\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}

\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

\hfuzz=220pt 

% beamer stuff 
\newcommand{\bl}[1]{\textcolor{blue}{#1}}  
\renewcommand{\slidecaption}{APP 05, King's College London}


\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (5)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  \normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)\\
  \end{tabular}
  \end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols}

Some examples where ``over-the-air'' protocols are used:

\begin{itemize}
\item wifi
\item card readers (you cannot trust the terminals)
\item RFID (passports)
\item car transponders
\end{itemize}\medskip\pause

The point is that we cannot control the network:
An attacker can install a packet sniffer, inject packets,
modify packets, replay messages. 
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Keyless Car Transponders}

\begin{center}
\includegraphics[scale=0.1]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.27]{../pics/startstop.jpg}
\end{center}

\begin{itemize}
\item There are two security mechanisms: one remote central 
locking system and one passive RFID tag (engine immobiliser).
\item How can I get in? How can thieves be kept out? 
How to avoid MITM attacks?
\end{itemize}\medskip

\footnotesize
\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
\hfill a Vehicle Immobilizer

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{HTTPS / GSM}

\begin{center}
\includegraphics[scale=0.25]{../pics/barclays.jpg}
\quad
\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
\end{center}

\begin{itemize}
\item I am sitting at Starbuck. How can I be sure I am
really visiting Barclays? I have no control of the access
point.
\item How can I achieve that a secret key is established 
in order to encrypt my conversation? I have no control over
the access point.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}

\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}

\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice:  & Hello server!\\
Server: & I heard you\\
Alice:  & Thanks
\end{tabular}
\end{column}
\end{columns}\pause

\begin{center}
\begin{tabular}{rl}
\bl{$A \rightarrow S$}: & \bl{SYN}\\
\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
\bl{$A \rightarrow S$}: & \bl{ACK}\\
\end{tabular}
\end{center}

\only<2>{
\begin{textblock}{3}(11,5)
\begin{bubble}[3.2cm]
SYNflood attacks:\medskip\\
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{bubble}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication}

\begin{columns} 
\begin{column}{8cm}
\begin{minipage}[t]{7.5cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{minipage}[t]{4.5cm}
\begin{tabular}{l}
Knock Knock!\\
Who's there?\\
Alice.\\
Alice who?
\end{tabular}
\end{minipage}
\end{column}
\end{columns}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key
\bl{$K_{AB}$}\bigskip

Passwords:

\begin{center}
\bl{$A \rightarrow B: K_{AB}$} 
\end{center}\pause\bigskip

Problems: Eavesdropper can capture the secret and replay it;
\bl{$B$} cannot confirm the identity of \bl{$A$}  

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key
\bl{$K_{AB}$}\bigskip

Simple Challenge Response:

\begin{center}
\begin{tabular}{lll}
\bl{$A \rightarrow B:$} & \bl{Hi I am A}\\
\bl{$B \rightarrow A:$} & \bl{$N$} & (challenge)\\
\bl{$A \rightarrow B:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular} 
\end{center}\pause

\begin{itemize}
\item cannot replay since next time will be another challenge
\item \bl{$B$} authenticates \bl{$A$}, but \bl{$A$} does not 
authenticate \bl{$B$} (be Eve in the middle, intercept 
messages from \bl{$A$} and ignore last)
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Mutual Challenge Response:

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular} 
\end{center}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}

\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}


I can infer:

\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I send you my initial
message
\item if only you and me know the key, the message must have come from you
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\  
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{ab}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}

The attack (let $A$ decrypt her own messages):

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\ 
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\ 
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}\pause

\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  \begin{frame}[c]
  \frametitle{Encryption to the Rescue?}


 \begin{itemize}
 \item \bl{$A \,\rightarrow\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip 
 \item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
 \item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
 \end{itemize}\pause
 
means you need to send separate ``Hello'' signals (bad), or worse 
share a single key between many entities
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Trusted Third Party}

Simple protocol for establishing a secure connection via a mutually
trusted 3rd party (server):

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
\bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
\bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
\end{tabular}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocol Attacks}

\begin{itemize}
\item replay attacks
\item reflection attacks
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks
\item binding attacks (public key protocols)
\item changing environment / changing assumptions\bigskip

\item (social engineering attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key 
  \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
explicitly limits liability to \$100.)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

``Normal'' protocol run:\bigskip

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
with its private key
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
with its private key
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Attack:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}  --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$B$} sends public key  to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key 
\item similar
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Prevention:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
\end{itemize}\pause

\bl{$C$} would have to invent a totally new message

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Car Transponder (HiTag2)}

\begin{enumerate}
\item \bl{$C$} generates a random number \bl{$r$}
\item \bl{$C$} calculates \bl{$(F,G) = \{r\}_K$}
\item \bl{$C \to T$}: \bl{$r, F$}
\item \bl{$T$} calculates \bl{$(F',G') = \{r\}_K$}
\item \bl{$T$} checks that \bl{$F = F'$}
\item \bl{$T \to C$}: \bl{$r, G'$}
\item \bl{$C$} checks that \bl{$G = G'$}
\end{enumerate}\pause

\small
This process means that the transponder believes the car knows
the key \bl{$K$}, and the car believes the transponder knows
the key \bl{$K$}. They should have authenticated themselves
to each other.

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

\begin{itemize}
\item Border Gateway Protocol (BGP) --- routers believe 
  their neighbours
\item it is possible to advertise bad routes
\item can be done over continents\bigskip 
\end{itemize}

\hfill\footnotesize\url{http://www.renesys.com/2013/11/mitm-internet-hijacking/}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 1:} Every message should say what it means: the interpretation of 
a message should not depend on the context.\bigskip\pause

{\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent 
to mention the principal’s name explicitly in the message (though difficult).\bigskip


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 3:} Be clear about why encryption is being
done. Encryption is not wholly cheap, and not asking precisely
why it is being done can lead to redundancy. Encryption is not
synonymous with security.

\small
\begin{center}
Possible Uses of Encryption

\begin{itemize}
\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal.
\item Guarantee confidentiality and authenticity: binds two parts of a message --- 
\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
\end{itemize}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 4:} The protocol designer should know which trust relations his protocol depends on, and why the dependence is necessary. The reasons for particular trust relations being acceptable should be explicit though they will be founded on judgment and policy rather than on logic.\bigskip


Example Certification Authorities: CAs are trusted to certify a key only after proper steps 
have been taken to identify the principal that owns it.

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Formal Methods}

Ross Anderson about the use of Logic:\bigskip

\begin{quote}
Formal methods can be an excellent way of finding 
bugs in security protocol designs as they force the designer 
to make everything explicit and thus confront dif$\!$ficult design 
choices that might otherwise be fudged. 
\end{quote}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mid-Term}

\begin{itemize}
\item homework, handouts, programs\ldots
\end{itemize}\bigskip\bigskip\bigskip

\begin{center}
{\huge\bf\alert{Any Questions?}}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: