134 meetings.'' |
159 meetings.'' |
135 \end{itemize} |
160 \end{itemize} |
136 |
161 |
137 \end{frame} |
162 \end{frame} |
138 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
163 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
164 |
|
165 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
166 \begin{frame}[c] |
|
167 \frametitle{Handshakes} |
|
168 |
|
169 \begin{itemize} |
|
170 \item starting a TCP connection between a client and a server |
|
171 initiates the following three-way handshake protocol: |
|
172 \end{itemize} |
|
173 |
|
174 \begin{columns}[t] |
|
175 \begin{column}{5cm} |
|
176 \begin{minipage}[t]{4cm} |
|
177 \begin{center} |
|
178 \raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}} |
|
179 \end{center} |
|
180 \end{minipage} |
|
181 \end{column} |
|
182 \begin{column}{5cm} |
|
183 \begin{tabular}[t]{rl} |
|
184 Alice: & Hello server!\\ |
|
185 Server: & I heard you\\ |
|
186 Alice: & Thanks |
|
187 \end{tabular} |
|
188 \end{column} |
|
189 \end{columns} |
|
190 |
|
191 \only<2>{ |
|
192 \begin{textblock}{3}(11,5) |
|
193 \begin{bubble}[3.2cm] |
|
194 SYNflood attacks:\medskip\\ |
|
195 \includegraphics[scale=0.4]{../pics/synflood.png} |
|
196 \end{bubble} |
|
197 \end{textblock}} |
|
198 |
|
199 \end{frame} |
|
200 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
201 |
|
202 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
203 \begin{frame}[t] |
|
204 \frametitle{Protocols} |
|
205 |
|
206 \mbox{} |
|
207 |
|
208 \begin{tabular}{l} |
|
209 {\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\ |
|
210 \onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\ |
|
211 \onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip |
|
212 \end{tabular} |
|
213 |
|
214 \begin{itemize} |
|
215 \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\ |
|
216 but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip |
|
217 \item<2-> indicates one ``protocol run'', or session, which specifies some |
|
218 order in the communication |
|
219 \item<2-> there can be several sessions in parallel (think of wifi routers) |
|
220 \end{itemize} |
|
221 |
|
222 \end{frame} |
|
223 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
224 |
|
225 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
226 \begin{frame}[c] |
|
227 \frametitle{Handshakes} |
|
228 |
|
229 \begin{itemize} |
|
230 \item starting a TCP connection between a client and a server |
|
231 initiates the following three-way handshake protocol: |
|
232 \end{itemize} |
|
233 |
|
234 \begin{columns}[t] |
|
235 \begin{column}{5cm} |
|
236 \begin{minipage}[t]{4cm} |
|
237 \begin{center} |
|
238 \raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}} |
|
239 \end{center} |
|
240 \end{minipage} |
|
241 \end{column} |
|
242 \begin{column}{5cm} |
|
243 \begin{tabular}[t]{rl} |
|
244 Alice: & Hello server!\\ |
|
245 Server: & I heard you\\ |
|
246 Alice: & Thanks |
|
247 \end{tabular} |
|
248 \end{column} |
|
249 \end{columns} |
|
250 |
|
251 \begin{center} |
|
252 \begin{tabular}{rl} |
|
253 \bl{$A \rightarrow S$}: & \bl{SYN}\\ |
|
254 \bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\ |
|
255 \bl{$A \rightarrow S$}: & \bl{ACK}\\ |
|
256 \end{tabular} |
|
257 \end{center} |
|
258 |
|
259 \end{frame} |
|
260 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
261 |
|
262 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
263 \begin{frame}[c] |
|
264 \frametitle{\Large Cryptographic Protocol Failures} |
|
265 |
|
266 Ross Anderson and Roger Needham wrote:\bigskip |
|
267 |
|
268 \begin{quote}\rm |
|
269 A lot of the recorded frauds were the result of this kind of |
|
270 blunder, or from management negligence pure and simple. |
|
271 \alert{However, |
|
272 there have been a significant number of cases where the designers |
|
273 protected the right things, used cryptographic algorithms which were |
|
274 not broken, and yet found that their systems were still successfully |
|
275 attacked.} |
|
276 \end{quote} |
|
277 |
|
278 \end{frame} |
|
279 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
280 |
|
281 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
282 \begin{frame}<1-3>[c] |
|
283 \frametitle{Oyster Cards} |
|
284 |
|
285 \includegraphics[scale=0.4]{../pics/oysterc.jpg} |
|
286 |
|
287 \begin{itemize} |
|
288 \item good example of a bad protocol\\ (security by obscurity)\bigskip |
|
289 \item<3-> {\it``Breaching security on Oyster cards should not |
|
290 allow unauthorised use for more than a day, as TfL promises to turn |
|
291 off any cloned cards within 24 hours\ldots''} |
|
292 \end{itemize} |
|
293 |
|
294 \only<2>{ |
|
295 \begin{textblock}{12}(0.5,0.5) |
|
296 \begin{bubble}[11cm]\footnotesize |
|
297 {\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip |
|
298 |
|
299 The Mifare Classic is the most widely used contactless smartcard on the |
|
300 market. The stream cipher CRYPTO1 used by the Classic has recently been |
|
301 reverse engineered and serious attacks have been proposed. The most serious |
|
302 of them retrieves a secret key in under a second. In order to clone a card, |
|
303 previously proposed attacks require that the adversary either has access to |
|
304 an eavesdropped communication session or executes a message-by-message |
|
305 man-in-the-middle attack between the victim and a legitimate |
|
306 reader. Although this is already disastrous from a cryptographic point of |
|
307 view, system integrators maintain that these attacks cannot be performed |
|
308 undetected.\smallskip |
|
309 |
|
310 This paper proposes four attacks that can be executed by an adversary having |
|
311 only wireless access to just a card (and not to a legitimate reader). The |
|
312 most serious of them recovers a secret key in less than a second on ordinary |
|
313 hardware. Besides the cryptographic weaknesses, we exploit other weaknesses |
|
314 in the protocol stack. A vulnerability in the computation of parity bits |
|
315 allows an adversary to establish a side channel. Another vulnerability |
|
316 regarding nested authentications provides enough plaintext for a speedy |
|
317 known-plaintext attack.\hfill{}(a paper from 2009) |
|
318 \end{bubble} |
|
319 \end{textblock}} |
|
320 |
|
321 \end{frame} |
|
322 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
323 |
|
324 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
325 \begin{frame}<1->[t] |
|
326 \frametitle{Another Example} |
|
327 |
|
328 In an email from Ross Anderson\bigskip\small |
|
329 |
|
330 \begin{tabular}{l} |
|
331 From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\ |
|
332 Sender: cl-security-research-bounces@lists.cam.ac.uk\\ |
|
333 To: cl-security-research@lists.cam.ac.uk\\ |
|
334 Subject: Birmingham case\\ |
|
335 Date: Tue, 13 Aug 2013 15:13:17 +0100\\ |
|
336 \end{tabular} |
|
337 |
|
338 |
|
339 \only<2>{ |
|
340 \begin{textblock}{12}(0.5,0.8) |
|
341 \begin{bubble}[11cm] |
|
342 \footnotesize |
|
343 As you may know, Volkswagen got an injunction against the University of |
|
344 Birmingham suppressing the publication of the design of a weak cipher |
|
345 used in the remote key entry systems in its recent-model cars. The paper |
|
346 is being given today at Usenix, minus the cipher design.\medskip |
|
347 |
|
348 I've been contacted by Birmingham University's lawyers who seek to prove |
|
349 that the cipher can be easily obtained anyway. They are looking for a |
|
350 student who will download the firmware from any newish VW, disassemble |
|
351 it and look for the cipher. They'd prefer this to be done by a student |
|
352 rather than by a professor to emphasise how easy it is.\medskip |
|
353 |
|
354 Volkswagen's argument was that the Birmingham people had reversed a |
|
355 locksmithing tool produced by a company in Vietnam, and since their key |
|
356 fob chip is claimed to be tamper-resistant, this must have involved a |
|
357 corrupt insider at VW or at its supplier Thales. Birmingham's argument |
|
358 is that this is nonsense as the cipher is easy to get hold of. Their |
|
359 lawyers feel this argument would come better from an independent |
|
360 outsider.\medskip |
|
361 |
|
362 Let me know if you're interested in having a go, and I'll put you in |
|
363 touch |
|
364 |
|
365 Ross |
|
366 \end{bubble} |
|
367 \end{textblock}} |
|
368 |
|
369 \end{frame} |
|
370 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
371 |
|
372 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
373 \begin{frame}[c] |
|
374 \frametitle{Authentication Protocols} |
|
375 |
|
376 |
|
377 Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip |
|
378 |
|
379 Passwords: |
|
380 |
|
381 \begin{center} |
|
382 \bl{$B \rightarrow A: K_{AB}$} |
|
383 \end{center}\pause\bigskip |
|
384 |
|
385 Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the |
|
386 identity of \bl{$B$} |
|
387 |
|
388 \end{frame} |
|
389 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
390 |
|
391 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
392 \begin{frame}[c] |
|
393 \frametitle{Authentication?} |
|
394 |
|
395 \begin{center} |
|
396 \raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}} |
|
397 \end{center} |
|
398 |
|
399 \end{frame} |
|
400 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
401 |
|
402 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
403 \begin{frame}[c] |
|
404 \frametitle{Authentication Protocols} |
|
405 |
|
406 Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip |
|
407 |
|
408 Simple Challenge Response: |
|
409 |
|
410 \begin{center} |
|
411 \begin{tabular}{ll} |
|
412 \bl{$A \rightarrow B:$} & \bl{$N$}\\ |
|
413 \bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\ |
|
414 \end{tabular} |
|
415 \end{center} |
|
416 |
|
417 |
|
418 \end{frame} |
|
419 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
420 |
|
421 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
422 \begin{frame}[c] |
|
423 \frametitle{Authentication Protocols} |
|
424 |
|
425 Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip |
|
426 |
|
427 Mutual Challenge Response: |
|
428 |
|
429 \begin{center} |
|
430 \begin{tabular}{ll} |
|
431 \bl{$A \rightarrow B:$} & \bl{$N_A$}\\ |
|
432 \bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\ |
|
433 \bl{$A \rightarrow B:$} & \bl{$N_B$}\\ |
|
434 \end{tabular} |
|
435 \end{center} |
|
436 |
|
437 %\pause |
|
438 %An attacker \bl{$E$} can launch an impersonation attack by |
|
439 %intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her |
|
440 %own challenges. |
|
441 |
|
442 \end{frame} |
|
443 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
444 |
|
445 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
446 \begin{frame}[c] |
|
447 \frametitle{Nonces} |
|
448 |
|
449 \begin{enumerate} |
|
450 \item I generate a nonce (random number) and send it to you encrypted with a key we share |
|
451 \item you increase it by one, encrypt it under a key I know and send |
|
452 it back to me |
|
453 \end{enumerate}\medskip |
|
454 |
|
455 |
|
456 I can infer: |
|
457 |
|
458 \begin{itemize} |
|
459 \item you must have received my message |
|
460 \item you could only have generated your answer after I send you my initial |
|
461 message |
|
462 \item if only you and me know the key, the message must have come from you |
|
463 \end{itemize} |
|
464 |
|
465 \end{frame} |
|
466 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
467 |
|
468 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
469 \begin{frame}[c] |
|
470 |
|
471 \begin{center} |
|
472 \begin{tabular}{ll} |
|
473 \bl{$A \rightarrow B$:} & \bl{$N_A$}\\ |
|
474 \bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\ |
|
475 \bl{$A \rightarrow B$:} & \bl{$N_B$}\\ |
|
476 \end{tabular} |
|
477 \end{center} |
|
478 |
|
479 The attack (let $A$ decrypt her own messages): |
|
480 |
|
481 \begin{center} |
|
482 \begin{tabular}{ll} |
|
483 \bl{$A \rightarrow E$:} & \bl{$N_A$}\\ |
|
484 \textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\ |
|
485 \textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\ |
|
486 \bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\ |
|
487 \bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\ |
|
488 \end{tabular} |
|
489 \end{center}\pause |
|
490 |
|
491 \small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message |
|
492 \end{frame} |
|
493 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
494 |
|
495 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
496 \begin{frame}[c] |
|
497 \frametitle{Encryption to the Rescue?} |
|
498 |
|
499 |
|
500 \begin{itemize} |
|
501 \item \bl{$A \,\rightarrow\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip |
|
502 \item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip |
|
503 \item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip |
|
504 \end{itemize}\pause |
|
505 |
|
506 means you need to send separate ``Hello'' signals (bad), or worse |
|
507 share a single key between many entities |
|
508 \end{frame} |
|
509 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
510 |
|
511 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
512 \begin{frame}[c] |
|
513 \frametitle{Protocol Attacks} |
|
514 |
|
515 \begin{itemize} |
|
516 \item replay attacks |
|
517 \item reflection attacks |
|
518 \item man-in-the-middle attacks |
|
519 \item timing attacks |
|
520 \item parallel session attacks |
|
521 \item binding attacks (public key protocols) |
|
522 \item changing environment / changing assumptions\bigskip |
|
523 |
|
524 \item (social engineering attacks) |
|
525 \end{itemize} |
|
526 \end{frame} |
|
527 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
528 |
|
529 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
530 \begin{frame}[c] |
|
531 \frametitle{Public-Key Infrastructure} |
|
532 |
|
533 \begin{itemize} |
|
534 \item the idea is to have a certificate authority (CA) |
|
535 \item you go to the CA to identify yourself |
|
536 \item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip |
|
537 \item CA must be trusted by everybody |
|
538 \item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign |
|
539 explicitly limits liability to \$100.) |
|
540 \end{itemize} |
|
541 |
|
542 \end{frame} |
|
543 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
544 |
|
545 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
546 \begin{frame}[c] |
|
547 \frametitle{Man-in-the-Middle} |
|
548 |
|
549 ``Normal'' protocol run:\bigskip |
|
550 |
|
551 \begin{itemize} |
|
552 \item \bl{$A$} sends public key to \bl{$B$} |
|
553 \item \bl{$B$} sends public key to \bl{$A$} |
|
554 \item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it |
|
555 with its private key |
|
556 \item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it |
|
557 with its private key |
|
558 \end{itemize} |
|
559 |
|
560 \end{frame} |
|
561 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
562 |
|
563 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
564 \begin{frame}[c] |
|
565 \frametitle{Man-in-the-Middle} |
|
566 |
|
567 Attack: |
|
568 |
|
569 \begin{itemize} |
|
570 \item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key |
|
571 \item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key |
|
572 \item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it |
|
573 with its private key, re-encrypts with \bl{$B$}'s public key |
|
574 \item similar for other direction |
|
575 \end{itemize} |
|
576 |
|
577 \end{frame} |
|
578 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
579 |
|
580 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
581 \begin{frame}[c] |
|
582 \frametitle{Man-in-the-Middle} |
|
583 |
|
584 Potential Prevention? |
|
585 |
|
586 \begin{itemize} |
|
587 \item \bl{$A$} sends public key to \bl{$B$} |
|
588 \item \bl{$B$} sends public key to \bl{$A$} |
|
589 \item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message |
|
590 \item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message |
|
591 \item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message |
|
592 \item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message |
|
593 \end{itemize}\pause |
|
594 |
|
595 %\bl{$C$} would have to invent a totally new message |
|
596 \alert{Under which circumstances does this protocol prevent |
|
597 MiM-attacks, or does it?} |
|
598 |
|
599 \end{frame} |
|
600 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
601 |
|
602 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
603 \begin{frame}[c] |
|
604 \frametitle{Car Transponder (HiTag2)} |
|
605 |
|
606 \begin{enumerate} |
|
607 \item \bl{$C$} generates a random number \bl{$N$} |
|
608 \item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$} |
|
609 \item \bl{$C \to T$}: \bl{$N, F$} |
|
610 \item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$} |
|
611 \item \bl{$T$} checks that \bl{$F = F'$} |
|
612 \item \bl{$T \to C$}: \bl{$N, G'$} |
|
613 \item \bl{$C$} checks that \bl{$G = G'$} |
|
614 \end{enumerate}\pause |
|
615 |
|
616 \small |
|
617 This process means that the transponder believes the car knows |
|
618 the key \bl{$K$}, and the car believes the transponder knows |
|
619 the key \bl{$K$}. They have authenticated themselves |
|
620 to each other, or have they? |
|
621 |
|
622 \end{frame} |
|
623 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
624 |
|
625 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
626 \begin{frame}[c] |
|
627 |
|
628 A Man-in-the-middle attack in real life: |
|
629 |
|
630 \begin{itemize} |
|
631 \item the card only says yes to the terminal if the PIN is correct |
|
632 \item trick the card in thinking transaction is verified by signature |
|
633 \item trick the terminal in thinking the transaction was verified by PIN |
|
634 \end{itemize} |
|
635 |
|
636 \begin{minipage}{1.1\textwidth} |
|
637 \begin{center} |
|
638 \mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png} |
|
639 \includegraphics[scale=0.3]{../pics/chipnpinflaw.png} |
|
640 \end{center} |
|
641 \end{minipage} |
|
642 |
|
643 \end{frame} |
|
644 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
645 |
|
646 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
647 \begin{frame}[c] |
|
648 \frametitle{Problems with EMV} |
|
649 |
|
650 \begin{itemize} |
|
651 \item it is a wrapper for many protocols |
|
652 \item specification by consensus (resulted unmanageable complexity) |
|
653 \item its specification is 700 pages in English plus 2000+ pages for testing, additionally some |
|
654 further parts are secret |
|
655 \item other attacks have been found |
|
656 \end{itemize} |
|
657 |
|
658 \end{frame} |
|
659 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
660 |
|
661 |
|
662 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
663 \begin{frame}[c] |
|
664 \frametitle{Protocols are Difficult} |
|
665 |
|
666 \begin{itemize} |
|
667 \item even the systems designed by experts regularly fail\medskip |
|
668 \item the one who can fix a system should also be liable for the losses\medskip |
|
669 \item cryptography is often not the problem\bigskip\bigskip |
|
670 \end{itemize} |
|
671 |
|
672 \end{frame} |
|
673 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
674 |
|
675 |
139 |
676 |
140 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
677 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
141 \begin{frame}[c] |
678 \begin{frame}[c] |
142 \frametitle{A Simple PK Protocol} |
679 \frametitle{A Simple PK Protocol} |
143 |
680 |
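Review bot: several prose slips in the added frames should be fixed before this lands: in the "Potential Prevention?" frame, "send's {\bf half} of the message" appears twice and should read "sends {\bf half} of the message"; in the Attack frame, "intercepts this message and send his own public key" (twice) should be "sends"; in the Nonces frame, "after I send you my initial message" should be "sent" and "if only you and me know the key" should be "if only you and I know the key"; in the chip-and-PIN frame, "trick the card in thinking" should be "into thinking"; in the "Problems with EMV" frame, "(resulted unmanageable complexity)" is missing "in"; and the bubble label "SYNflood attacks" wants a space. Structurally, the Handshakes frame is pasted in twice in full (once with the SYN-flood bubble overlay, once with the SYN / SYN-ACK / ACK table): unless the two slides are meant to sit apart in the deck, fold them into one frame with \onslide<2-> on the table, or at least move the shared columns block (picture plus Alice/Server dialogue) into a macro so it is not maintained in two places. The commented-out "%\pause ... %own challenges." block under the Mutual Challenge Response frame restates what the following attack frame shows in full; drop the dead source rather than carrying it.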