623 |
623 |
624 \item (social engineering attacks) |
624 \item (social engineering attacks) |
625 \end{itemize} |
625 \end{itemize} |
626 \end{frame}} |
626 \end{frame}} |
627 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
627 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
628 |
|
629 |
|
630 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
631 \mode<presentation>{ |
|
632 \begin{frame}[c] |
|
633 \frametitle{Public-Key Infrastructure} |
|
634 |
|
635 \begin{itemize} |
|
636 \item the idea is to have a certificate authority (CA) |
|
637 \item you go to the CA to identify yourself |
|
638 \item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip |
|
639 \item CA must be trusted by everybody |
|
640 \item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign |
|
641 explicitly limits liability to \$100.) |
|
642 \end{itemize} |
|
643 |
|
644 \end{frame}} |
|
645 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
646 |
|
647 |
|
648 |
|
649 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
650 \mode<presentation>{ |
|
651 \begin{frame}[c] |
|
652 \frametitle{Binding Attacks} |
|
653 |
|
654 with public-private keys it is important that the public key is \alert{bound} |
|
655 to the right owner (verified by a certification authority \bl{$CA$}) |
|
656 |
|
657 \begin{center} |
|
658 \begin{tabular}{l} |
|
659 \bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\ |
|
660 \bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\ |
|
661 \end{tabular} |
|
662 \end{center}\bigskip |
|
663 |
|
664 \bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$} |
|
665 in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key |
|
666 |
|
667 |
|
668 \end{frame}} |
|
669 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
670 |
|
671 |
|
672 |
|
673 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
674 \mode<presentation>{ |
|
675 \begin{frame}[c] |
|
676 \frametitle{Binding Attacks} |
|
677 |
|
678 \begin{center} |
|
679 \begin{tabular}{l} |
|
680 \bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\ |
|
681 \bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\ |
|
682 \bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ |
|
683 \bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ |
|
684 \end{tabular} |
|
685 \end{center}\pause |
|
686 |
|
687 \bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$} |
|
688 (which happily decrypts them with its private key) |
|
689 |
|
690 \end{frame}} |
|
691 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
692 |
628 |
693 |
629 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
694 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
630 \mode<presentation>{ |
695 \mode<presentation>{ |
631 \begin{frame}[c] |
696 \begin{frame}[c] |
632 \frametitle{Replay Attacks} |
697 \frametitle{Replay Attacks} |
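Review bot: on the first Binding Attacks frame (new lines 660 and 664-665), the CA's reply \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}} is encrypted under A's public key, so A can only conclude that the reply is confidential to A, not that it "came from CA": anyone holding K^{pub}_A can produce such a message. If origin is meant to be checked, the reply should be signed with the CA's private key (e.g. \{CA, A, N_A, K^{pub}_{B}\}_{K^{priv}_{CA}}) or the wording on line 664 softened. Note too that the reply never names whose key is enclosed, which is exactly what the following attack frame (lines 680-683) exploits; stating that omission on the slide would tie it to the later "make everything explicit" advice. Minor: the PKI frame (line 638) writes public keys as P^{pub}_{Bob} while these frames use K^{pub}_{B}; pick one notation for the deck.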
673 \bl{$B$} believes it is following the correct protocol, |
738 \bl{$B$} believes it is following the correct protocol, |
674 intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and |
739 intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and |
675 talks to \bl{$B$} masquerading as \bl{$A$} |
740 talks to \bl{$B$} masquerading as \bl{$A$} |
676 \end{frame}} |
741 \end{frame}} |
677 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
742 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
743 |
|
744 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
745 \mode<presentation>{ |
|
746 \begin{frame}[c] |
|
747 \frametitle{Time-Stamps} |
|
748 |
|
749 The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos): |
|
750 |
|
751 \begin{center} |
|
752 \begin{tabular}{r@ {\hspace{1mm}}l} |
|
753 \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ |
|
754 \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ |
|
755 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ |
|
756 \bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\ |
|
757 \bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\ |
|
758 \end{tabular} |
|
759 \end{center}\bigskip\pause |
|
760 |
|
761 but nothing is for free: then you need to synchronise time and possibly become a victim to |
|
762 timing attacks |
|
763 |
|
764 \end{frame}} |
|
765 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
766 |
|
767 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
768 \mode<presentation>{ |
|
769 \begin{frame}[t] |
|
770 \frametitle{Changing Environment Attacks} |
|
771 |
|
772 \begin{itemize} |
|
773 \item all protocols rely on some assumptions about the environment |
|
774 (e.g., cryptographic keys cannot be broken)\bigskip\pause |
|
775 \end{itemize} |
|
776 |
|
777 \only<2>{ |
|
778 \begin{itemize} |
|
779 \item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not |
|
780 worthwhile |
|
781 \end{itemize}} |
|
782 |
|
783 \only<3>{ |
|
784 \begin{itemize} |
|
785 \item when it got expensive, some people bought cheaper monthly tickets for a suburban |
|
786 station and a nearby one, and one for the destination and a nearby one |
|
787 \item a large investment later all barriers were automatic and tickets could record state |
|
788 \end{itemize}} |
|
789 |
|
790 \only<4>{ |
|
791 \begin{itemize} |
|
792 \item but suddenly the environment changed: rail transport got privatised creating many |
|
793 competing companies |
|
794 potentially cheating each other |
|
795 \item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots |
|
796 \end{itemize}} |
|
797 |
|
798 \only<5>{ |
|
799 \begin{itemize} |
|
800 \item apart from bad outsiders (passengers), you also have bad insiders (rail companies) |
|
801 \item chaos and litigation ensued |
|
802 \end{itemize}} |
|
803 |
|
804 \end{frame}} |
|
805 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
806 |
|
807 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
808 \mode<presentation>{ |
|
809 \begin{frame}[c] |
|
810 |
|
811 A Man-in-the-middle attack in real life: |
|
812 |
|
813 \begin{itemize} |
|
814 \item the card only says yes or no to the terminal if the PIN is correct |
|
815 \item trick the card in thinking transaction is verified by signature |
|
816 \item trick the terminal in thinking the transaction was verified by PIN |
|
817 \end{itemize} |
|
818 |
|
819 \begin{minipage}{1.1\textwidth} |
|
820 \begin{center} |
|
821 \mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png} |
|
822 \includegraphics[scale=0.3]{pics/chipnpinflaw.png} |
|
823 \end{center} |
|
824 \end{minipage} |
|
825 |
|
826 \end{frame}} |
|
827 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
828 |
|
829 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
830 \mode<presentation>{ |
|
831 \begin{frame}[c] |
|
832 \frametitle{Problems with EMV} |
|
833 |
|
834 \begin{itemize} |
|
835 \item it is a wrapper for many protocols |
|
836 \item specification by consensus (resulted unmanageable complexity) |
|
837 \item its specification is 700 pages in English plus 2000+ pages for testing, additionally some |
|
838 further parts are secret |
|
839 \item other attacks have been found |
|
840 |
|
841 \item one solution might be to require always online verification of the PIN with the bank |
|
842 \end{itemize} |
|
843 |
|
844 \end{frame}} |
|
845 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
846 |
|
847 |
|
848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
849 \mode<presentation>{ |
|
850 \begin{frame}[c] |
|
851 \frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}} |
|
852 |
|
853 \begin{itemize} |
|
854 \item a standard ratified in 1999 |
|
855 \item the protocol was designed by a committee not including cryptographers |
|
856 \item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce |
|
857 \item WEP did not allocate enough bits for the nonce |
|
858 \item for authenticating packets it used CRC checksum which can be easily broken |
|
859 \item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip |
|
860 \item encryption was turned off by default |
|
861 \end{itemize} |
|
862 |
|
863 \end{frame}} |
|
864 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
865 |
|
866 |
|
867 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
868 \mode<presentation>{ |
|
869 \begin{frame}[c] |
|
870 \frametitle{Protocols are Difficult} |
|
871 |
|
872 \begin{itemize} |
|
873 \item even the systems designed by experts regularly fail\medskip |
|
874 \item try to make everything explicit (you need to authenticate all data you might rely on)\medskip |
|
875 \item the one who can fix a system should also be liable for the losses\medskip |
|
876 \item cryptography is often not {\bf the} answer\bigskip\bigskip |
|
877 \end{itemize} |
|
878 |
|
879 logic is one way protocols are studied in academia |
|
880 (you can use computers to search for attacks) |
|
881 |
|
882 \end{frame}} |
|
883 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
884 |
678 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
885 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
679 \mode<presentation>{ |
886 \mode<presentation>{ |
680 \begin{frame}[c] |
887 \begin{frame}[c] |
681 \frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}} |
888 \frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}} |
682 |
889 |
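Review bot: new line 749 names the protocol "Schroeder-Needham"; the established name is Needham-Schroeder, and the rest of the deck should match. On the same frame, line 762's "timing attacks" reads as the side-channel meaning, whereas what a time-stamp introduces is dependence on clock synchronisation, so "attacks on clock synchronisation" (or an explicit remark that B must reject a ticket whose T_S is stale) would be clearer. Smaller points in this hunk: the chip-and-PIN frame (lines 809-826) is the only frame without a \frametitle; line 836 should read "resulted in unmanageable complexity"; line 858 would be more accurate as "a CRC checksum, which is linear and so gives no integrity protection", since the checksum is misused rather than "broken"; line 859 "packages" should be "packets"; and the 1.1\textwidth minipage on line 819 will run past the slide margin.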