sen-material: comparison slides/slides06.tex

equal deleted inserted replaced

-:f99817977494
+:e6e87d5839c0
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Protocols}
-\begin{center}
-\includegraphics[scale=0.11]{../pics/keyfob.jpg}
-\quad
-\includegraphics[scale=0.3025]{../pics/startstop.jpg}
-\end{center}
-\begin{itemize}
-\item Other examples: Wifi, Http-request, TCP-request,
-card readers, RFID (passports)\ldots\medskip\pause
-\item The point is that we cannot control the network: An attacker
-can install a packet sniffer, inject packets, modify packets,
-replay messages\ldots{}fake pretty much everything.
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Keyless Car Transponders}
-\begin{center}
-\includegraphics[scale=0.1]{../pics/keyfob.jpg}
-\quad
-\includegraphics[scale=0.27]{../pics/startstop.jpg}
-\end{center}
-\begin{itemize}
-\item There are two security mechanisms: one remote central
-locking system and one passive RFID tag (engine immobiliser).
-\item How can I get in? How can thieves be kept out?
-How to avoid MITM attacks?
-\end{itemize}\medskip
-\footnotesize
-\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
-\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
-\hfill a Vehicle Immobilizer
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Public-Key Infrastructure}
-\begin{itemize}
-\item the idea is to have a certificate authority (CA)
-\item you go to the CA to identify yourself
-\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
-\item CA must be trusted by everybody
-\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
-explicitly limits liability to \$100.)
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Man-in-the-Middle}
-``Normal'' protocol run:\bigskip
-\begin{itemize}
-\item \bl{$A$} sends public key  to \bl{$B$}
-\item \bl{$B$} sends public key  to \bl{$A$}
-\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
-with its private key
-\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
-with its private key
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Man-in-the-Middle}
-Attack:
-\begin{itemize}
-\item \bl{$A$} sends public key  to \bl{$B$}  --- \bl{$C$} intercepts this message and send his own public key
-\item \bl{$B$} sends public key  to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
-\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
-with its private key, re-encrypts with \bl{$B$}'s public key
-\item similar for other direction
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Man-in-the-Middle}
-Potential Prevention?
-\begin{itemize}
-\item \bl{$A$} sends public key  to \bl{$B$}
-\item \bl{$B$} sends public key  to \bl{$A$}
-\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
-\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
-\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
-\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
-\end{itemize}\pause
-%\bl{$C$} would have to invent a totally new message
-\alert{Under which circumstances does this protocol prevent
-MiM-attacks, or does it?}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Car Transponder (HiTag2)}
-\begin{enumerate}
-\item \bl{$C$} generates a random number \bl{$N$}
-\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
-\item \bl{$C \to T$}: \bl{$N, F$}
-\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
-\item \bl{$T$} checks that \bl{$F = F'$}
-\item \bl{$T \to C$}: \bl{$N, G'$}
-\item \bl{$C$} checks that \bl{$G = G'$}
-\end{enumerate}\pause
-\small
-This process means that the transponder believes the car knows
-the key \bl{$K$}, and the car believes the transponder knows
-the key \bl{$K$}. They have authenticated themselves
-to each other, or have they?
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-A Man-in-the-middle attack in real life:
-\begin{itemize}
-\item the card only says yes to the terminal if the PIN is correct
-\item trick the card in thinking transaction is verified by signature
-\item trick the terminal in thinking the transaction was verified by PIN
-\end{itemize}
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}
-\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}
-\end{center}
-\end{minipage}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Problems with EMV}
-\begin{itemize}
-\item it is a wrapper for many protocols
-\item specification by consensus (resulted unmanageable complexity)
