\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}
\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}
\hfuzz=220pt
% beamer stuff
\renewcommand{\slidecaption}{SEN 04, King's College London}
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
\LARGE Security Engineering (4)\\[-3mm]
\end{tabular}}\bigskip\bigskip\bigskip
\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Office: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also home work is there)\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\includegraphics[scale=0.34]{../pics/trainwreck.jpg}\\
last week: buffer overflow attacks
\end{center}
\begin{itemize}
\item no ``cheating'' needed for format string attacks
\item the main point: no cheating to start with
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Case-In-Point: Android}
\begin{itemize}
\item a list of common Android vulnerabilities
(5 BOAs out of 35 vulnerabilities; all from 2013 and later)
\begin{center}
\url{http://androidvulnerabilities.org/}
\end{center}\bigskip
\item a paper that attempts to measure the security of Android phones
\begin{quote}\small\rm ``We find that on average 87.7\% of Android
devices are exposed to at least one of 11 known critical
vulnerabilities\ldots''
\end{quote}
\begin{center}\small
\makebox[0mm]
{\url{https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf}}
\end{center}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
A student asked:
\begin{bubble}[10cm]\small How do we implement BOAs? On a
webpage login, for example Facebook, we can't do this.
I am sure the script will stop us even before we reach the
server. The
script will not let us enter hexadecimal numbers where email
or username is required and plus it will have a max length,
like 32 characters only. In this case, what can we do, since
the method you showed us wouldn't work?
\end{bubble}\bigskip\bigskip\pause
\begin{itemize}
\item Facebook no
\item printers, routers, cars, IoT etc likely\pause
\item I do not want to teach you hacking, rather defending
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Survey}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
last week: buffer overflow attacks
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Two General Counter\\[-1mm]
Measures against BOAs etc\end{tabular}}
Both try to reduce the attack surface:\bigskip
\begin{itemize}
\item \alert{\bf unikernels} -- the idea is to not have
an operating system at all
\item all functionality of the server is implemented in a
single, stand-alone program
\item all functionality an operating system would normally
provide (network stack, file system) is available through
libraries
\item the best known unikernel is MirageOS using Ocaml
(\url{https://mirage.io})
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm]
Privilege Separation\end{tabular}}
\begin{center}
\begin{tikzpicture}[scale=1]
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}
\begin{itemize}
\item the idea is to make the attack surface smaller and mitigate the
consequences of an attack
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix}
\begin{itemize}
\item access control provided by the OS
\item authenticate principals
\item mediate access to files, ports, processes etc according to
\alert{roles} (user ids)\\
\item privileges are attached to roles (some special roles: root)\bigskip\\
\hspace{8mm}
\begin{bubble}[8cm]
\alert{\bf principle of least privilege:}\\
users and programs should only have as much privilege as they need to
accomplish a task
\end{bubble}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}
\begin{itemize}
\item privileges are specified by file access permissions (``everything is a file'')\medskip
\item there are 9 (plus 2) bits that specify the permissions of a file
\end{itemize}
\begin{center}
${\underbrace{\LARGE\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
\;{\underbrace{\LARGE\texttt{r{}-{}-}}_{\text{user}}}\,
{\underbrace{\LARGE\texttt{r{}w{}-}}_{\text{group}}}\,
{\underbrace{\LARGE\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
\LARGE\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Unix-Style Access Control}
\small
\begin{itemize}
\item
Q: ``I am using Windows. Why should I care?'' \\
A: In Windows you have similar AC:
\begin{center}
\begin{tabular}{l}
administrators group\\
\hspace{5mm}(has complete control over the machine)\\
authenticated users\\
server operators\\
power users\\
network configuration operators
\end{tabular}
\end{center}\medskip
\item Modern versions of Windows have more fine-grained AC than Unix;
they do not have a setuid bit, but have \texttt{runas} (asks for a
password).\pause
\item OS-provided access control can \alert{\bf add} to your security.
(defence in depth)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Weaknesses of Unix AC}
Not just restricted to Unix:
\begin{itemize}
\item if you have too many roles (i.e.~too fine-grained AC), then
hierarchy is too complex\\ \textcolor{gray}{you invite situations
like\ldots let's be root}\bigskip
\item you can still abuse the system\ldots
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}
The idea is to trick a privileged person into doing something on your
behalf:
\begin{itemize}
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
\footnotesize
\begin{minipage}{1.1\textwidth}
\textcolor{gray}{the shell behind the scenes:}\\
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
\textcolor{gray}{this takes time}
\end{minipage}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}
\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes the real passwd file
\end{enumerate}
\only<2>{
\begin{textblock}{11}(2,5)
\begin{bubble}[8cm]
\normalsize To prevent this kind of attack, you need additional
policies (e.g.~do not perform such clean-up operations as root).
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Infamous Security Flaws\\[-1mm]
in Unix\end{tabular}}
\begin{itemize}
\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause
\item for debugging purposes Unix (FreeBSD) provides a ``core dump'', but it was allowed to follow links \ldots\pause
\item \texttt{mkdir foo} is owned by root\medskip
\begin{center}
\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
\end{center}\medskip
it first creates an i-node as root and then changes the ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
\end{itemize}
\only<4->{
\begin{textblock}{1}(3,7)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\begin{minipage}{8cm}
Only failure makes us experts.
--- Theo de Raadt (OpenBSD, OpenSSH)
\end{minipage}};
\end{tikzpicture}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Subtleties}
\begin{itemize}
\item<1-> Can Bob write \pcode{file}?
\item<2-> What if Bob is member of \pcode{staff}?
\end{itemize}\bigskip
\begin{center}
${\underbrace{\Large\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
\;{\underbrace{\Large\texttt{r{}-{}-}}_{\text{user}}}\,
{\underbrace{\Large\texttt{r{}w{}-}}_{\text{group}}}\,
{\underbrace{\Large\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
\Large\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Login Processes}
\begin{itemize}
\item login processes run under UID $=$ \pcode{0}\medskip
\begin{center}
\texttt{ps -axl | grep login}
\end{center}\medskip
\item after login, shells run under UID $=$ user (e.g.~501)\medskip
\begin{center}
\texttt{id cu}
\end{center}\medskip\pause
\item non-root users are not allowed to change the UID --- would break
access control
\item but this is needed, for example, for accessing \texttt{passwd}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Setuid and Setgid}
The solution is that Unix file permissions are 9 + \underline{2 Bits}:
\alert{\textbf{Setuid}} and \alert{\textbf{Setgid}} bits
\begin{itemize}
\item When a file with setuid is executed, the resulting process will
assume the UID of the \underline{owner} of the file.
\item This enables users to create processes as root (or another
user).\bigskip
\item Essential for changing passwords, for example.
\end{itemize}
\begin{center}
\texttt{chmod 4755 foobar\_file}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\small
\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst}
\begin{center}
\begin{tabular}{@{\hspace{-24mm}}ll}
members of group staff: & ping, bob, emma\\
members of group students: & emma\\
\end{tabular}
\end{center}
\begin{center}
\begin{tabular}{@{\hspace{-7mm}}r|c|c|c|c|c@{}}
& manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
ping & & & & &\\\hline
bob & & & & &\\\hline
emma & & & & &\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}
\small
\begin{itemize}
\item Access to objects (files, directories, devices, etc.) is
permitted based on user identity. Each object is owned by a
user. Owners can specify freely (at their discretion) how they want to
share their objects with other users, by specifying which other users
can have which form of access to their objects.\medskip
\item Discretionary access control is implemented on any modern multi-user
OS (Unix, Windows NT, etc.).
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Mandatory Access Control}
\small
\begin{itemize}
\item Access to objects is controlled by a system-wide policy, for
example to prevent certain flows of information. In some forms, the
system maintains security labels for both objects and subjects
(processes, users) based on which access is granted or
denied. Labels can change as the result of an access. Security
policies are enforced without the cooperation of users or
programs.\medskip
\item This is implemented in banking or military operating system
versions (SELinux).\pause
\item A simple example: Air Gap Security. Uses a completely separate network
and computer hardware for different application classes (Bin Laden and Bruce Schneier had
air gaps).\pause
\item What do we want to protect: Secrecy or Integrity?
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Bell-LaPadula Model}
\small
\begin{itemize}
\item Formal policy model for mandatory access control in a military
multi-level security environment. All subjects and objects (processes, users,
terminals, files, windows, connections) are labeled
with a confidentiality level, e.g.
\begin{center}
unclassified < confidential < secret < top secret
\end{center}\medskip
\item The system policy automatically prevents the flow of information
from high-level objects to lower levels. A process that reads top
secret data becomes tagged as top secret by the operating system, as
will be all files into which it writes afterwards.
%Each user has a maximum allowed confidentiality level specified and
%cannot receive data beyond that level. A selected set of trusted
%subjects is allowed to bypass the restrictions, in order to permit
%the declassification of information.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Bell-LaPadula}
\small
\begin{itemize}
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
\bl{$P$}'s security level is at least as high as \bl{$O$}'s.
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
\bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
%\item Meta-Rule: All principals in a system should have a sufficiently high security level
%in order to access an object.
\end{itemize}\bigskip
This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
Bell-LaPadula: \textbf{`no read up'} -- \textbf{`no write down'}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
\begin{bubble}[10cm]
A principal should have as few privileges as possible to access a resource.
\end{bubble}\bigskip\bigskip
\small
\begin{itemize}
\item Bob ($T\!S$) and Alice ($S$) want to communicate
\item[] $\Rightarrow$ Bob should lower his security level
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Biba Policy}
\small
Data Integrity (rather than data secrecy)
\begin{itemize}
\item Biba: \textbf{`no read down'} -- \textbf{`no write up'}
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
\bl{$P$}'s security level is lower than or equal to \bl{$O$}'s.
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
\bl{$O$}'s security level is lower than or equal to \bl{$P$}'s.
\end{itemize}\bigskip\bigskip\pause
E.g.~Firewalls: you can read from inside the firewall, but not from outside\\
Phishing: you can look at an approved PDF, but not one from a random email\\
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Security Levels (2)}
\begin{itemize}
\item Bell-LaPadula preserves data secrecy, but not data
integrity\bigskip\pause
119
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 590
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 591
\item Biba model is for data integrity
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 592
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 593
\begin{itemize}
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 594
\item read: your own level and above
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 595
\item write: your own level and below
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 596
\end{itemize}
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 597
\end{itemize}
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 598
241
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 599
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
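\begin{frame}[c]
\frametitle{Shared Access Control}
% Example of a threshold ("k-of-n") authorisation rule: any one of the
% listed quorums (1 CEO, 2 MDs, 3 Ds) is sufficient to take the action.
% The textblock is absolutely positioned over the picture.

\begin{center}
\includegraphics[scale=0.7]{../pics/pointsplane.jpg}
\end{center}

\begin{textblock}{11}(10.5,10.5)
\small
To take an action you\\[-1mm]
need at least one of:
\begin{itemize}
\item 1 CEO\\[-5mm]
\item 2 MDs, or\\[-5mm]
\item 3 Ds
\end{itemize}
\end{textblock}

\end{frame}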
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
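\begin{frame}[c]
\frametitle{\Large Lessons from Access Control}
% Take-away slide: an over-complex role hierarchy drives users to
% bypass the controls ("let's be root"), and even a well-designed
% access-control system can still be abused.

Not just restricted to Unix:

\begin{itemize}
\item if you have too many roles (i.e.~too fine-grained AC), then
the hierarchy becomes too complex\\
\textcolor{gray}{you invite situations like\ldots{} let's be root}\bigskip

\item you can still abuse the system\ldots
\end{itemize}

\end{frame}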
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
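\begin{frame}[c]
\frametitle{Protocols}
% Motivation for studying protocols: the attacker is assumed to control
% the network entirely (sniff, inject, modify, replay) -- the usual
% Dolev--Yao style attacker model.

\begin{center}
\includegraphics[scale=0.11]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.3025]{../pics/startstop.jpg}
\end{center}

\begin{itemize}
\item Other examples: Wi-Fi, HTTP requests, TCP requests,
card readers, RFID (passports)\ldots\medskip\pause

\item The point is that we cannot control the network: an attacker
can install a packet sniffer, inject packets, modify packets,
replay messages\ldots{}fake pretty much everything.
\end{itemize}

\end{frame}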
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
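\begin{frame}[c]
\frametitle{Keyless Car Transponders}
% Two independent mechanisms (remote central locking vs. the passive
% RFID immobiliser tag) raise the questions of authentication and of
% man-in-the-middle resistance. The two cited papers analyse the Hitag2
% and Megamos Crypto immobiliser transponders.

\begin{center}
\includegraphics[scale=0.1]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.27]{../pics/startstop.jpg}
\end{center}

\begin{itemize}
\item There are two security mechanisms: one remote central
locking system and one passive RFID tag (engine immobiliser).
\item How can I get in? How can thieves be kept out?
How to avoid man-in-the-middle (MITM) attacks?
\end{itemize}\medskip

\footnotesize
\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
\hfill a Vehicle Immobilizer

\end{frame}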
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
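\begin{frame}[c]
\frametitle{HTTPS / GSM}
% Two instances of the same problem: authenticating the remote party
% (is this really Barclays?) and agreeing a secret key, both over
% access points the user does not control.

\begin{center}
\includegraphics[scale=0.25]{../pics/barclays.jpg}
\quad
\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
\end{center}

\begin{itemize}
\item I am sitting at Starbucks. How can I be sure I am really
visiting Barclays? I have no control over the access
point.
\item How can a secret key be established in
order to encrypt my mobile conversation? I have no
control over the access points.
\end{itemize}

\end{frame}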
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
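\begin{frame}[c]
\frametitle{Handshakes}
% Informal view of the TCP three-way handshake (picture + "dialogue");
% overlay 2 adds a bubble with the SYN flood picture, i.e. what happens
% when the third step never arrives.

\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}

\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}

\only<2>{%
\begin{textblock}{3}(11,5)
\begin{bubble}[3.2cm]
SYN flood attacks:\medskip\\
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{bubble}
\end{textblock}}

\end{frame}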
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
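\begin{frame}[t]
\frametitle{Protocols}
% Introduces the "A -> B : message" protocol notation. A listed
% sequence of such lines is one run (session); several runs can be in
% flight at the same time. Overlay 2 reveals the reply line and the
% items that talk about runs.

\mbox{}

\begin{tabular}{l}
{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\
\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
\end{tabular}

\begin{itemize}
\item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
\item<2-> the sequence above indicates one ``protocol run'', or session, which specifies some
order in the communication
\item<2-> there can be several sessions in parallel (think of Wi-Fi routers)
\end{itemize}

\end{frame}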
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
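\begin{frame}[c]
\frametitle{Handshakes}
% Same handshake as on the earlier Handshakes frame, now also written
% in the protocol notation (A = the client/Alice, S = the server).
% The trailing \\ after the last tabular row used to add an empty row.

\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}

\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}

\begin{center}
\begin{tabular}{rl}
\bl{$A \rightarrow S$}: & \bl{SYN}\\
\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
\bl{$A \rightarrow S$}: & \bl{ACK}
\end{tabular}
\end{center}

\end{frame}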
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
241
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 809
\frametitle{\Large Cryptographic Protocol Failures}
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 810
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 811
Ross Anderson and Roger Needham wrote:\bigskip
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 812
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 813
\begin{quote}\rm
406
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 814
A lot of the recorded frauds were the result of this kind of
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 815
blunder, or from management negligence pure and simple.
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 816
\alert{However,
241
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 817
there have been a significant number of cases where the designers
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
+ − 818
protected the right things, used cryptographic algorithms which were
not broken, and yet found that their systems were still successfully
attacked.}
\end{quote}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1-3>[c]
\frametitle{Oyster Cards}
\includegraphics[scale=0.4]{../pics/oysterc.jpg}
\begin{itemize}
\item good example of a bad protocol\\ (security by obscurity: the proprietary CRYPTO1 cipher was kept secret instead of being publicly reviewed, and fell as soon as it was reverse engineered)\bigskip
\item<3-> ``Breaching security on Oyster cards should not
allow unauthorised use for more than a day, as TfL promises to turn
off any cloned cards within 24 hours\ldots'' --- i.e.\ the remaining defence is back-end detection and revocation (limiting the loss), not preventing the clone itself
\end{itemize}
\only<2>{
\begin{textblock}{12}(0.5,0.5)
\begin{bubble}[11cm]\footnotesize
\textbf{Wirelessly Pickpocketing a Mifare Classic Card}\medskip
The Mifare Classic is the most widely used contactless smartcard on the
market. The stream cipher CRYPTO1 used by the Classic has recently been
reverse engineered and serious attacks have been proposed. The most serious
of them retrieves a secret key in under a second. In order to clone a card,
previously proposed attacks require that the adversary either has access to
an eavesdropped communication session or executes a message-by-message
man-in-the-middle attack between the victim and a legitimate
reader. Although this is already disastrous from a cryptographic point of
view, system integrators maintain that these attacks cannot be performed
undetected.\smallskip
This paper proposes four attacks that can be executed by an adversary having
only wireless access to just a card (and not to a legitimate reader). The
most serious of them recovers a secret key in less than a second on ordinary
hardware. Besides the cryptographic weaknesses, we exploit other weaknesses
in the protocol stack. A vulnerability in the computation of parity bits
allows an adversary to establish a side channel. Another vulnerability
regarding nested authentications provides enough plaintext for a speedy
known-plaintext attack.\hfill{}(Garcia, van Rossum, Verdult, Wichers Schreur; IEEE S\&P 2009)
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1->[t]
\frametitle{Another Example}
In an email from Ross Anderson\bigskip\small
\begin{tabular}{l}
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
Sender: cl-security-research-bounces@lists.cam.ac.uk\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Birmingham case\\
Date: Tue, 13 Aug 2013 15:13:17 +0100\\
\end{tabular}
\only<2>{
\begin{textblock}{12}(0.5,0.8)
\begin{bubble}[11cm]
\footnotesize
As you may know, Volkswagen got an injunction against the University of
Birmingham suppressing the publication of the design of a weak cipher
used in the remote key entry systems in its recent-model cars. The paper
is being given today at Usenix, minus the cipher design.\medskip
I've been contacted by Birmingham University's lawyers who seek to prove
that the cipher can be easily obtained anyway. They are looking for a
student who will download the firmware from any newish VW, disassemble
it and look for the cipher. They'd prefer this to be done by a student
rather than by a professor to emphasise how easy it is.\medskip
Volkswagen's argument was that the Birmingham people had reversed a
locksmithing tool produced by a company in Vietnam, and since their key
fob chip is claimed to be tamper-resistant, this must have involved a
corrupt insider at VW or at its supplier Thales. Birmingham's argument
is that this is nonsense as the cipher is easy to get hold of. Their
lawyers feel this argument would come better from an independent
outsider.\medskip
Let me know if you're interested in having a go, and I'll put you in
touch
Ross
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Passwords:
\begin{center}
\bl{$B \rightarrow A: K_{AB}$}
\end{center}\pause\bigskip
Problem: the key itself is sent as the credential, so an eavesdropper learns \bl{$K_{AB}$} from a single run and can replay it; \bl{$A$} cannot confirm the
identity of \bl{$B$} (and \bl{$B$} hands the key to whoever asks, without any check that it is talking to \bl{$A$})
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication?}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Simple Challenge Response (one-way: only \bl{$B$} proves knowledge of \bl{$K_{AB}$} to \bl{$A$}; \bl{$N$} must be a fresh, unpredictable nonce):
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Mutual Challenge Response:
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular}
\end{center}
%\pause
%An attacker \bl{$E$} can launch an impersonation attack by
%intercepting all messages for \bl{$B$} and making \bl{$A$} answer (encrypt) her
%own challenges.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}
\begin{enumerate}
\item I generate a nonce (a fresh random number, used only once) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}
I can infer:
\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I send you my initial
message (provided the nonce is fresh and unpredictable: a reused or guessable nonce lets an old answer be replayed or precomputed)
\item if only you and I know the key, the message must have come from you --- or from me, which is exactly what a reflection attack exploits
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}
The reflection attack (\bl{$E$} opens a second, parallel run --- the grey lines --- and plays \bl{$A$}'s own challenge back at her, so \bl{$A$} computes the answer for him; \bl{$E$} never needs \bl{$K_{AB}$}):
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}\pause
\small Solutions: use a different key per direction (\bl{$K_{AB} \not= K_{BA}$}), or include the responder's identity in the second message, \bl{$\{B, N_A, N_B\}_{K_{AB}}$}, so that an answer \bl{$A$} produced herself names the wrong party and is rejected; a responder should also refuse to answer a challenge equal to one of its own outstanding nonces
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Encryption to the Rescue?}
\begin{itemize}
\item \bl{$A \,\rightarrow\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
\item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
\item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
\end{itemize}\pause
means \bl{$B$} must know which key to try before it can decrypt the first message: you need to send separate plaintext ``Hello'' signals naming the sender (bad), or worse
share a single key between many entities
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocol Attacks}
\begin{itemize}
\item replay attacks (a recorded message is resent later)
\item reflection attacks (a party's own challenge is played back at it)
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks (messages from one run are fed into another, interleaved run)
\item binding attacks (public key protocols: a key is not tied to the identity it is claimed for)
\item changing environment / changing assumptions\bigskip
\item (social engineering attacks)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}
\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob'' --- a statement signed with the CA's own key, so every verifier must already hold the CA's public key (the trust anchor)\bigskip
\item CA must be trusted by everybody who relies on its certificates: a single mis-issued certificate lets an attacker impersonate the named party to all of them
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
explicitly limits liability to \$100.)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}
``Normal'' protocol run (neither public key is authenticated --- each side simply trusts whatever key arrives):\bigskip
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
with its private key
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
with its private key
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}
Attack:
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and forwards his own public key to \bl{$B$} instead
\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and forwards his own public key to \bl{$A$} instead
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key
\item similar for other direction --- neither \bl{$A$} nor \bl{$B$} notices anything, because the public keys were never authenticated (no CA, no prior shared secret)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}
Potential Prevention?
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, sends {\bf half} of the message
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, sends {\bf half} of the message
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
\end{itemize}\pause
%\bl{$C$} would have to invent a totally new message
\alert{Under which circumstances does this protocol prevent
MiM-attacks, or does it?} (Hint: \bl{$C$} has to forward something to \bl{$B$} before it has seen \bl{$A$}'s second half, so the scheme only helps if half a ciphertext is useless on its own and \bl{$C$} cannot plausibly make up a message of its own.)
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Car Transponder (HiTag2)}
\begin{enumerate}
\item \bl{$C$} generates a random number \bl{$N$}
\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
\item \bl{$C \to T$}: \bl{$N, F$}
\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
\item \bl{$T$} checks that \bl{$F = F'$}
\item \bl{$T \to C$}: \bl{$N, G'$}
\item \bl{$C$} checks that \bl{$G = G'$}
\end{enumerate}\pause
\small
This process means that the transponder believes the car knows
the key \bl{$K$}, and the car believes the transponder knows
the key \bl{$K$}. They have authenticated themselves
to each other, or have they? (Note that all the run shows is that both sides can compute \bl{$\{N\}_K$}; whether that amounts to authentication depends on the cipher and on the quality of \bl{$N$}, which is chosen by the car alone --- the transponder contributes no randomness of its own.)
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
A Man-in-the-middle attack in real life:
\begin{itemize}
\item the card only says ``yes'' to the terminal if the PIN it is shown is correct --- so an attacker who does not know the PIN must keep the card from being asked for a PIN at all
\item trick the card into thinking the transaction is verified by signature (so it is never asked to check a PIN)
\item trick the terminal into thinking the transaction was verified by PIN (the man-in-the-middle device answers ``PIN OK'' on the card's behalf); card and terminal now disagree about how the cardholder was verified, but nothing checks that their views agree
\end{itemize}
\begin{minipage}{1.1\textwidth}
\begin{center}
\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}
\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}
\end{center}
\end{minipage}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Problems with EMV}
\begin{itemize}
\item it is a wrapper for many protocols
\item specification by consensus (which resulted in unmanageable complexity)
\item its specification is 700 pages in English plus 2000+ pages for testing; additionally some
further parts are secret
\item other attacks have been found
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols are Difficult}
\begin{itemize}
\item even the systems designed by experts regularly fail\medskip
\item try to make everything explicit (you need to authenticate all data you might rely on --- a terminal that acts on an unauthenticated ``PIN OK'' is relying on data anybody in the middle can forge)\medskip
\item the one who can fix a system should also be liable for the losses\medskip
\item cryptography is often not {\bf the} answer\bigskip\bigskip
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}
{\bf Principle 1:} Every message should say what it means: the interpretation of
a message should not depend on the context.\bigskip\pause
{\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent
to mention the principal's name explicitly in the message (though difficult).\bigskip
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
{\bf Principle 3:} Be clear about why encryption is being
done. Encryption is not cheap, and not asking precisely why it is
being done can lead to redundancy. Encryption is not synonymous with
security.
\begin{center}
Possible Uses of Encryption
\begin{itemize}
\item Preservation of confidentiality: \bl{$\{X\}_K$} --- only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal (only a holder of \bl{$K$} could have produced the message; on its own this says nothing about whether the message is fresh).
\item Guarantee confidentiality and authenticity: binds two parts of a message ---
\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$} (this binding only holds if the encryption scheme actually prevents the two parts from being split off or spliced together, e.g.\ by authenticating the ciphertext; not every mode of operation does).
\end{itemize}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}
{\bf Principle 4:} The protocol designer should know which trust relations his protocol depends on, and why the dependence is necessary. The reasons for particular trust relations being acceptable should be explicit though they will be founded on judgment and policy rather than on logic.\bigskip
Example Certification Authorities: CAs are trusted to certify a key only after proper steps
have been taken to identify the principal that owns it.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: