slides08.tex
changeset 76 dde58256fc35
parent 75 df7cf3d07bd8
child 77 56dbc339ec87
--- a/slides08.tex	Mon Nov 19 22:39:22 2012 +0000
+++ b/slides08.tex	Tue Nov 20 05:22:22 2012 +0000
@@ -209,7 +209,9 @@
 \end{tabular}
 \end{center}\bigskip
 
-\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''}
+\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''\medskip\\
+was originally developed at CMU for terminals to connect to 
+workstations (e.g.~file servers)}
 
   \end{frame}}
  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%         
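Review bot: The sentence added inside `\onslide<7->{...}` begins "was originally developed at CMU" and never names what was developed; within the hunk the only antecedent is the "Sounds stupid" remark, so it reads as a fragment. The frame starts outside the hunk, so the title may supply the subject, but naming the protocol on the line itself would make the slide self-contained, e.g. `The protocol was originally developed at CMU for terminals to connect to` with the actual protocol name substituted. As a style point, `\medskip\\` inside the overlay argument is manual layout; a blank line with a second `\onslide<7->{...}` would give the same separation without the forced line break.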
@@ -257,7 +259,7 @@
 
 
  \begin{itemize}
- \item \bl{$A \,\text{sends}\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encryption\bigskip 
+ \item \bl{$A \,\text{sends}\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip 
  \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
  \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip
  \end{itemize}\pause
@@ -267,24 +269,205 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      
 
-
-  
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Possible Kinds of Attacks}
+\frametitle{Protocol Attacks}
 
 \begin{itemize}
+\item replay attacks
 \item reflection attacks
 \item man-in-the-middle attacks
-\item replay attacks
 \item timing attacks
+\item parallel session attacks
+\item binding attacks (public key protocols)
 \item changing environment / changing assumptions
 \end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
   
-  \end{document}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Replay Attacks}
+
+Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: 
+
+\begin{center}
+\begin{tabular}{r@ {\hspace{1mm}}l}
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+at the end both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
+\bl{$K_{AB}$} and know that the other principal has the key
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
+\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
+\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
+\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
+\end{tabular}
+\end{center}\pause
+
+\bl{$B$} believes it is following the correct protocol,
+intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
+talk to \bl{$B$} masquerading as \bl{$A$}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Replay Attacks}
+
+Andrew Secure RPC protocol: exchanging a new key
+between \bl{$A$} and \bl{$B$}
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+Assume nonces are represented as bit-sequences of the same length
+\begin{center}
+\begin{tabular}{@{}l@{}}
+\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\
+\bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\
+\end{tabular}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+with public-private keys it is important that the public key is \alert{bound} 
+to the right owner (verified by a certification authority \bl{$CA$})
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
+\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\bigskip
+
+\bl{$A$} knows \bl{$K^{prig}_A$} and can verify the message came from \bl{$CA$}
+in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
+\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
+\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\pause
+
+\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
+(which happily decrypts them with its private key)
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{``Real-World'' Attacks}
+
+EMV (Europay, MasterCard, Visa) is a standard for payments by credit cards\bigskip
+
+It consists of three phases:
+
+\begin{enumerate}
+\item card authentication phase (the terminal reads the information; signs it with a public key 
+and verifies the signed information)
+\item cardholder authentication (PIN; terminal sends PIN to card which verifies it; it can also verify it online
+with the bank)
+\item transaction authorisation (the terminal asks the card to provide an authentication code for the transaction;
+the code is sent to the bank for verification)
+\end{enumerate}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+A Man-in-the-middle attack
+
+\begin{itemize}
+\item the card only says yes or no to the terminal if the PIN is correct
+\item trick the card in thinking transaction is verified by signature
+\item trick the terminal in thinking the transaction was verified by PIN
+\end{itemize}
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
+\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
+\end{center}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Problems with EMV}
+
+\begin{itemize}
+\item it is a wrapper for many protocols
+\item specification by consensus (resulted unmanageable complexity)
+\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some 
+further parts are secret
+\item other attacks have been found
+
+\item one solution might be to require always online verification of the PIN with the bank
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+\end{document}
 
 %%% Local Variables:  
 %%% mode: latex
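Review bot: The card-authentication item in the "Real-World" Attacks frame says the terminal "signs it with a public key", which inverts the roles. A signature is produced with a private key (in EMV offline data authentication, by the issuer or the card, as far as I know), and the terminal only verifies it, so I would reword to `\item card authentication phase (the terminal reads the card's signed data and verifies the signature with the corresponding public key)`. In the first Binding Attacks frame `K^{prig}_A` should be `K^{priv}_A`, and the last row of the replay table (`\{N'_B-1\}_{K_{AB}}$}\`) ends in a single `\` where every other row uses `\\`. The Replay Attacks frames stop at the successful masquerade and show no defence. One closing line would fix that, e.g. `Fix: $B$ must be able to check that $\{K_{AB}, A\}_{K_{BS}}$ is fresh (timestamp or a nonce supplied by $B$)`.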