\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}

\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

\hfuzz=220pt 

% beamer stuff 
\renewcommand{\slidecaption}{APP 04, King's College London}
\newcommand{\bl}[1]{\textcolor{blue}{#1}}  

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (4)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also home work is there)\\
  \end{tabular}
  \end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
last week: buffer overflow attacks
\end{center}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Wifi Router, BOA}
\small

As a proof-of-concept, the following URL allows 
attackers to control the return value saved on 
the stack (the vulnerability is triggered when
executing "/usr/sbin/widget"):

\begin{center}\footnotesize 
\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
\end{center}

The value of the "hash" HTTP GET parameter consists of
292 occurrences of the \pcode{'A'} character, followed by four 
occurrences of character \pcode{'B'}. In our lab setup, characters 
\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip


\begin{tabular}{@{}ll}
Discovery date: & 06/03/2013\\
Release date:   & 02/08/2013
\end{tabular}



\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} 
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Backdoors}

D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip

\begin{quote}\rm\small
If you tell your browser to identify itself as Joel's backdoor, instead of (say) 
as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
  
"What is this string," I hear you ask?

You will laugh: it is 

\begin{center}
\pcode{xmlset_roodkcableoj28840ybtide}
\end{center}
\end{quote}\bigskip\bigskip

\hfill\footnotesize October 15, 2013\\
\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]

CVE-2014-0476 chkrootkit vulnerability 4 Jun'14\medskip

\begin{quote}\rm\small
Hi,

we just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:

\begin{itemize}
\item Put an executable file named \pcode{update} with non-root owner in /tmp (not
mounted noexec, obviously)
\item Run chkrootkit (as uid 0)
\end{itemize}

Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to \pcode{/tmp} (not mounted noexec), he may
easily take advantage of this.
\end{quote}
\mbox{}\\[-10mm]

\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix}

\begin{itemize}
\item access control provided by the OS
\item authenticate principals (login)
\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
\item roles get attached with privileges\bigskip\\%
\hspace{8mm}
\begin{bubble}[8cm]
\alert{principle of least privilege:}\\
users and programs should only have as much privilege as they need 
\end{bubble}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}


\begin{itemize}
\item privileges are specified by file access permissions (``everything is a file'')\medskip 
\item there are 9 (plus 2) bits that specify the permissions of a file

\begin{center}
\begin{tabular}{l}
\texttt{\$ ls -la}\\
\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
\end{tabular}
\end{center}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Login Process}


\begin{itemize}
\item login processes run under UID $=$ \pcode{0}\medskip 
\begin{center}
\texttt{ps -axl | grep login}
\end{center}\medskip

\item after login, shells run under UID $=$ user (e.g.~501)\medskip
\begin{center}
\texttt{id cu}
\end{center}\medskip\pause

\item non-root users are not allowed to change the UID --- would break 
access control
\item but needed for example for \texttt{passwd}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Setuid and Setgid}

The solution is that Unix file permissions are 9 + \underline{2 Bits}:
\alert{Setuid} and \alert{Setgid} Bits

\begin{itemize}
\item When a file with setuid is executed, the resulting process will
  assume the UID given to the owner of the file.
\item This enables users to create processes as root (or another
  user).\bigskip

\item Essential for changing passwords, for example.
\end{itemize}

\begin{center}
\texttt{chmod 4755 fobar\_file}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control}

\begin{itemize}
\item \bl{Discretionary Access Control:}\mbox{}\medskip\\

\small Access to objects (files, directories, devices, etc.) is permitted 
based on user identity. Each object is owned by a user. Owners can 
specify freely (at their discretion) how they want to share their objects 
with other users, by specifying which other users can have which 
form of access to their objects.\medskip

Discretionary access control is implemented on any multi-user OS 
(Unix, Windows NT, etc.).
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control}

\begin{itemize}
\item \bl{Mandatory Access Control:}\mbox{}\medskip\\

\small Access to objects is controlled by a system-wide policy, for example 
to prevent certain flows of information. In some forms, the system maintains 
security labels for both objects and subjects (processes, users), based on 
which access is granted or denied. Labels can change as the result of an 
access. Security policies are enforced without the cooperation of users or 
application programs.\medskip

This is implemented today in special military operating system versions
(SELinux).
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}

