] Hackerman Visits the Voting Booth, part 3: Assume that the Russian supercomputer is able to brute-force the password in in roughly an hour.
• [12:16 PM] To Believe or Not To Believe: Alice generates a certificate with her private key, not her public key.

Wording Clarifications

• [1:58 PM] To Believe or Not To Believe: All subparts are independent.
• [1:56 PM] Pre-Master Secret: The attacker learns the value of the master key as long as the attacker knows the key derived by the client and the key derived by the server.
• [1:23 PM] CalCentral Security, part 6: “Retrieve the class list” means that the attacker is able to learn the class list.
• [12:59 PM] DKIM, part 5: The DKIM key refers to the private key in the DKIM key pair.
• [12:54 PM] To Believe or Not To Believe: For all parts, Alice is not capable of stealing other people’s private keys.
• [12:44 PM] Malcode, parts 3 & 4: “Cause every copy of the malcode to look different” means that the encrypted copies of the malcode differ in at least 1 byte.
• [12:37 PM] To Believe or Not To Believe: For all parts, you verify any signature you are presented with against the corresponding public key.
• [12:28 PM] Hackerman Visits the Voting Booth, part 5: If there is more than one possible IP address, you only need to provide one in your answer.
• [12:22 PM] CalCentral Security, part 4: The footnote on https://berkeley.edu/ is part of the static HTML page.
• [12:10 PM] To Believe or Not To Believe: k1 and k2 are both secret keys shared between Alice and Bob.
• [11:55 AM] Q2: “below the rip” means “somewhere below the rip,” not necessarily directly below the rip.
• Several questions say something like “which defenses, on their own, would stop this exploit.” This means the answer choices should be considered independently. For example, if you select (A) and (B), you are saying defense (A) alone stops the exploit, and defense (B) alone stops the exploit. You are not saying that (A) and (B) together would stop the exploit.