255 \begin{frame}[c] |
257 \begin{frame}[c] |
256 \frametitle{Encryption to the Rescue?} |
258 \frametitle{Encryption to the Rescue?} |
257 |
259 |
258 |
260 |
259 \begin{itemize} |
261 \begin{itemize} |
260 \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encryption\bigskip |
262 \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip |
261 \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip |
263 \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip |
262 \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip |
264 \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip |
263 \end{itemize}\pause |
265 \end{itemize}\pause |
264 |
266 |
265 means you need to send a separate ``Hello'' signal (bad), or worse |
267 means you need to send a separate ``Hello'' signal (bad), or worse |
266 share a single key between many entities |
268 share a single key between many entities |
267 \end{frame}} |
269 \end{frame}} |
268 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
270 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
269 |
271 |
270 |
272 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
271 |
273 \mode<presentation>{ |
272 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
274 \begin{frame}[c] |
273 \mode<presentation>{ |
275 \frametitle{Protocol Attacks} |
274 \begin{frame}[c] |
|
275 \frametitle{Possible Kinds of Attacks} |
|
276 |
276 |
277 \begin{itemize} |
277 \begin{itemize} |
|
278 \item replay attacks |
278 \item reflection attacks |
279 \item reflection attacks |
279 \item man-in-the-middle attacks |
280 \item man-in-the-middle attacks |
280 \item replay attacks |
|
281 \item timing attacks |
281 \item timing attacks |
|
282 \item parallel session attacks |
|
283 \item binding attacks (public key protocols) |
282 \item changing environment / changing assumptions |
284 \item changing environment / changing assumptions |
283 \end{itemize} |
285 \end{itemize} |
284 \end{frame}} |
286 \end{frame}} |
285 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
287 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
286 |
288 |
287 \end{document} |
289 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
290 \mode<presentation>{ |
|
291 \begin{frame}[c] |
|
292 \frametitle{Replay Attacks} |
|
293 |
|
294 Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: |
|
295 |
|
296 \begin{center} |
|
297 \begin{tabular}{r@ {\hspace{1mm}}l} |
|
298 \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ |
|
299 \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\ |
|
300 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\ |
|
301 \bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\ |
|
302 \bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\ |
|
303 \end{tabular} |
|
304 \end{center}\bigskip\pause |
|
305 |
|
306 at the end both \bl{$A$} and \bl{$B$} should be in the possession of the secret key |
|
307 \bl{$K_{AB}$} and know that the other principal has the key |
|
308 |
|
309 \end{frame}} |
|
310 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
311 |
|
312 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
313 \mode<presentation>{ |
|
314 \begin{frame}[c] |
|
315 |
|
316 \begin{center} |
|
317 \begin{tabular}{l} |
|
318 \bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\ |
|
319 \bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\ |
|
320 \bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\ |
|
321 \bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\ |
|
322 \bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\ |
|
323 \hspace{5cm}compromise \bl{$K_{AB}$}\pause\\ |
|
324 \bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\ |
|
325 \bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\ |
|
326 \bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\ |
|
327 \bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\ |
|
328 \bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\ |
|
329 \end{tabular} |
|
330 \end{center}\pause |
|
331 |
|
332 \bl{$B$} believes it is following the correct protocol, |
|
333 intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and |
|
334 talk to \bl{$B$} masquerading as \bl{$A$} |
|
335 \end{frame}} |
|
336 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
337 |
|
338 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
339 \mode<presentation>{ |
|
340 \begin{frame}[c] |
|
341 \frametitle{Replay Attacks} |
|
342 |
|
343 Andrew Secure RPC protocol: exchanging a new key |
|
344 between \bl{$A$} and \bl{$B$} |
|
345 |
|
346 \begin{center} |
|
347 \begin{tabular}{l} |
|
348 \bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\ |
|
349 \bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\ |
|
350 \bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\ |
|
351 \bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\ |
|
352 \end{tabular} |
|
353 \end{center}\bigskip\pause |
|
354 |
|
355 Assume nonces are represented as bit-sequences of the same length |
|
356 \begin{center} |
|
357 \begin{tabular}{@{}l@{}} |
|
358 \bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\ |
|
359 \bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\ |
|
360 \bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\ |
|
361 \bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\ |
|
362 \end{tabular} |
|
363 \end{center} |
|
364 \end{frame}} |
|
365 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
366 |
|
367 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
368 \mode<presentation>{ |
|
369 \begin{frame}[c] |
|
370 \frametitle{Binding Attacks} |
|
371 |
|
372 with public-private keys it is important that the public key is \alert{bound} |
|
373 to the right owner (verified by a certification authority \bl{$CA$}) |
|
374 |
|
375 \begin{center} |
|
376 \begin{tabular}{l} |
|
377 \bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\ |
|
378 \bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\ |
|
379 \end{tabular} |
|
380 \end{center}\bigskip |
|
381 |
|
382 \bl{$A$} knows \bl{$K^{prig}_A$} and can verify the message came from \bl{$CA$} |
|
383 in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key |
|
384 |
|
385 |
|
386 \end{frame}} |
|
387 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
388 |
|
389 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
390 \mode<presentation>{ |
|
391 \begin{frame}[c] |
|
392 \frametitle{Binding Attacks} |
|
393 |
|
394 \begin{center} |
|
395 \begin{tabular}{l} |
|
396 \bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\ |
|
397 \bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\ |
|
398 \bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ |
|
399 \bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ |
|
400 \end{tabular} |
|
401 \end{center}\pause |
|
402 |
|
403 \bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$} |
|
404 (which happily decrypts them with its private key) |
|
405 |
|
406 \end{frame}} |
|
407 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
408 |
|
409 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
410 \mode<presentation>{ |
|
411 \begin{frame}[c] |
|
412 \frametitle{``Real-World'' Attacks} |
|
413 |
|
414 EMV (Europay, MasterCard, Visa) is a standard for payments by credit cards\bigskip |
|
415 |
|
416 It consists of three phases: |
|
417 |
|
418 \begin{enumerate} |
|
419 \item card authentication phase (the terminal reads the information; signs it with a public key |
|
420 and verifies the signed information) |
|
421 \item cardholder authentication (PIN; terminal sends PIN to card which verifies it; it can also verify it online |
|
422 with the bank) |
|
423 \item transaction authorisation (the terminal asks the card to provide an authentication code for the transaction; |
|
424 the code is sent to the bank for verification) |
|
425 \end{enumerate} |
|
426 |
|
427 \end{frame}} |
|
428 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
429 |
|
430 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
431 \mode<presentation>{ |
|
432 \begin{frame}[c] |
|
433 |
|
434 A Man-in-the-middle attack |
|
435 |
|
436 \begin{itemize} |
|
437 \item the card only says yes or no to the terminal if the PIN is correct |
|
438 \item trick the card in thinking transaction is verified by signature |
|
439 \item trick the terminal in thinking the transaction was verified by PIN |
|
440 \end{itemize} |
|
441 |
|
442 \begin{minipage}{1.1\textwidth} |
|
443 \begin{center} |
|
444 \mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png} |
|
445 \includegraphics[scale=0.3]{pics/chipnpinflaw.png} |
|
446 \end{center} |
|
447 \end{minipage} |
|
448 |
|
449 \end{frame}} |
|
450 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
451 |
|
452 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
453 \mode<presentation>{ |
|
454 \begin{frame}[c] |
|
455 \frametitle{Problems with EMV} |
|
456 |
|
457 \begin{itemize} |
|
458 \item it is a wrapper for many protocols |
|
459 \item specification by consensus (resulted unmanageable complexity) |
|
460 \item its specification is 700 pages in English plus 2000+ pages for testing, additionally some |
|
461 further parts are secret |
|
462 \item other attacks have been found |
|
463 |
|
464 \item one solution might be to require always online verification of the PIN with the bank |
|
465 \end{itemize} |
|
466 |
|
467 \end{frame}} |
|
468 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
469 |
|
470 \end{document} |
288 |
471 |
289 %%% Local Variables: |
472 %%% Local Variables: |
290 %%% mode: latex |
473 %%% mode: latex |
291 %%% TeX-master: t |
474 %%% TeX-master: t |
292 %%% End: |
475 %%% End: |
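Review bot: In the added "Real-World" Attacks frame (new lines 419-420) the card authentication item says the terminal "signs it with a public key", but a signature is created with a private key and only checked with the public one; `\item card authentication phase (the terminal reads the card's signed data and verifies the signature with a public key)` would state the check correctly. In the first Binding Attacks frame (new line 382) `K^{prig}_A` looks like a typo for `K^{priv}_A`, and the claim that A "can verify the message came from CA" should be hedged, since anything encrypted under `K^{pub}_A` could have been produced by any party. The second Binding Attacks frame would benefit from a closing line naming the repair, presumably that the CA's reply must carry the name `B` alongside `K^{pub}_B` so the key is bound to its owner. The tabular row at new line 328 ends in a single `\` rather than `\\`, and "Schroeder-Needham" at new line 294 is usually written Needham-Schroeder. The earlier part of this file's diff lies outside the visible page, so these remarks cover only the frames shown here.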