In its most generic form usually given by an Access Control Matrix 
of the form

\begin{center}
\begin{tabular}{r|c|c|c}
                 & /mail/jane & edit.exe & sendmail \\\hline
jane          & r, w & r, x & r, x\\\hline
john          & $\varnothing$ & r, w, x&  r, x\\\hline
sendmail  & a & $\varnothing$ &  r, x\\
\end{tabular}
\end{center}

access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\small

\lstinputlisting[numbers=none,xleftmargin=-6mm]{lst}


\begin{center}
\begin{tabular}{ll}
Members of group staff: & ping, bob, emma\\ 
Members of group students: & emma\\
\end{tabular}
\end{center}

\begin{center}
\begin{tabular}{@{\hspace{-7mm}}r|c|c|c|c|c@{}}
        & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
ping & & & & &\\\hline
bob & & & & &\\\hline
emma   & & & & &\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mandatory Access Control}
\small

\begin{itemize}
\item Restrictions to allowed information flows are not decided at the
  user's discretion (as with Unix \pcode{chmod}), but instead enforced
  by system policies.

\item Mandatory access control mechanisms are aimed in particular at
  preventing policy violations by untrusted application software,
  which typically have at least the same access privileges as the
  invoking user.\medskip

Simple example: Air Gap Security. Uses completely separate network
and computer hardware for different application classes.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Bell/LaPadula Model}

\begin{itemize}
\item Formal policy model for mandatory access control in a military
  multi-level security environment. All subjects (processes, users,
  terminals, files, windows, connections) are labeled
  with a confidentiality level, e.g.
\begin{center}
unclassified < confidential < secret < top secret
\end{center}\medskip

\item The system policy automatically prevents the flow of information
  from high-level objects to lower levels. A process that reads top
  secret data becomes tagged as top secret by the operating system, as
  will be all files into which it writes afterwards.
%Each user has a maximum allowed confidentiality level specified and
%cannot receive data beyond that level. A selected set of trusted
%subjects is allowed to bypass the restrictions, in order to permit
%the declassification of information.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[c]
  \frametitle{Bell-LaPadula}
  \small
  
  \begin{itemize}
  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
  \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
  \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip

  \item Meta-Rule: All principals in a system should have a sufficiently high security level
  in order to access an object.
  \end{itemize}\bigskip

  This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause

  Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[c]
  \frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
  
  \begin{bubble}[10cm]
  A principal should have as few privileges as possible to access a resource.
  \end{bubble}\bigskip\bigskip
  \small

  \begin{itemize}
  \item Bob ($T\!S$) and Alice ($S$) want to communicate
  \item[] $\Rightarrow$ Bob should lower his security level
  \end{itemize}

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[c]
  \frametitle{Biba Policy}
  \small
  
  Data Integrity (rather than data confidentiality)

  \begin{itemize}
  \item Biba: {\bf `no read down'} - {\bf `no write up'}
  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
  \bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
  \bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
  \end{itemize}\bigskip\bigskip\pause

  E.g.~Firewalls: you can read from inside the firewall, but not from outside\\
  Phishing: you can look at an approved PDF, but not one from a random email\\

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Security Levels (2)}

\begin{itemize}
\item Bell-La Padula preserves data secrecy, but not data
  integrity\bigskip\pause

\item Biba model is for data integrity  

\begin{itemize}
\item read: your own level and above
\item write: your own level and below
\end{itemize}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Shared Access Control}

\begin{center}
\includegraphics[scale=0.7]{../pics/pointsplane.jpg}
\end{center}

\begin{textblock}{11}(10.5,10.5)
\small
To take an action you\\[-1mm] 
need at least either:
\begin{itemize}
\item 1 CEO\\[-5mm]
\item 2 MDs, or\\[-5mm]
\item 3 Ds
\end{itemize}
\end{textblock}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Lessons from Access Control}

Not just restricted to Unix:

\begin{itemize}
\item if you have too many roles (i.e.~too finegrained AC), then 
	hierarchy is too complex\\
	\textcolor{gray}{you invite situations like\ldots lets be root}\bigskip

\item you can still abuse the system\ldots\bigskip\pause

\item 
  policies (a finite system)\\
  computer system (infinite)\medskip\\
Q: Does your policy ensure that a tainted file cannot affect your
core system files?