-\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
-further parts are secret
-\item other attacks have been found
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Protocols are Difficult}
-\begin{itemize}
-\item even the systems designed by experts regularly fail\medskip
-\item the one who can fix a system should also be liable for the losses\medskip
-\item cryptography is often not the problem\bigskip\bigskip
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A Simple PK Protocol}
-\begin{center}
-\begin{tabular}{ll@{\hspace{2mm}}l}
-1. & \bl{$A \to B :$} & \bl{$K^{pub}_A$}\smallskip\\
-2. & \bl{$B \to A :$} & \bl{$K^{pub}_B$}\smallskip\\
-3. & \bl{$A \to B :$} & \bl{$\{A,m\}_{K^{pub}_B}$}\smallskip\\
-4. & \bl{$B \to A :$} & \bl{$\{B,m'\}_{K^{pub}_A}$}
-\end{tabular}
-\end{center}\pause\bigskip
-unfortunately there is a simple man-in-the- middle-attack
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A MITM Attack}
-\begin{center}
-\begin{tabular}{ll@{\hspace{2mm}}l}
-1. & \bl{$A \to E :$} & \bl{$K^{pub}_A$}\smallskip\\
-2. & \bl{$E \to B :$} & \bl{$K^{pub}_E$}\smallskip\\
-3. & \bl{$B \to E :$} & \bl{$K^{pub}_B$}\smallskip\\
-4. & \bl{$E \to A :$} & \bl{$K^{pub}_E$}\smallskip\\
-5. & \bl{$A \to E :$} & \bl{$\{A,m\}_{K^{pub}_E}$}\smallskip\\
-6. & \bl{$E \to B :$} & \bl{$\{E,m\}_{K^{pub}_B}$}\smallskip\\
-7. & \bl{$B \to E :$} & \bl{$\{B,m'\}_{K^{pub}_E}$}\smallskip\\
-8. & \bl{$E \to A :$} & \bl{$\{E,m'\}_{K^{pub}_A}$}
-\end{tabular}
-\end{center}\pause\medskip
-and \bl{$A$} and \bl{$B$} have no chance to detect it
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Interlock Protocol}
-The interlock protocol (``best bet'' against MITM):
-\begin{center}
-\begin{tabular}{ll@{\hspace{2mm}}l}
-1. & \bl{$A \to B :$} & \bl{$K^{pub}_A$}\\
-2. & \bl{$B \to A :$} & \bl{$K^{pub}_B$}\\
-3. & & \bl{$\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$}\\
-& & \bl{$\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$}\\
-4. & \bl{$A \to B :$} & \bl{$H_1$}\\
-5. & \bl{$B \to A :$} & \bl{$\{H_1, M_1\}_{K^{pub}_A}$}\\
-6. & \bl{$A \to B :$} & \bl{$\{H_2, M_1\}_{K^{pub}_B}$}\\
-7. & \bl{$B \to A :$} & \bl{$M_2$}
-\end{tabular}
-\end{center}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Splitting Messages}
-\begin{center}
-$\underbrace{\texttt{\Grid{0X1peUVTGJK+H70mMjAM8p}}}_{\bl{\{A,m\}_{K^{pub}_B}}}$
-\end{center}
-\begin{center}
-$\underbrace{\texttt{\Grid{0X1peUVTGJK}}}_{\bl{H_1}}$\quad
-$\underbrace{\texttt{\Grid{+H70mMjAM8p}}}_{\bl{H_2}}$
-\end{center}
-\begin{itemize}
-\item you can also use the even and odd bytes
-\item the point is you cannot decrypt the halves, even if you
-have the key
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\begin{center}
-\begin{tabular}{l@{\hspace{9mm}}l}
-\begin{tabular}[t]{@{}l@{}}
-\bl{$A \to C : K^{pub}_A$}\\
-\bl{$C \to B : K^{pub}_C$}\\
-\bl{$B \to C : K^{pub}_B$}\\
-\bl{$C \to A : K^{pub}_C$}\medskip\\
-\bl{$\{A,m\}_{K^{pub}_C} \;\mapsto\; H_1,H_2$}\\
-\bl{$\{B,m'\}_{K^{pub}_C} \;\mapsto\; M_1,M_2$}\bigskip\\
-\bl{$\{C,a\}_{K^{pub}_B} \;\mapsto\; C_1,C_2$}\\
-\bl{$\{C,b\}_{K^{pub}_A} \;\mapsto\; D_1,D_2$}
-\end{tabular} &
-\begin{tabular}[t]{@{}l@{}}
-\bl{$A \to C : H_1$}\\
-\bl{$C \to B : C_1$}\\
-\bl{$B \to C : \{C_1, M_1\}_{K^{pub}_C}$}\\
-\bl{$C \to A : \{H_1, D_1\}_{K^{pub}_A}$}\\
-\bl{$A \to C : \{H_2, D_1\}_{K^{pub}_C}$}\\
-\bl{$C \to B : \{C_2, M_1\}_{K^{pub}_B}$}\\
-\bl{$B \to C : M_2$}\\
-\bl{$C \to A : D_2$}
-\end{tabular}
-\end{tabular}
-\end{center}\pause
-\footnotesize
-\bl{$m$} = How is your grandmother? \bl{$m'$} = How is the
-weather today in London?
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\begin{itemize}
-\item you have to ask something that cannot be imitated
-(requires \bl{$A$} and \bl{$B$} know each other)
-\item what happens if \bl{$m$} and \bl{$m'$} are voice
-messages?\bigskip\pause
-\item So \bl{$C$} can either leave the communication unchanged,
-or invent a complete new conversation
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\begin{itemize}
-\item the moral: establishing a secure connection from
-``zero'' is almost impossible---you need to rely on some
-established trust\medskip
-\item that is why PKI relies on certificates, which however are
-badly, badly realised
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Trusted Third Parties}

changeset 556	e6e87d5839c0
parent 518	e1fcfba63a31