332 |
320 |
333 \only<2>{ |
321 \only<2>{ |
334 \begin{textblock}{11}(2,5) |
322 \begin{textblock}{11}(2,5) |
335 \begin{bubble}[8cm] |
323 \begin{bubble}[8cm] |
336 \normalsize To prevent this kind of attack, you need additional |
324 \normalsize To prevent this kind of attack, you need additional |
337 policies (don't do such operations as root). |
325 policies (for example don't do such operations as root). |
338 \end{bubble} |
326 \end{bubble} |
339 \end{textblock}} |
327 \end{textblock}} |
340 |
328 |
341 \end{frame} |
329 \end{frame} |
342 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
330 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
343 |
331 |
344 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
332 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
345 \begin{frame}[c] |
333 %\begin{frame}[c] |
346 \frametitle{\begin{tabular}{c}Infamous Security Flaws\\[-1mm] |
334 %\frametitle{\begin{tabular}{c}Infamous Security Flaws\\[-1mm] |
347 in Unix\end{tabular}} |
335 %in Unix\end{tabular}} |
348 |
336 |
349 |
337 |
350 \begin{itemize} |
338 %\begin{itemize} |
351 \item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause |
339 %\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause |
352 \item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause |
340 %\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause |
353 \item \texttt{mkdir foo} is owned by root\medskip |
341 %\item \texttt{mkdir foo} is owned by root\medskip |
354 \begin{center} |
342 %\begin{center} |
355 \texttt{-rwxr-xr-x 1 root wheel /bin/mkdir} |
343 %\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir} |
356 \end{center}\medskip |
344 %\end{center}\medskip |
357 it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)} |
345 %it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)} |
358 \end{itemize} |
346 %\end{itemize} |
359 |
347 |
360 \only<4->{ |
348 %\only<4->{ |
361 \begin{textblock}{1}(3,7) |
349 %\begin{textblock}{1}(3,7) |
362 \begin{tikzpicture} |
350 %\begin{tikzpicture} |
363 \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] |
351 %\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] |
364 {\begin{minipage}{8cm} |
352 %{\begin{minipage}{8cm} |
365 Only failure makes us experts.\\ |
353 %Only failure makes us experts.\\ |
366 \hfill\small-- Theo de Raadt (OpenBSD, OpenSSH) |
354 %\hfill\small-- Theo de Raadt (OpenBSD, OpenSSH) |
367 \end{minipage}}; |
355 %\end{minipage}}; |
368 \end{tikzpicture} |
356 %\end{tikzpicture} |
369 \end{textblock}} |
357 %\end{textblock}} |
370 |
358 |
371 \end{frame} |
359 %\end{frame} |
372 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
360 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
373 |
361 |
374 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
362 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
375 \begin{frame}[c] |
363 \begin{frame}[c] |
376 \frametitle{Subtleties} |
364 \frametitle{Subtleties} |
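Review bot: the reworded bubble `policies (for example don't do such operations as root).` needs a comma after `for example`, and the advice is vague for a slide whose point is a root race: say what the policy is (the operation runs unprivileged, or the privileged part is reduced to the step that actually needs root). The `Infamous Security Flaws in Unix` frame is disabled by prefixing all of its lines with `%` rather than being deleted; if it is meant to come back, its `mkdir` item still reads `changes to ownership to the user's id` (should be `changes the ownership`), and if it is retired for good, delete it instead of carrying about thirty commented lines in the file.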
881 |
923 |
882 \end{frame} |
924 \end{frame} |
883 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
925 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
884 |
926 |
885 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
927 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
886 \begin{frame}<1->[t] |
928 % \begin{frame}<1->[t] |
887 \frametitle{Another Example} |
929 % \frametitle{Another Example} |
888 |
930 |
889 In an email from Ross Anderson\bigskip\small |
931 % In an email from Ross Anderson\bigskip\small |
890 |
932 |
891 \begin{tabular}{l} |
933 % \begin{tabular}{l} |
892 From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\ |
934 % From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\ |
893 Sender: cl-security-research-bounces@lists.cam.ac.uk\\ |
935 % Sender: cl-security-research-bounces@lists.cam.ac.uk\\ |
894 To: cl-security-research@lists.cam.ac.uk\\ |
936 % To: cl-security-research@lists.cam.ac.uk\\ |
895 Subject: Birmingham case\\ |
937 % Subject: Birmingham case\\ |
896 Date: Tue, 13 Aug 2013 15:13:17 +0100\\ |
938 % Date: Tue, 13 Aug 2013 15:13:17 +0100\\ |
897 \end{tabular} |
939 % \end{tabular} |
898 |
940 |
899 |
941 |
900 \only<2>{ |
942 % \only<2>{ |
901 \begin{textblock}{12}(0.5,0.8) |
943 % \begin{textblock}{12}(0.5,0.8) |
902 \begin{bubble}[11cm] |
944 % \begin{bubble}[11cm] |
903 \footnotesize |
945 % \footnotesize |
904 As you may know, Volkswagen got an injunction against the University of |
946 % As you may know, Volkswagen got an injunction against the University of |
905 Birmingham suppressing the publication of the design of a weak cipher |
947 % Birmingham suppressing the publication of the design of a weak cipher |
906 used in the remote key entry systems in its recent-model cars. The paper |
948 % used in the remote key entry systems in its recent-model cars. The paper |
907 is being given today at Usenix, minus the cipher design.\medskip |
949 % is being given today at Usenix, minus the cipher design.\medskip |
908 |
950 |
909 I've been contacted by Birmingham University's lawyers who seek to prove |
951 % I've been contacted by Birmingham University's lawyers who seek to prove |
910 that the cipher can be easily obtained anyway. They are looking for a |
952 % that the cipher can be easily obtained anyway. They are looking for a |
911 student who will download the firmware from any newish VW, disassemble |
953 % student who will download the firmware from any newish VW, disassemble |
912 it and look for the cipher. They'd prefer this to be done by a student |
954 % it and look for the cipher. They'd prefer this to be done by a student |
913 rather than by a professor to emphasise how easy it is.\medskip |
955 % rather than by a professor to emphasise how easy it is.\medskip |
914 |
956 |
915 Volkswagen's argument was that the Birmingham people had reversed a |
957 % Volkswagen's argument was that the Birmingham people had reversed a |
916 locksmithing tool produced by a company in Vietnam, and since their key |
958 % locksmithing tool produced by a company in Vietnam, and since their key |
917 fob chip is claimed to be tamper-resistant, this must have involved a |
959 % fob chip is claimed to be tamper-resistant, this must have involved a |
918 corrupt insider at VW or at its supplier Thales. Birmingham's argument |
960 % corrupt insider at VW or at its supplier Thales. Birmingham's argument |
919 is that this is nonsense as the cipher is easy to get hold of. Their |
961 % is that this is nonsense as the cipher is easy to get hold of. Their |
920 lawyers feel this argument would come better from an independent |
962 % lawyers feel this argument would come better from an independent |
921 outsider.\medskip |
963 % outsider.\medskip |
922 |
964 |
923 Let me know if you're interested in having a go, and I'll put you in |
965 % Let me know if you're interested in having a go, and I'll put you in |
924 touch |
966 % touch |
925 |
967 |
926 Ross |
968 % Ross |
927 \end{bubble} |
969 % \end{bubble} |
928 \end{textblock}} |
970 % \end{textblock}} |
929 |
971 |
930 \end{frame} |
972 % \end{frame} |
931 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
973 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
932 |
974 |
933 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
975 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
934 \begin{frame}[c] |
976 \begin{frame}[c] |
935 \frametitle{Authentication Protocols} |
977 \frametitle{Authentication Protocols} |
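Review bot: the `Another Example` frame is switched off by prefixing every line with `% ` instead of being removed, so the whole Ross Anderson email, including the `From:`, `Sender:` and `To:` addresses, stays verbatim in a source file that nothing renders. If the frame is retired, delete it and rely on version history; if it is only parked, decide whether the personal and mailing-list addresses need to remain in a file that travels with the slides. The `Subtleties` frame around it is unchanged, so only the commented block is at issue.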
1157 \alert{Under which circumstances does this protocol prevent |
1199 \alert{Under which circumstances does this protocol prevent |
1158 MiM-attacks, or does it?} |
1200 MiM-attacks, or does it?} |
1159 |
1201 |
1160 \end{frame} |
1202 \end{frame} |
1161 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1203 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1204 |
|
1205 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1206 \begin{frame}[c] |
|
1207 \frametitle{Splitting Messages} |
|
1208 |
|
1209 \begin{center} |
|
1210 $\underbrace{\texttt{\Grid{0X1peUVTGJK+H70mMjAM8p}}}_{\bl{\{A,m\}_{K^{pub}_B}}}$ |
|
1211 \end{center} |
|
1212 |
|
1213 \begin{center} |
|
1214 $\underbrace{\texttt{\Grid{0X1peUVTGJK}}}_{\bl{H_1}}$\quad |
|
1215 $\underbrace{\texttt{\Grid{+H70mMjAM8p}}}_{\bl{H_2}}$ |
|
1216 \end{center} |
|
1217 |
|
1218 \begin{itemize} |
|
1219 \item you can also use the even and odd bytes |
|
1220 \item the point is you cannot decrypt the halves, even if you |
|
1221 have the key |
|
1222 \end{itemize} |
|
1223 |
|
1224 |
|
1225 \end{frame} |
|
1226 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1227 |
|
1228 |
|
1229 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1230 \begin{frame}[c] |
|
1231 |
|
1232 \begin{center} |
|
1233 \begin{tabular}{l@{\hspace{9mm}}l} |
|
1234 \begin{tabular}[t]{@{}l@{}} |
|
1235 \bl{$A \to C : K^{pub}_A$}\\ |
|
1236 \bl{$C \to B : K^{pub}_C$}\\ |
|
1237 \bl{$B \to C : K^{pub}_B$}\\ |
|
1238 \bl{$C \to A : K^{pub}_C$}\medskip\\ |
|
1239 \bl{$\{A,m\}_{K^{pub}_C} \;\mapsto\; H_1,H_2$}\\ |
|
1240 \bl{$\{B,m'\}_{K^{pub}_C} \;\mapsto\; M_1,M_2$}\bigskip\\ |
|
1241 \bl{$\{C,a\}_{K^{pub}_B} \;\mapsto\; C_1,C_2$}\\ |
|
1242 \bl{$\{C,b\}_{K^{pub}_A} \;\mapsto\; D_1,D_2$} |
|
1243 \end{tabular} & |
|
1244 \begin{tabular}[t]{@{}l@{}} |
|
1245 \bl{$A \to C : H_1$}\\ |
|
1246 \bl{$C \to B : C_1$}\\ |
|
1247 \bl{$B \to C : \{C_1, M_1\}_{K^{pub}_C}$}\\ |
|
1248 \bl{$C \to A : \{H_1, D_1\}_{K^{pub}_A}$}\\ |
|
1249 \bl{$A \to C : \{H_2, D_1\}_{K^{pub}_C}$}\\ |
|
1250 \bl{$C \to B : \{C_2, M_1\}_{K^{pub}_B}$}\\ |
|
1251 \bl{$B \to C : M_2$}\\ |
|
1252 \bl{$C \to A : D_2$} |
|
1253 \end{tabular} |
|
1254 \end{tabular} |
|
1255 \end{center}\pause |
|
1256 |
|
1257 \footnotesize |
|
1258 \bl{$m$} = How is your grandmother? \bl{$m'$} = How is the |
|
1259 weather today in London? |
|
1260 |
|
1261 \end{frame} |
|
1262 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1263 |
|
1264 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1265 \begin{frame}[c] |
|
1266 |
|
1267 \begin{itemize} |
|
1268 \item you have to ask something that cannot be imitated |
|
1269 (requires \bl{$A$} and \bl{$B$} know each other) |
|
1270 \item what happens if \bl{$m$} and \bl{$m'$} are voice |
|
1271 messages?\bigskip\pause |
|
1272 |
|
1273 \item So \bl{$C$} can either leave the communication unchanged, |
|
1274 or invent a complete new conversation |
|
1275 |
|
1276 \end{itemize} |
|
1277 |
|
1278 \end{frame} |
|
1279 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1280 |
1162 |
1281 |
1163 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1282 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1164 \begin{frame}[c] |
1283 \begin{frame}[c] |
1165 \frametitle{Car Transponder (HiTag2)} |
1284 \frametitle{Car Transponder (HiTag2)} |
1166 |
1285 |
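Review bot: the `Splitting Messages` item `the point is you cannot decrypt the halves, even if you have the key` states the property the whole construction rests on without its assumption: it holds only when half of the ciphertext is useless to the key holder (here `H_1` and `H_2` are 11 characters each of the 22-character `{A,m}`), and the closing frame's conclusion that `C` can either leave the communication unchanged, or invent a complete new conversation, depends on exactly that; state the assumption on the slide. Two of the three added frames, the one holding the `A \to C : K^{pub}_A` table and the one holding the `you have to ask something that cannot be imitated` list, have no `\frametitle`, unlike every other frame in the file; reuse `\frametitle{Splitting Messages}` or give them their own. Grammar: `requires \bl{$A$} and \bl{$B$} know each other` wants `that` after `requires`.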
1204 \end{frame} |
1324 \end{frame} |
1205 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1325 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1206 |
1326 |
1207 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1327 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1208 \begin{frame}[c] |
1328 \begin{frame}[c] |
1209 \frametitle{Problems with EMV} |
1329 |
1210 |
1330 \begin{itemize} |
1211 \begin{itemize} |
1331 \item the moral: establishing a secure connection from |
1212 \item it is a wrapper for many protocols |
1332 ``zero'' is almost impossible---you need to rely on some |
1213 \item specification by consensus (resulted unmanageable complexity) |
1333 established trust\medskip |
1214 \item its specification is 700 pages in English plus 2000+ pages for testing, additionally some |
1334 |
1215 further parts are secret |
1335 \item that is why PKI relies on certificates, which however are |
1216 \item other attacks have been found |
1336 badly, badly realised |
|
1337 |
|
1338 \end{itemize} |
|
1339 |
|
1340 \end{frame} |
|
1341 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1342 |
|
1343 |
|
1344 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1345 \begin{frame}[c] |
|
1346 \frametitle{Trusted Third Parties} |
|
1347 |
|
1348 Simple protocol for establishing a secure connection via a |
|
1349 mutually trusted 3rd party (server): |
|
1350 |
|
1351 \begin{center} |
|
1352 \begin{tabular}{r@ {\hspace{1mm}}l} |
|
1353 \bl{$A \rightarrow S :$} & \bl{$A, B$}\\ |
|
1354 \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}, \{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\ |
|
1355 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\ |
|
1356 \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\ |
|
1357 \end{tabular} |
|
1358 \end{center} |
|
1359 |
|
1360 \end{frame} |
|
1361 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1362 |
|
1363 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1364 \begin{frame}[c] |
|
1365 \frametitle{PKI: The Main Idea} |
|
1366 |
|
1367 \begin{itemize} |
|
1368 \item the idea is to have a certificate authority (CA) |
|
1369 \item you go to the CA to identify yourself |
|
1370 \item CA: ``I, the CA, have verified that public key |
|
1371 \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip |
|
1372 \item CA must be trusted by everybody\medskip |
|
1373 \item certificates are time limited, and can be revoked |
|
1374 |
|
1375 \item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign |
|
1376 explicitly limits liability to \$100.) |
|
1377 \end{itemize} |
|
1378 |
|
1379 \end{frame} |
|
1380 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1381 |
|
1382 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1383 \begin{frame}[c] |
|
1384 \frametitle{PKI: Chains of Trust} |
|
1385 |
|
1386 \begin{center} |
|
1387 \begin{tikzpicture}[scale=1, |
|
1388 node/.style={ |
|
1389 rectangle,rounded corners=3mm, |
|
1390 very thick,draw=black!50,minimum height=18mm, minimum width=23mm, |
|
1391 top color=white,bottom color=black!20}] |
|
1392 |
|
1393 \node (A) at (0,0) [node] {}; |
|
1394 \node [below right] at (A.north west) |
|
1395 {\small\begin{tabular}{@{}l}CA\\Root Cert.\end{tabular}}; |
|
1396 |
|
1397 \node (B) at (4,0) [node] {}; |
|
1398 \node [below right=1mm] at (B.north west) |
|
1399 {\mbox{}\hspace{-1mm}\small |
|
1400 \begin{tabular}{@{}l}Subordinate\\ CA\end{tabular}}; |
|
1401 |
|
1402 \node (C) at (8,0) [node] {}; |
|
1403 \node [below right] at (C.north west) |
|
1404 {\small\begin{tabular}{@{}l}Server\\ Bank.com\end{tabular}}; |
|
1405 |
|
1406 \draw [->,line width=4mm] (A) -- (B); |
|
1407 \draw [->,line width=4mm] (B) -- (C); |
|
1408 |
|
1409 \node (D) at (6,-3) [node] {}; |
|
1410 \node [below right] at (D.north west) |
|
1411 {\small\begin{tabular}{@{}l}Browser\\ Root Store\end{tabular}}; |
|
1412 |
|
1413 \node (E) at (2,-3) [node] {}; |
|
1414 \node [below right] at (E.north west) |
|
1415 {\small\begin{tabular}{@{}l}Browser\\ Vendor\end{tabular}}; |
|
1416 |
|
1417 \draw [->,line width=4mm] (E) -- (D); |
|
1418 \end{tikzpicture} |
|
1419 \end{center} |
|
1420 |
|
1421 \begin{itemize} |
|
1422 \item CAs make almost no money anymore, because of stiff |
|
1423 competition |
|
1424 \item browser companies are not really interested in security; |
|
1425 only in market share |
|
1426 \end{itemize} |
|
1427 |
|
1428 \end{frame} |
|
1429 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1430 |
|
1431 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1432 \begin{frame}[c] |
|
1433 \frametitle{PKI: Weaknesses} |
|
1434 |
|
1435 CAs just cannot win (make any profit):\medskip |
|
1436 |
|
1437 \begin{itemize} |
|
1438 \item there are hundreds of CAs, which issue millions of |
|
1439 certificates and the error rate is small |
|
1440 |
|
1441 \item users (servers) do not want to pay or pay as little as |
|
1442 possible\bigskip |
|
1443 |
|
1444 \item a CA can issue a certificate for any domain not needing |
|
1445 any permission (CAs are meant to undergo audits, |
|
1446 but\ldots DigiNotar) |
|
1447 |
|
1448 \item if a CA has issued many certificates, it ``becomes too |
|
1449 big to fail'' |
|
1450 |
|
1451 \item Can we be sure CAs are not just frontends of some |
|
1452 government organisation? |
|
1453 |
|
1454 \end{itemize} |
|
1455 |
|
1456 \end{frame} |
|
1457 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1458 |
|
1459 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1460 \begin{frame}[c] |
|
1461 \frametitle{PKI: Weaknesses} |
|
1462 |
|
1463 \begin{itemize} |
|
1464 |
|
1465 \item many certificates are issued via Whois, whether you own |
|
1466 the domain\ldots if you hijacked a domain, it is easy to |
|
1467 obtain certificates\medskip |
|
1468 |
|
1469 \item the revocation mechanism does not work (Chrome has given |
|
1470 up on general revocation lists)\medskip |
|
1471 |
|
1472 \item lax approach to validation of certificates |
|
1473 (Have you ever bypassed certification warnings?)\medskip |
|
1474 |
|
1475 \item sometimes you want to actually install invalid |
|
1476 certificates (self-signed) |
|
1477 |
|
1478 \end{itemize} |
|
1479 |
|
1480 \end{frame} |
|
1481 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1482 |
|
1483 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1484 \begin{frame}[c] |
|
1485 \frametitle{PKI: Attacks} |
|
1486 |
|
1487 \begin{itemize} |
|
1488 |
|
1489 \item Go directly after root certificates |
|
1490 \begin{itemize} |
|
1491 \item governments can demand private keys\smallskip |
|
1492 \item 10 years ago it was estimated that breaking a 1024 bit |
|
1493 key takes one year and costs 10 - 30 Mio \$; this is now |
|
1494 reduced to 1 Mio \$ |
|
1495 \end{itemize} |
|
1496 |
|
1497 \item Go after buggy implementations of certificate |
|
1498 validation\smallskip |
|
1499 |
|
1500 \item Social Engineering |
|
1501 \begin{itemize} |
|
1502 \item in 2001 somebody pretended to be |
|
1503 from Microsoft and asked for two code-signing |
|
1504 certificates |
|
1505 \end{itemize}\bigskip |
|
1506 \end{itemize} |
|
1507 |
|
1508 \small The eco-system is completely broken (it relies on |
|
1509 thousands of entities to do the right thing). Maybe DNSSEC |
|
1510 where keys can be attached to domain names is a way out. |
|
1511 |
|
1512 \end{frame} |
|
1513 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1514 |
|
1515 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1516 \begin{frame}[c] |
|
1517 \frametitle{Real Attacks} |
|
1518 |
|
1519 \begin{itemize} |
|
1520 |
|
1521 \item In 2011, DigiNotar (Dutch company) was the first CA that |
|
1522 got compromised comprehensively, and where many |
|
1523 fraudulent certificates were issued to the wild. It |
|
1524 included approximately 300,000 IP addresses, mostly |
|
1525 located in Iran. The attackers (in Iran?) were likely |
|
1526 interested ``only'' in collecting gmail passwords.\medskip |
|
1527 |
|
1528 \item The Flame malware piggy-bagged on this attack by |
|
1529 advertising malicious Windows updates to some targeted |
|
1530 systems (mostly in Iran, Israel, Sudan). |
|
1531 |
|
1532 \end{itemize} |
|
1533 |
|
1534 \end{frame} |
|
1535 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1536 |
|
1537 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1538 \begin{frame}[c] |
|
1539 \frametitle{PKI is Broken} |
|
1540 |
|
1541 \begin{itemize} |
|
1542 |
|
1543 \item PKI and certificates are meant to protect you against |
|
1544 MITM attacks, but if the attack occurs your are |
|
1545 presented with a warning and you need to decide whether |
|
1546 you are under attack.\medskip |
|
1547 |
|
1548 \item Webcontent gets often loaded from 3rd-party servers, |
|
1549 which might not be secured\medskip |
|
1550 |
|
1551 \item Misaligned incentives: browser vendors are not |
|
1552 interested in breaking webpages with invalid |
|
1553 certificates |
|
1554 |
|
1555 \end{itemize} |
|
1556 |
|
1557 \end{frame} |
|
1558 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1559 |
|
1560 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1561 \begin{frame}[c] |
|
1562 |
|
1563 Why are there so many invalid certificates?\bigskip |
|
1564 |
|
1565 \begin{itemize} |
|
1566 |
|
1567 \item insufficient name coverage (www.example.com should |
|
1568 include example.com) |
|
1569 |
|
1570 \item IoT: many appliances have web-based admin interfaces; |
|
1571 the manufacturer cannot know under which IP and domain name |
|
1572 the appliances are run (so cannot install a valid certificate) |
|
1573 |
|
1574 \item expired certificates, or incomplete chains of trust |
|
1575 (servers are supposed to supply them) |
|
1576 |
1217 \end{itemize} |
1577 \end{itemize} |
1218 |
1578 |
1219 \end{frame} |
1579 \end{frame} |
1220 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1580 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1221 |
1581 |
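Review bot: in the `Trusted Third Parties` table the only thing B receives from the server path is `\{K_{AB}\}_{K_{BS}}`, which carries neither the name of the party the key is shared with nor anything fresh, so B cannot tell from the message who it now shares `K_{AB}` with or whether the ticket is replayed from an earlier run; since the frame calls this a `Simple protocol`, say on the slide what was left out (principal names and nonces or timestamps inside the tickets), otherwise the preceding `the moral: establishing a secure connection from zero is almost impossible` frame is followed by an example that is itself weak. That moral frame, which replaces `Problems with EMV`, has no `\frametitle`; add one. Wording in the added PKI frames: `piggy-bagged` should be `piggy-backed`, `your are presented` should be `you are presented`, `Webcontent gets often loaded` should be `Web content is often loaded`, `issued to the wild` should be `issued into the wild`, `certification warnings` should be `certificate warnings`, and `many certificates are issued via Whois, whether you own the domain` is hard to parse and presumably means that ownership is checked only through Whois data. `10 - 30 Mio \$` would read better as `10 to 30 million dollars`.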