\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[t]
  \frametitle{Protocols}
 
\mbox{} 
  
\begin{tabular}{l}
{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\
\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
\end{tabular}  
  
 \begin{itemize}
 \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
 but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
\item<2-> indicates one ``protocol run'', or session,  which specifies some 
order in the communication
\item<2-> there can be several sessions in parallel (think of wifi routers) 
\end{itemize} 
  
  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}

Ross Anderson and Roger Needham wrote:\bigskip

\begin{quote}\rm
\alert{A lot of the recorded frauds were the result of this kind of
  blunder, or from management negligence pure and simple.} However,
there have been a significant number of cases where the designers
protected the right things, used cryptographic algorithms which were
not broken, and yet found that their systems were still successfully
attacked.
\end{quote}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}<1-3>[c]
  \frametitle{Oyster Cards}

  \includegraphics[scale=0.4]{../pics/oysterc.jpg}

  \begin{itemize}
  \item good example of a bad protocol\\ (security by obscurity)\bigskip
  \item<3->  ``Breaching security on Oyster cards should not 
  allow unauthorised use for more than a day, as TfL promises to turn 
  off any cloned cards within 24 hours\ldots''
  \end{itemize}

  \only<2>{
  \begin{textblock}{12}(0.5,0.5)
  \begin{bubble}[11cm]\footnotesize
  {\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip

  The Mifare Classic is the most widely used contactless smartcard on the
  market. The stream cipher CRYPTO1 used by the Classic has recently been
  reverse engineered and serious attacks have been proposed. The most serious
  of them retrieves a secret key in under a second. In order to clone a card,
  previously proposed attacks require that the adversary either has access to
  an eavesdropped communication session or executes a message-by-message
  man-in-the-middle attack between the victim and a legitimate
  reader. Although this is already disastrous from a cryptographic point of
  view, system integrators maintain that these attacks cannot be performed
  undetected.\smallskip

  This paper proposes four attacks that can be executed by an adversary having
  only wireless access to just a card (and not to a legitimate reader). The
  most serious of them recovers a secret key in less than a second on ordinary
  hardware. Besides the cryptographic weaknesses, we exploit other weaknesses
  in the protocol stack. A vulnerability in the computation of parity bits
  allows an adversary to establish a side channel. Another vulnerability
  regarding nested authentications provides enough plaintext for a speedy
  known-plaintext attack.\hfill{}(a paper from 2009)
  \end{bubble}
  \end{textblock}}

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1->[t]
\frametitle{Another Example}

In an email from Ross Anderson\bigskip\small	

\begin{tabular}{l}
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
Sender: cl-security-research-bounces@lists.cam.ac.uk\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Birmingham case\\
Date: Tue, 13 Aug 2013 15:13:17 +0100\\
\end{tabular}


\only<2>{
\begin{textblock}{12}(0.5,0.8)
\begin{bubble}[11cm]
\footnotesize
As you may know, Volkswagen got an injunction against the University of
Birmingham suppressing the publication of the design of a weak cipher
used in the remote key entry systems in its recent-model cars. The paper
is being given today at Usenix, minus the cipher design.\medskip

I've been contacted by Birmingham University's lawyers who seek to prove
that the cipher can be easily obtained anyway. They are looking for a
student who will download the firmware from any newish VW, disassemble
it and look for the cipher. They'd prefer this to be done by a student
rather than by a professor to emphasise how easy it is.\medskip

Volkswagen's argument was that the Birmingham people had reversed a
locksmithing tool produced by a company in Vietnam, and since their key
fob chip is claimed to be tamper-resistant, this must have involved a
corrupt insider at VW or at its supplier Thales. Birmingham's argument
is that this is nonsense as the cipher is easy to get hold of. Their
lawyers feel this argument would come better from an independent
outsider.\medskip

Let me know if you're interested in having a go, and I'll put you in
touch

Ross
\end{bubble}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}


Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Passwords:

\begin{center}
\bl{$B \rightarrow A: K_{AB}$} 
\end{center}\pause\bigskip

Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the
identity of \bl{$B$}  

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Simple Challenge Response:

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular} 
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Mutual Challenge Response:

