--- a/slides/slides04.tex Wed Oct 14 10:27:07 2015 +0100
+++ b/slides/slides04.tex Thu Oct 15 01:41:33 2015 +0100
@@ -45,13 +45,32 @@
\end{center}
\begin{itemize}
-\item no ``cheating'' needed for format string attacks;
-\item the main point, no real cheating (Facebook no; printer, router
-etc yes)
-\end{itemize}
+\item no ``cheating'' needed for format string attacks
+\item the main point: no cheating to start with
+\end{itemize}
+
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+
+\begin{bubble}[10cm]\small How do we implement BOAs? On a
+webpage login, for example Facebook, we can't do this. The
+script will not let us enter hexadecimal numbers where email
+or username is required and plus it will have a max length,
+like 32 characters only. In this case, what can we do, since
+the method you showed us wouldn't work?
+\end{bubble}\bigskip\bigskip\pause
+
+\begin{itemize}
+\item Facebook no
+\item printers, routers, cars, IoT etc likely
+\end{itemize}
+
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
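Review bot: The two answer items on L28–L29 give a verdict but not the reason the student in the bubble is asking for: the length limit and input filtering she describes belong to the web application's form handling, whereas embedded devices often parse input directly in native code, which is where the attack class taught earlier applies. A third item such as `\item the difference: where, and in which language, the input is parsed` would tie the answer back to the slide's main point on L11. The frame also has no `\frametitle`, unlike its neighbours, and `\bigskip\bigskip\pause` on L25 is hand-tuned spacing; `\vfill` or a single `\medskip` is the usual beamer idiom.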
@@ -155,7 +174,7 @@
\hspace{8mm}
\begin{bubble}[8cm]
-\alert{principle of least privilege:}\\
+\alert{\bf principle of least privilege:}\\
users and programs should only have as much privilege as they need to
accomplish a task
\end{bubble}
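Review bot: `\alert{\bf principle of least privilege:}` on L41 uses the obsolete two-letter font switch `\bf`; if bold is wanted on top of the alert colour, `\alert{\textbf{principle of least privilege:}}\\` is the LaTeX2e form and nests correctly with the surrounding font. The bubble environment is complete within the hunk (L39–L44), so the change is self-contained.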
@@ -316,10 +335,30 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Subtleties}
+
+
+\begin{itemize}
+\item<1-> Can Bob write \pcode{file}?
+\item<2-> What if Bob is member of \pcode{staff}?
+\end{itemize}\bigskip
+
+\begin{center}
+${\underbrace{\Large\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
+ \;{\underbrace{\Large\texttt{r{}-{}-}}_{\text{user}}}\,
+ {\underbrace{\Large\texttt{r{}w{}-}}_{\text{group}}}\,
+ {\underbrace{\Large\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
+ \Large\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{Login Process}
+\frametitle{Login Processes}
\begin{itemize}
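Review bot: `\Large` is used inside `$...$` on L59–L63; font-size commands are invalid in math mode (LaTeX reports `Command \Large invalid in math mode`), so either build the permission diagram in text mode or wrap each piece as `\text{\Large\texttt{r{}-{}-}}` (amsmath's `\text` is already used on L60). The two questions on L54–L55 are never resolved on the slide; a third overlay item stating the answer — when the accessing user is the file's owner, Unix applies the owner bits only and does not fall through to the group bits, so Bob's `r--` denies the write even though `staff` has `rw-` — would make the subtlety explicit rather than leaving it to the spoken commentary. `\makebox[0mm]{directory}` on L59 exists only to stop the label widening the first column; if mathtools is loaded, `\mathclap{\text{directory}}` does the same without a zero-width box.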
@@ -366,64 +405,6 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{\Large Discretionary Access Control}
-
-\begin{itemize}
-\item Access to objects (files, directories, devices, etc.) is
-permitted based on user identity. Each object is owned by a
-user. Owners can specify freely (at their discretion) how they want to
-share their objects with other users, by specifying which other users
-can have which form of access to their objects.\medskip
-
-\item Discretionary access control is implemented on any modern multi-user
-OS (Unix, Windows NT, etc.).
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\Large Mandatory Access Control}
-
-\begin{itemize}
-\item Access to objects is controlled by a system-wide policy, for
- example to prevent certain flows of information. In some forms, the
- system maintains security labels for both objects and subjects
- (processes, users) based on which access is granted or
- denied. Labels can change as the result of an access. Security
- policies are enforced without the cooperation of users or
- programs.\medskip
-
-\item This is implemented in banking or military operating system
- versions (SELinux).
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\Large Discretionary Access Control}
-
-In its most generic form usually given by an \alert{Access Control
- Matrix} of the form
-
-\begin{center}
-\begin{tabular}{r|c|c|c}
- & /mail/jane & edit.exe & postfix \\\hline
-jane & r, w & r, x & r, x\\\hline
-john & $\varnothing$ & r, w, x& r, x\\\hline
-postfix & a & $\varnothing$ & r, x\\
-\end{tabular}
-\end{center}
-
-access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
\small
\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst}
@@ -450,21 +431,43 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{Mandatory Access Control}
+\frametitle{\Large Discretionary Access Control}
+
\small
-
\begin{itemize}
-\item Restrictions to allowed information flows are not decided at the
- user's discretion (as with Unix \pcode{chmod}), but instead enforced
- by system policies.
+\item Access to objects (files, directories, devices, etc.) is
+permitted based on user identity. Each object is owned by a
+user. Owners can specify freely (at their discretion) how they want to
+share their objects with other users, by specifying which other users
+can have which form of access to their objects.\medskip
+
+\item Discretionary access control is implemented on any modern multi-user
+OS (Unix, Windows NT, etc.).
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\item Mandatory access control mechanisms are aimed in particular at
- preventing policy violations by untrusted programs, which typically
- have at least the same access privileges as the invoking
- user.\medskip\pause
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\Large Mandatory Access Control}
-Simple example: Air Gap Security. Uses a completely separate network
-and computer hardware for different application classes.
+\small
+\begin{itemize}
+\item Access to objects is controlled by a system-wide policy, for
+ example to prevent certain flows of information. In some forms, the
+ system maintains security labels for both objects and subjects
+ (processes, users) based on which access is granted or
+ denied. Labels can change as the result of an access. Security
+ policies are enforced without the cooperation of users or
+ programs.\medskip
+
+\item This is implemented in banking or military operating system
+ versions (SELinux).\pause
+\item A simple example: Air Gap Security. Uses a completely separate network
+and computer hardware for different application classes (Bin Laden, Bruce Schneier had
+airgaps).\pause
+\item What do we want to protect: Secrecy or Integrity?
\end{itemize}
\end{frame}
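Review bot: `This is implemented in banking or military operating system versions (SELinux).` on L179–L180 mischaracterises SELinux, which is a Linux kernel security module enabled by default in mainstream distributions and in Android rather than a special banking or military edition; `\item Mandatory access control is also found in mainstream systems, e.g.\ SELinux, which is enabled by default on Android and several Linux distributions.` would be accurate. The parenthetical on L182–L183, `(Bin Laden, Bruce Schneier had airgaps)`, reads as a fragment; spell out what the examples illustrate, e.g. `(air gaps were used, for example, by Bruce Schneier and reportedly by Bin Laden)`, and add a source if one is available. The trailing `\pause` inside the items on L180 and L183 is fine, but `\medskip` appears only after the first item on L177, so the spacing between items is uneven.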
@@ -509,8 +512,8 @@
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
\bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
- \item Meta-Rule: All principals in a system should have a sufficiently high security level
- in order to access an object.
+ %\item Meta-Rule: All principals in a system should have a sufficiently high security level
+ %in order to access an object.
\end{itemize}\bigskip
This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
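Review bot: The `\medskip` at the end of the Write Rule item on L189 was there to separate it from the Meta-Rule; now that the Meta-Rule is commented out on L192–L193 it only adds space before `\end{itemize}\bigskip`, so drop it: `\bl{$O$}'s security level is at least as high as \bl{$P$}'s.`. Commenting the item out rather than deleting it leaves dead text in the source; the history is kept by version control, so removing the two lines is cleaner.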
@@ -542,7 +545,7 @@
\frametitle{Biba Policy}
\small
- Data Integrity (rather than data confidentiality)
+ Data Integrity (rather than data secrecy)
\begin{itemize}
\item Biba: {\bf `no read down'} - {\bf `no write up'}
@@ -610,20 +613,118 @@
hierarchy is too complex\\
\textcolor{gray}{you invite situations like\ldots lets be root}\bigskip
-\item you can still abuse the system\ldots\bigskip\pause
-
-\item
- policies (a finite system)\\
- computer system (infinite)\medskip\\
-Q: Does your policy ensure that a tainted file cannot affect your
-core system files?
-
+\item you can still abuse the system\ldots
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Protocols}
+
+\begin{center}
+\includegraphics[scale=0.11]{../pics/keyfob.jpg}
+\quad
+\includegraphics[scale=0.3025]{../pics/startstop.jpg}
+\end{center}
+
+\begin{itemize}
+\item Other examples: Wifi, Http-request, TCP-request,
+card readers, RFID (passports)\medskip\pause
+
+\item The point is that we cannot control the network: An attacker
+can install a packet sniffer, inject packets, modify packets,
+replay messages\ldots{}fake pretty much everything.
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Keyless Car Transponders}
+
+\begin{center}
+\includegraphics[scale=0.1]{../pics/keyfob.jpg}
+\quad
+\includegraphics[scale=0.27]{../pics/startstop.jpg}
+\end{center}
+
+\begin{itemize}
+\item There are two security mechanisms: one remote central
+locking system and one passive RFID tag (engine immobiliser).
+\item How can I get in? How can thieves be kept out?
+How to avoid MITM attacks?
+\end{itemize}\medskip
+
+\footnotesize
+\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
+\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
+\hfill a Vehicle Immobilizer
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{HTTPS / GSM}
+
+\begin{center}
+\includegraphics[scale=0.25]{../pics/barclays.jpg}
+\quad
+\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
+\end{center}
+
+\begin{itemize}
+\item I am sitting at Starbuck. How can I be sure I am really
+ visiting Barclays? I have no control of the access
+ point.
+\item How can I achieve that a secret key is established in
+ order to encrypt my mobile conversation? I have no
+ control over the access points.
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Handshakes}
+
+\begin{itemize}
+\item starting a TCP connection between a client and a server
+initiates the following three-way handshake protocol:
+\end{itemize}
+
+\begin{columns}[t]
+\begin{column}{5cm}
+\begin{minipage}[t]{4cm}
+\begin{center}
+\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
+\end{center}
+\end{minipage}
+\end{column}
+\begin{column}{5cm}
+\begin{tabular}[t]{rl}
+Alice: & Hello server!\\
+Server: & I heard you\\
+Alice: & Thanks
+\end{tabular}
+\end{column}
+\end{columns}
+
+\only<2>{
+\begin{textblock}{3}(11,5)
+\begin{bubble}[3.2cm]
+SYNflood attacks:\medskip\\
+\includegraphics[scale=0.4]{../pics/synflood.png}
+\end{bubble}
+\end{textblock}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Protocols}
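Review bot: `I am sitting at Starbuck.` on L276 should read `I am sitting at Starbucks.`, and the two items on L276–L281 both end with a sentence about having no control over the access point, so one of them can go. The same two photographs appear on the Protocols frame (L223, L225) and the Keyless Car Transponders frame (L245, L247) at slightly different absolute scales (0.11/0.3025 versus 0.1/0.27); sizing them with `width=0.3\linewidth` keeps the two frames consistent and survives a change of paper size. The paper references on L258–L260 are laid out with `\hfill` and `\\` in body text; if the slides have a bibliography, `\cite` is the robust way, otherwise a `\footnotesize` `flushright` environment avoids the manual line breaks. Capitalisation on L229 is also mixed (`Wifi, Http-request, TCP-request`); `Wi-Fi, HTTP requests, TCP requests` matches the usual spellings.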
@@ -648,17 +749,55 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
+\frametitle{Handshakes}
+
+\begin{itemize}
+\item starting a TCP connection between a client and a server
+initiates the following three-way handshake protocol:
+\end{itemize}
+
+\begin{columns}[t]
+\begin{column}{5cm}
+\begin{minipage}[t]{4cm}
+\begin{center}
+\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
+\end{center}
+\end{minipage}
+\end{column}
+\begin{column}{5cm}
+\begin{tabular}[t]{rl}
+Alice: & Hello server!\\
+Server: & I heard you\\
+Alice: & Thanks
+\end{tabular}
+\end{column}
+\end{columns}
+
+\begin{center}
+\begin{tabular}{rl}
+\bl{$A \rightarrow S$}: & \bl{SYN}\\
+\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
+\bl{$A \rightarrow S$}: & \bl{ACK}\\
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}
Ross Anderson and Roger Needham wrote:\bigskip
\begin{quote}\rm
-\alert{A lot of the recorded frauds were the result of this kind of
- blunder, or from management negligence pure and simple.} However,
+A lot of the recorded frauds were the result of this kind of
+ blunder, or from management negligence pure and simple.
+ \alert{However,
there have been a significant number of cases where the designers
protected the right things, used cryptographic algorithms which were
not broken, and yet found that their systems were still successfully
-attacked.
+attacked.}
\end{quote}
\end{frame}
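Review bot: The message notation on L355–L357 puts the colon outside the coloured math (`\bl{$A \rightarrow S$}: &`), while the existing tables in this file put it inside (`\bl{$A \rightarrow B$:} &` on L449); one form, ideally a macro defined once in the preamble (constructed example: `\newcommand*{\msg}[2]{\bl{$#1 \rightarrow #2:$}}`), would keep every protocol transcript consistent. The Handshakes frame on L329–L351 repeats the frame added in the previous hunk (L287–L320) verbatim apart from the overlay bubble and the new message table; if the two are meant as one build-up, overlays (`\onslide<2->` around the table) on a single frame avoid maintaining the same text twice. The moved `\alert` on L373–L378 now wraps text still governed by the plain-TeX `\rm` switch on L368; `\normalfont` is the LaTeX2e equivalent if that line is touched again.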
@@ -757,26 +896,6 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{\Large Cryptographic Protocol Failures}
-
-Ross Anderson and Roger Needham wrote:\bigskip
-
-\begin{quote}\rm
-A lot of the recorded frauds were the result of this kind of blunder,
-or from management negligence pure and simple. \alert{However, there
- have been a significant number of cases where the designers
- protected the right things, used cryptographic algorithms which were
- not broken, and yet found that their systems were still successfully
- attacked.}
-\end{quote}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
\frametitle{Authentication Protocols}
@@ -791,11 +910,21 @@
Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the
identity of \bl{$B$}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Authentication?}
+
+\begin{center}
+\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
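Review bot: The new `Authentication?` frame on L413–L420 asks beamer to centre its only content vertically via `[c]` and then shifts it down with `\raisebox{-2cm}` on L417, which works against the centring; `\includegraphics[width=0.6\linewidth]{../pics/dogs.jpg}` inside the `center` environment is enough. The picture carries no source credit on the slide, which the other image frames in this commit also lack. Dropping the `\mode<presentation>{` wrappers here and in the following hunks means these frames are no longer restricted to presentation mode; that is presumably intended, since the frames added elsewhere in this commit (e.g. L17, L49) are already bare, but it changes what a handout or article build produces.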
@@ -811,11 +940,10 @@
\end{center}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}
@@ -836,7 +964,7 @@
%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her
%own challenges.
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -863,13 +991,12 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\
-\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{ab}}$}\\
+\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}
@@ -887,13 +1014,12 @@
\end{center}\pause
\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encryption to the Rescue?}
+\begin{frame}[c]
+\frametitle{Encryption to the Rescue?}
\begin{itemize}
@@ -904,11 +1030,10 @@
means you need to send separate ``Hello'' signals (bad), or worse
share a single key between many entities
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocol Attacks}
@@ -923,87 +1048,10 @@
\item (social engineering attacks)
\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Public-Key Infrastructure}
-
-\begin{itemize}
-\item the idea is to have a certificate authority (CA)
-\item you go to the CA to identify yourself
-\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
-\item CA must be trusted by everybody
-\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
-explicitly limits liability to \$100.)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Person-in-the-Middle}
-
-``Normal'' protocol run:\bigskip
-
-\begin{itemize}
-\item \bl{$A$} sends public key to \bl{$B$}
-\item \bl{$B$} sends public key to \bl{$A$}
-\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
-with its private key
-\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
-with its private key
-\end{itemize}
-
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Person-in-the-Middle}
-
-Attack:
-
-\begin{itemize}
-\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key
-\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
-\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
-with its private key, re-encrypts with \bl{$B$}'s public key
-\item similar for other direction
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Person-in-the-Middle}
-
-Prevention:
-
-\begin{itemize}
-\item \bl{$A$} sends public key to \bl{$B$}
-\item \bl{$B$} sends public key to \bl{$A$}
-\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
-\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
-\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
-\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
-\end{itemize}\pause
-
-\bl{$C$} would have to invent a totally new message
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}
@@ -1016,129 +1064,90 @@
explicitly limits liability to \$100.)
\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Binding Attacks}
-
-with public-private keys it is important that the public key is \alert{bound}
-to the right owner (verified by a certification authority \bl{$CA$})
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
-\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
-\end{tabular}
-\end{center}\bigskip
-
-\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
-in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Binding Attacks}
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
-\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
-\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
-\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
-\end{tabular}
-\end{center}\pause
-
-\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
-(which happily decrypts them with its private key)
-
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{Replay Attacks}
+\frametitle{Man-in-the-Middle}
-Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}:
+``Normal'' protocol run:\bigskip
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
+\begin{itemize}
+\item \bl{$A$} sends public key to \bl{$B$}
+\item \bl{$B$} sends public key to \bl{$A$}
+\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
+with its private key
+\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
+with its private key
+\end{itemize}
-at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
-\bl{$K_{AB}$} and know that the other principal has the key
-
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Man-in-the-Middle}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
+Attack:
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
-\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
-\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
-\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
-\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
-\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
-\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
-\end{tabular}
-\end{center}\pause
+\begin{itemize}
+\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key
+\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
+\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
+with its private key, re-encrypts with \bl{$B$}'s public key
+\item similar for other direction
+\end{itemize}
-\bl{$B$} believes it is following the correct protocol,
-intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
-talks to \bl{$B$} masquerading as \bl{$A$}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
-\frametitle{Time-Stamps}
+\frametitle{Man-in-the-Middle}
+
+Potential Prevention?
-The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):
+\begin{itemize}
+\item \bl{$A$} sends public key to \bl{$B$}
+\item \bl{$B$} sends public key to \bl{$A$}
+\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
+\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
+\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
+\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
+\end{itemize}\pause
+
+%\bl{$C$} would have to invent a totally new message
+\alert{Under which circumstances does this protocol prevent
+MiM-attacks, or does it?}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Car Transponder (HiTag2)}
-but nothing is for free: then you need to synchronise time and possibly become a victim to
-timing attacks
+\begin{enumerate}
+\item \bl{$C$} generates a random number \bl{$N$}
+\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
+\item \bl{$C \to T$}: \bl{$N, F$}
+\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
+\item \bl{$T$} checks that \bl{$F = F'$}
+\item \bl{$T \to C$}: \bl{$N, G'$}
+\item \bl{$C$} checks that \bl{$G = G'$}
+\end{enumerate}\pause
-\end{frame}}
+\small
+This process means that the transponder believes the car knows
+the key \bl{$K$}, and the car believes the transponder knows
+the key \bl{$K$}. They have authenticated themselves
+to each other, or have they?
+
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
A Man-in-the-middle attack in real life:
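Review bot: `send's` on L691 and L692 should be `sends`; both lines are new on this side, so the fix belongs in this commit. The abbreviation `MiM-attacks` on L698–L699 does not match the frame titles `Man-in-the-Middle` (L619, L647, L684), `MITM attacks` on L254 or `Man-in-the-middle` on L738; pick one spelling, e.g. `MITM attacks`. The half-message exchange on L689–L694 is, as far as I can tell, the Rivest–Shamir interlock protocol; naming it on the slide gives students a term to look up when they work through the closing question. The HiTag2 transcript on L720 and L723 writes `\to` where the other protocol tables in the file use `\rightarrow`; they render the same, but one spelling in the source is easier to search and maintain.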
@@ -1156,11 +1165,10 @@
\end{center}
\end{minipage}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{Problems with EMV}
@@ -1172,31 +1180,11 @@
\item other attacks have been found
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}}
-
-\begin{itemize}
-\item a standard ratified in 1999
-\item the protocol was designed by a committee not including cryptographers
-\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
-\item WEP did not allocate enough bits for the nonce
-\item for authenticating packets it used CRC checksum which can be easily broken
-\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
-\item encryption was turned off by default
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocols are Difficult}
@@ -1207,11 +1195,10 @@
\item cryptography is often not {\bf the} answer\bigskip\bigskip
\end{itemize}
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}
@@ -1221,12 +1208,10 @@
{\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent
to mention the principal’s name explicitly in the message (though difficult).\bigskip
-
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
{\bf Principle 3:} Be clear about why encryption is being
@@ -1245,13 +1230,10 @@
\end{itemize}
\end{center}
-
-
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}
@@ -1261,7 +1243,7 @@
Example Certification Authorities: CAs are trusted to certify a key only after proper steps
have been taken to identify the principal that owns it.
-\end{frame}}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}