%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Mandatory Access Control}

\small
\begin{itemize}
\item Access to objects is controlled by a system-wide policy, for
example to prevent certain flows of information. In some forms, the
system maintains security labels for both objects and subjects
(processes, users) based on which access is granted or
denied. Labels can change as the result of an access. Security
policies are enforced without the cooperation of users or
programs.\medskip

\item This is implemented in banking or military operating system
versions (SELinux).\pause
\item A simple example: Air Gap Security. Uses a completely separate network
and computer hardware for different application classes (Bin Laden, Bruce Schneier had
airgaps).\pause
\item What do we want to protect: Secrecy or Integrity?
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}

In its most generic form, it is given by an \alert{Access Control
Matrix} of the form

\begin{center}
\begin{tabular}{r|c|c|c}
 & /mail/jane & edit.exe & postfix \\\hline
jane & r, w & r, x & r, x\\\hline
john & $\varnothing$ & r, w, x& r, x\\\hline
postfix & a & $\varnothing$ & r, x\\
\end{tabular}
\end{center}

access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\small

\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst}


\begin{center}
\begin{tabular}{@{\hspace{-24mm}}ll}
members of group staff: & ping, bob, emma\\
members of group students: & emma\\
\end{tabular}
\end{center}

\begin{center}
\begin{tabular}{@{\hspace{-7mm}}r|c|c|c|c|c@{}}
 & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
ping & & & & &\\\hline
bob & & & & &\\\hline
emma & & & & &\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mandatory Access Control}
\small

\begin{itemize}
\item Restrictions to allowed information flows are not decided at the
user's discretion (as with Unix \pcode{chmod}), but instead enforced
by system policies.

\item Mandatory access control mechanisms are aimed in particular at
preventing policy violations by untrusted programs, which typically
have at least the same access privileges as the invoking
user.\medskip\pause

Simple example: Air Gap Security. Uses a completely separate network
and computer hardware for different application classes.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

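The access-control matrix of the exercise frame above, worked out from Unix permission bits and group membership, as an added example that is not part of the slides: the users and the two group memberships are those of the exercise, while the file owners, groups and mode strings are constructed here because the `lst` listing is not on this page.

```python
"""DAC access-control matrix derived from Unix permission bits.
Users (ping, bob, emma) and the groups staff/students are from the
exercise frame; owners, groups and mode strings are constructed."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed `ls -l`-style listing: (mode, owner, group, path).
LISTING: List[Tuple[str, str, str, str]] = [
    ("-rw-r--r--", "ping", "staff",    "manual.txt"),
    ("-rw-rw----", "bob",  "staff",    "report.txt"),
    ("-rwxr-x--x", "ping", "staff",    "microedit"),
    ("-rw-r-----", "emma", "students", "src/code.c"),
    ("-r--rw-r--", "emma", "students", "src/code.h"),
]

# Group membership as given on the exercise frame.
GROUPS: Dict[str, FrozenSet[str]] = {
    "staff": frozenset({"ping", "bob", "emma"}),
    "students": frozenset({"emma"}),
}

Rights = FrozenSet[str]


def parse_mode(mode: str) -> Tuple[Rights, Rights, Rights]:
    """Split a 10-character mode string into (owner, group, other) rights.
    The file-type character is ignored; setuid/setgid/sticky letters
    ('s', 't') still count as execute, which is all a DAC check needs."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    classes = []
    for i in (1, 4, 7):
        rights = set()
        if mode[i] == "r":
            rights.add("r")
        if mode[i + 1] == "w":
            rights.add("w")
        if mode[i + 2] in ("x", "s", "t"):
            rights.add("x")
        classes.append(frozenset(rights))
    return classes[0], classes[1], classes[2]


def rights_for(user: str, mode: str, owner: str, group: str) -> Rights:
    """Unix selects exactly one class for a user: owner, else group, else other.
    An owner who is also a group member gets the owner bits only, even when
    the group bits are more generous (see src/code.h for emma)."""
    owner_bits, group_bits, other_bits = parse_mode(mode)
    if user == owner:
        return owner_bits
    if user in GROUPS.get(group, frozenset()):
        return group_bits
    return other_bits


def access_matrix(users: List[str]) -> Dict[str, Dict[str, str]]:
    """Build {user: {path: 'r,w,x' subset}}, the matrix of the exercise frame."""
    matrix: Dict[str, Dict[str, str]] = {}
    for user in users:
        row: Dict[str, str] = {}
        for mode, owner, group, path in LISTING:
            bits = rights_for(user, mode, owner, group)
            row[path] = ",".join(b for b in "rwx" if b in bits)
        matrix[user] = row
    return matrix


if __name__ == "__main__":
    paths = [entry[3] for entry in LISTING]
    print("user".ljust(6) + "".join(p.ljust(12) for p in paths))
    for user, row in access_matrix(["ping", "bob", "emma"]).items():
        print(user.ljust(6) + "".join((row[p] or "-").ljust(12) for p in paths))
```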
\begin{itemize}
\item if you have too many roles (i.e.~too fine-grained AC), then
the hierarchy is too complex\\
\textcolor{gray}{you invite situations like\ldots let's be root}\bigskip

\item you can still abuse the system\ldots\bigskip\pause

\item
policies (a finite system)\\
computer system (infinite)\medskip\\
Q: Does your policy ensure that a tainted file cannot affect your
core system files?

\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols}

\begin{center}
\includegraphics[scale=0.11]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.3025]{../pics/startstop.jpg}
\end{center}

\begin{itemize}
\item Other examples: Wifi, Http-request, TCP-request,
card readers, RFID (passports)\medskip\pause

\item The point is that we cannot control the network: An attacker
can install a packet sniffer, inject packets, modify packets,
replay messages\ldots{}fake pretty much everything.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Keyless Car Transponders}

\begin{center}
\includegraphics[scale=0.1]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.27]{../pics/startstop.jpg}
\end{center}

\begin{itemize}
\item There are two security mechanisms: one remote central
locking system and one passive RFID tag (engine immobiliser).
\item How can I get in? How can thieves be kept out?
How to avoid MITM attacks?
\end{itemize}\medskip

\footnotesize
\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
\hfill a Vehicle Immobilizer

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{HTTPS / GSM}

\begin{center}
\includegraphics[scale=0.25]{../pics/barclays.jpg}
\quad
\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
\end{center}

\begin{itemize}
\item I am sitting at Starbucks. How can I be sure I am really
visiting Barclays? I have no control over the access
point.
\item How can I make sure that a secret key is established in
order to encrypt my mobile conversation? I have no
control over the access points.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}

\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}

\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}

\only<2>{
\begin{textblock}{3}(11,5)
\begin{bubble}[3.2cm]
SYNflood attacks:\medskip\\
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{bubble}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Protocols}

\mbox{}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}

\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}

\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}

\begin{center}
\begin{tabular}{rl}
\bl{$A \rightarrow S$}: & \bl{SYN}\\
\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
\bl{$A \rightarrow S$}: & \bl{ACK}\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}

Ross Anderson and Roger Needham wrote:\bigskip

\begin{quote}\rm
A lot of the recorded frauds were the result of this kind of
blunder, or from management negligence pure and simple.
\alert{However,
there have been a significant number of cases where the designers
protected the right things, used cryptographic algorithms which were
not broken, and yet found that their systems were still successfully
attacked.}
\end{quote}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}\pause

\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Encryption to the Rescue?}


\begin{itemize}
\item \bl{$A \,\rightarrow\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
\item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
\item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
\end{itemize}\pause

This means you need to send separate ``Hello'' signals (bad), or, worse,
share a single key between many entities.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocol Attacks}

\begin{itemize}
\item replay attacks
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key
\item similar for other direction
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}

Potential Prevention?

\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, sends {\bf half} of the message
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, sends {\bf half} of the message
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
\end{itemize}\pause

%\bl{$C$} would have to invent a totally new message
\alert{Under which circumstances does this protocol prevent
MiM-attacks, or does it?}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Car Transponder (HiTag2)}

\begin{enumerate}
\item \bl{$C$} generates a random number \bl{$N$}
\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
\item \bl{$C \to T$}: \bl{$N, F$}
\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
\item \bl{$T$} checks that \bl{$F = F'$}
\item \bl{$T \to C$}: \bl{$N, G'$}
\item \bl{$C$} checks that \bl{$G = G'$}
\end{enumerate}\pause

\small
This process means that the transponder believes the car knows
the key \bl{$K$}, and the car believes the transponder knows
the key \bl{$K$}. They have authenticated themselves
to each other, or have they?

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
explicitly limits liability to \$100.)
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Binding Attacks}

with public-private keys it is important that the public key is \alert{bound}
to the right owner (verified by a certification authority \bl{$CA$})

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\bigskip

\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Binding Attacks}

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\pause

\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
(which happily decrypts them with its private key)

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Replay Attacks}

Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}:

\begin{center}
\begin{tabular}{r@{\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
\bl{$K_{AB}$} and know that the other principal has the key

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}
\end{tabular}
\end{center}\pause

\bl{$B$} believes it is following the correct protocol,
intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
talks to \bl{$B$} masquerading as \bl{$A$}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Time-Stamps}

The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):

\begin{center}
\begin{tabular}{r@{\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

but nothing is for free: then you need to synchronise time and possibly become a victim of
timing attacks

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
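The replay on the second Replay Attacks frame and the time-stamp fix on the Time-Stamps frame, as an added example that is not part of the slides: a symbolic (Dolev-Yao style) Python model in which a ciphertext can only be opened with the key name it was made under. The names $K_{AS}$, $K_{BS}$, $K_{AB}$, $N_A$, $N_B$, $T_S$ follow the slides; the server's key counter, B's nonce counter, the clock values and the freshness window are this example's own assumptions.

```python
"""Symbolic model of the Schroeder-Needham key exchange from the
Replay Attacks frames and of its time-stamped variant from the
Time-Stamps frame.  Added example; key and nonce names follow the
slides, the clock, the freshness window and the counters are assumed."""
from dataclasses import dataclass
from typing import Any, Optional, Tuple

@dataclass(frozen=True)
class Enc:
    """Dolev-Yao ciphertext: opaque unless you hold the exact key name."""
    key: str
    body: Tuple[Any, ...]

def enc(key: str, *fields: Any) -> Enc:
    return Enc(key, tuple(fields))

def dec(key: str, ct: Enc) -> Tuple[Any, ...]:
    if ct.key != key:
        raise ValueError("decryption with the wrong key")
    return ct.body

class Server:
    """S shares K_AS with A and K_BS with B and mints a fresh K_AB per run."""

    def __init__(self) -> None:
        self.long_term = {"A": "K_AS", "B": "K_BS"}
        self.runs = 0

    def message2(self, a: str, b: str, n_a: Any, t_s: Optional[int]) -> Enc:
        self.runs += 1
        k_ab = f"K_AB_{self.runs}"
        # Ticket for B: {K_AB, A}_K_BS, or {K_AB, A, T_S}_K_BS when stamped.
        ticket = enc(self.long_term[b], k_ab, a) if t_s is None \
            else enc(self.long_term[b], k_ab, a, t_s)
        return enc(self.long_term[a], n_a, b, k_ab, ticket)

class Responder:
    """B: opens the ticket, challenges with N_B, expects {N_B-1}_K_AB back.
    With `window` set, B expects stamped tickets and rejects stale ones."""

    def __init__(self, window: Optional[int] = None) -> None:
        self.window = window
        self.n_b = 1000
        self.pending: Optional[Tuple[str, str, int]] = None

    def message4(self, ticket: Enc, now: int) -> Optional[Enc]:
        fields = dec("K_BS", ticket)
        if self.window is not None:
            k_ab, a, t_s = fields
            if now - t_s > self.window:
                return None            # stale ticket: refuse to start a session
        else:
            k_ab, a = fields           # unstamped ticket: nothing says how old it is
        self.n_b += 1
        self.pending = (k_ab, a, self.n_b)
        return enc(k_ab, self.n_b)

    def message5_ok(self, reply: Enc) -> bool:
        assert self.pending is not None
        k_ab, _a, n_b = self.pending
        (value,) = dec(k_ab, reply)
        return value == n_b - 1

def honest_run(S: Server, B: Responder, now: int, stamped: bool):
    """Messages 1-5 with A honest. Returns (ticket seen on the wire, K_AB, accepted).
    `stamped` must match whether B was built with a window."""
    n_a = ("N_A", now)
    m2 = S.message2("A", "B", n_a, now if stamped else None)   # 1, 2
    got_n_a, b, k_ab, ticket = dec("K_AS", m2)
    assert got_n_a == n_a and b == "B"                          # A's own freshness check
    challenge = B.message4(ticket, now)                         # 3: A -> B : ticket
    if challenge is None:
        return ticket, k_ab, False
    (n_b,) = dec(k_ab, challenge)                               # 4: B -> A : {N_B}_K_AB
    return ticket, k_ab, B.message5_ok(enc(k_ab, n_b - 1))     # 5: A -> B : {N_B-1}_K_AB

def replay_attack(stamped: bool, window: int = 5) -> bool:
    """Intruder I recorded run 1's ticket and later learned its K_AB.
    Returns True if B accepts I(A)'s replay as a new session with A."""
    S, B = Server(), Responder(window if stamped else None)
    old_ticket, old_k_ab, ok = honest_run(S, B, now=0, stamped=stamped)
    assert ok                                   # the legitimate run succeeds either way
    honest_run(S, B, now=100, stamped=stamped)  # A runs again with a new K'_AB
    challenge = B.message4(old_ticket, now=101)  # I(A) -> B : replay of the old ticket
    if challenge is None:
        return False                            # time-stamped B rejects it as stale
    (n_b,) = dec(old_k_ab, challenge)           # I holds the compromised K_AB ...
    return B.message5_ok(enc(old_k_ab, n_b - 1))  # ... so it can answer {N'_B-1}_K_AB
```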

\begin{frame}[c]

A Man-in-the-middle attack in real life:

\begin{itemize}
\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
further parts are secret
\item other attacks have been found
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}}

\begin{itemize}
\item a standard ratified in 1999
\item the protocol was designed by a committee not including cryptographers
\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
\item WEP did not allocate enough bits for the nonce
\item for authenticating packets it used a CRC checksum which can be easily broken
\item the network password was used to directly encrypt packets (instead of a key negotiation protocol)\bigskip
\item encryption was turned off by default
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


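The two WEP items about RC4 needing a unique nonce and about the CRC checksum, as an added example that is not part of the slides: RC4 is implemented inline, the key, the 24-bit IVs and the packet contents are constructed, and the frame layout (IV in clear, then RC4 over payload plus CRC32) follows WEP.

```python
"""Why the WEP items about RC4's nonce and the CRC checksum matter.
Added example, not from the slides: key, IVs and packet contents are
constructed, and RC4 is implemented inline so the block runs offline."""
import zlib
from math import exp
from typing import Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA then PRGA), returning n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in clear, then RC4_{IV||key}(payload || CRC32)."""
    assert len(iv) == 3, "WEP IVs are 24 bits: the 'not enough bits' item above"
    plain = payload + crc32_le(payload)
    return iv + xor(plain, rc4_keystream(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload if the CRC ('ICV') verifies, else None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    return payload if crc32_le(payload) == icv else None


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Two frames under the same IV (and key) share a keystream, so XORing
    their ciphertexts cancels it and yields plaintext1 XOR plaintext2 with
    no key involved at all.  Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2)) - 3
    return xor(frame1[3:3 + n], frame2[3:3 + n])


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound for random IVs: P(some IV repeats) after `frames` packets."""
    return 1.0 - exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC32 of an XOR equals the XOR of the CRCs (up to a length-only
    constant), which is why a CRC cannot authenticate anything: a keyed
    MAC has no such structure.  Inputs must have equal length."""
    assert len(a) == len(b)
    lhs = zlib.crc32(xor(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))
    return lhs == rhs
```

With a 24-bit IV the birthday bound puts a repeated keystream at better than even odds after roughly five thousand packets, which a busy access point sends in seconds.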
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols are Difficult}

\begin{itemize}
\item even the systems designed by experts regularly fail\medskip
\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
\item the one who can fix a system should also be liable for the losses\medskip
\item cryptography is often not {\bf the} answer\bigskip\bigskip
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 1:} Every message should say what it means: the interpretation of
a message should not depend on the context.\bigskip\pause

{\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent
to mention the principal’s name explicitly in the message (though difficult).\bigskip


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

{\bf Principle 3:} Be clear about why encryption is being
done. Encryption is not cheap, and not asking precisely why it is
being done can lead to redundancy. Encryption is not synonymous with