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular} 
\end{center}

%\pause
%An attacker \bl{$E$} can launch an impersonation attack by
%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her
%own challenges.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}

\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}


I can infer:

\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I send you my initial
message
\item if only you and me know the key, the message must have come from you
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_a$}\\  
\bl{$B \rightarrow A$:} & \bl{$\{N_a, N_b\}_{K_{ab}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_b$}\\
\end{tabular}
\end{center}

The attack (let $A$ decrypt her own messages):

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_a$}\\ 
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_a$}\\ 
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_a, N_a\}_{K_{ab}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_a, N_a\}_{K_{ab}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_a \;\;(= N_b)$}\\
\end{tabular}
\end{center}\pause

\small Solutions: \bl{$K_{ab} \not= K_{ba}$} or include an id in the second message
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  \begin{frame}[c]
  \frametitle{Encryption to the Rescue?}


 \begin{itemize}
 \item \bl{$A \,\rightarrow\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip 
 \item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
 \item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
 \end{itemize}\pause
 
means you need to send separate ``Hello'' signals (bad), or worse 
share a single key between many entities
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocol Attacks}

\begin{itemize}
\item replay attacks
\item reflection attacks
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks
\item binding attacks (public key protocols)
\item changing environment / changing assumptions\bigskip

\item (social engineering attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
explicitly limits liability to \$100.)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

``Normal'' protocol run:\bigskip

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
with its private key
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
with its private key
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Attack:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}  --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$B$} sends public key  to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key 
\item similar for other direction
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Prevention:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
\end{itemize}\pause

\bl{$C$} would have to invent a totally new message

\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Binding Attacks}

with public-private keys it is important that the public key is \alert{bound} 
to the right owner (verified by a certification authority \bl{$CA$})

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\bigskip

\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Binding Attacks}

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\pause

\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
(which happily decrypts them with its private key)

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Replay Attacks}

Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: 

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
\bl{$K_{AB}$} and know that the other principal has the key

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
\end{tabular}
\end{center}\pause

\bl{$B$} believes it is following the correct protocol,
intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
talks to \bl{$B$} masquerading as \bl{$A$}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Time-Stamps}

The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

but nothing is for free: then you need to synchronise time and possibly become a victim to
timing attacks

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

A Man-in-the-middle attack in real life:

\begin{itemize}
\item the card only says yes to the terminal if the PIN is correct
\item trick the card in thinking transaction is verified by signature
\item trick the terminal in thinking the transaction was verified by PIN
\end{itemize}

\begin{minipage}{1.1\textwidth}
\begin{center}
\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}
\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}
\end{center}
\end{minipage}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Problems with EMV}

\begin{itemize}
\item it is a wrapper for many protocols
\item specification by consensus (resulted unmanageable complexity)
\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some 
further parts are secret
\item other attacks have been found
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}}

\begin{itemize}
\item a standard ratified in 1999
\item the protocol was designed by a committee not including cryptographers
\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
\item WEP did not allocate enough bits for the nonce
\item for authenticating packets it used CRC checksum which can be easily broken
\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
\item encryption was turned off by default
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocols are Difficult}

\begin{itemize}
\item even the systems designed by experts regularly fail\medskip
\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
\item the one who can fix a system should also be liable for the losses\medskip
\item cryptography is often not {\bf the} answer\bigskip\bigskip  
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 1:} Every message should say what it means: the interpretation of 
a message should not depend on the context.\bigskip\pause

{\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent 
to mention the principal’s name explicitly in the message (though difficult).\bigskip


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

{\bf Principle 3:} Be clear about why encryption is being
done. Encryption is not cheap, and not asking precisely why it is
being done can lead to redundancy. Encryption is not synonymous with
security.

\begin{center}
Possible Uses of Encryption

\begin{itemize}
\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal.
\item Guarantee confidentiality and authenticity: binds two parts of a message --- 
\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
\end{itemize}
\end{center}



\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 4:} The protocol designer should know which trust relations his protocol depends on, and why the dependence is necessary. The reasons for particular trust relations being acceptable should be explicit though they will be founded on judgment and policy rather than on logic.\bigskip


Example Certification Authorities: CAs are trusted to certify a key only after proper steps 
have been taken to identify the principal that owns it.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: