\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}
\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}
\hfuzz=220pt
% beamer stuff
\renewcommand{\slidecaption}{SEN 04, King's College London}
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
\LARGE Security Engineering (4)\\[-3mm]
\end{tabular}}\bigskip\bigskip\bigskip
\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Office: & N7.07 (North Wing, Bush House)\\
Slides: & KEATS (also home work is there)\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\includegraphics[scale=0.34]{../pics/trainwreck.jpg}\\
last week: buffer overflow attacks
\end{center}
\begin{itemize}
%\item no ``cheating'' needed for format string attacks
\item required some cheating on modern OS
\item the main point: no cheating in practice\pause
\item one class of attacks not mentioned last week
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Format String Vulnerability}
\small
\texttt{string} is nowhere used:\bigskip
{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
this vulnerability can be used to read out the stack and even
modify it
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Case-In-Point: Android}
\begin{itemize}
\item a list of common Android vulnerabilities
(5 BOAs out of 35 vulnerabilities; all from 2013 and later):
\begin{center}
\url{http://androidvulnerabilities.org/}
\end{center}\bigskip
\item a paper that attempts to measure the security of Android phones:
\begin{quote}\small\it ``We find that on average 87.7\% of Android
devices are exposed to at least one of 11 known critical
vulnerabilities\ldots''
\end{quote}
\begin{center}\small
\makebox[0mm]
{\url{https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf}}
\end{center}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\begin{frame}[c]
%
%A student asked:
%
%\begin{bubble}[10cm]\small How do we implement BOAs? On a
%webpage login, for example Facebook, we can't do this.
%I am sure the script will stop us even before we reach the
%server. The
%script will not let us enter hexadecimal numbers where email
%or username is required and plus it will have a max length,
%like 32 characters only. In this case, what can we do, since
%the method you showed us wouldn't work?
%\end{bubble}\bigskip\bigskip\pause
%\begin{itemize}
%\item Facebook no
%\item printers, routers, cars, IoT etc likely\pause
%\item I do not want to teach you hacking, rather defending
%\end{itemize}
%
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Survey}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\begin{frame}[c]
%
%\begin{center}
%\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
%last week: buffer overflow attacks
%\end{center}
%
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}\LARGE Two General Counter\\[-1mm]
\LARGE Measures against BOAs etc\end{tabular}}
Both try to reduce the attack surface (trusted computing base):\bigskip
\begin{itemize}
\item \alert{\bf unikernels} -- the idea is to not have
an operating system at all
\item all functionality of the server is implemented in a
single, stand-alone program
\item all functionality an operating system would normally
provide (network stack, file system) is available through
libraries
\item the best known unikernel is MirageOS using Ocaml
(\url{https://mirage.io})
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm]
Privilege Separation\end{tabular}}
\begin{center}
\begin{tikzpicture}[scale=1]
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}
\begin{itemize}
\item the idea is make the attack surface smaller and mitigate the
consequences of an attack
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix}
\begin{itemize}
\item access control provided by the OS
\item authenticate principals
\item mediate access to files, ports, processes etc according to
\alert{roles} (user ids)\\
\item roles get attached with privileges (some special roles: root)\bigskip\\
\hspace{8mm}
\begin{bubble}[8cm]
\alert{\bf principle of least privilege:}\\
users and programs should only have as much privilege as they need to
accomplish a task
\end{bubble}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}
\begin{itemize}
\item privileges are specified by file access permissions (``everything is a file'')\medskip
\item there are 9 (plus 2) bits that specify the permissions of a file
\end{itemize}
\begin{center}
${\underbrace{\LARGE\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
\;{\underbrace{\LARGE\texttt{r{}-{}-}}_{\text{user}}}\,
{\underbrace{\LARGE\texttt{r{}w{}-}}_{\text{group}}}\,
{\underbrace{\LARGE\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
\LARGE\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Unix-Style Access Control}
\small
\begin{itemize}
\item
Q: ``I am using Windows. Why should I care?'' \\
A: In Windows you have similar AC:
\begin{center}
\begin{tabular}{l}
administrators group\\
\hspace{5mm}(has complete control over the machine)\\
authenticated users\\
server operators\\
power users\\
network configuration operators
\end{tabular}
\end{center}\medskip
\item Modern versions of Windows have more fine-grained AC than Unix;
they do not have a setuid bit, but have \texttt{runas} (asks for a
password).\pause
\item OS-provided access control can \alert{\bf add} to your security.
(defence in depth)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Weaknesses of Unix AC}
Not just restricted to Unix:
\begin{itemize}
\item if you have too many roles (i.e.~too finegrained AC), then
hierarchy is too complex\\ \textcolor{gray}{you invite situations
like\ldots let's be root}\bigskip
\item you can still abuse the system\ldots
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}
The idea is to trick a privileged person to do something on your
behalf:
\begin{itemize}
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
\footnotesize
\begin{minipage}{1.1\textwidth}
\textcolor{gray}{the shell behind the scenes:}\\
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
\textcolor{gray}{this takes time}
\end{minipage}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}
\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}\medskip\\
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
the real passwd file)}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
\item root now deletes the real passwd file
\end{enumerate}
\only<2>{
\begin{textblock}{11}(2,5)
\begin{bubble}[8cm]
\normalsize To prevent this kind of attack, you need additional
policies (don't do such operations as root).
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Infamous Security Flaws\\[-1mm]
in Unix\end{tabular}}
\begin{itemize}
\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause
\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
\item \texttt{mkdir foo} is owned by root\medskip
\begin{center}
\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
\end{center}\medskip
it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
\end{itemize}
\only<4->{
\begin{textblock}{1}(3,7)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\begin{minipage}{8cm}
Only failure makes us experts.\\
\hfill\small-- Theo de Raadt (OpenBSD, OpenSSH)
\end{minipage}};
\end{tikzpicture}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Subtleties}
\begin{itemize}
\item<1-> Can Bob write \pcode{file}?
\item<2-> What if Bob is member of \pcode{staff}?
\end{itemize}\bigskip
\begin{center}
${\underbrace{\Large\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
\;{\underbrace{\Large\texttt{r{}-{}-}}_{\text{user}}}\,
{\underbrace{\Large\texttt{r{}w{}-}}_{\text{group}}}\,
{\underbrace{\Large\texttt{r{}w{}x}}_{\text{other}}}\;\;\;
\Large\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Login Processes}
\begin{itemize}
\item login processes run under UID $=$ \pcode{0}\medskip
\begin{center}
\texttt{ps -axl | grep login}
\end{center}\medskip
\item after login, shells run under UID $=$ user (e.g.~501)\medskip
\begin{center}
\texttt{id cu}
\end{center}\medskip\pause
\item non-root users are not allowed to change the UID --- would break
access control
\item but needed for example for accessing \texttt{passwd}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Setuid and Setgid}
The solution is that Unix file permissions are 9 + \underline{2 Bits}:
\alert{\bf Setuid} and \alert{\bf Setgid} bits
\begin{itemize}
\item When a file with setuid is executed, the resulting process will
assume the UID given to the \underline{owner} of the file.
\item This enables users to create processes as root (or another
user).\bigskip
\item Essential for changing passwords, for example.
\end{itemize}
\begin{center}
\texttt{chmod 4755 fobar\_file}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\small
\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst}
\begin{center}
\begin{tabular}{@{\hspace{-24mm}}ll}
members of group staff: & ping, bob, emma\\
members of group students: & emma\\
\end{tabular}
\end{center}
\begin{center}
\begin{tabular}{@{\hspace{-7mm}}r|c|c|c|c|c@{}}
& manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
ping & & & & &\\\hline
bob & & & & &\\\hline
emma & & & & &\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}
\small
\begin{itemize}
\item Access to objects (files, directories, devices, etc.) is
permitted based on user identity. Each object is owned by a
user. Owners can specify freely (at their discretion) how they want to
share their objects with other users, by specifying which other users
can have which form of access to their objects.\medskip
\item Discretionary access control is implemented on any modern multi-user
OS (Unix, Windows NT, etc.).
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Mandatory Access Control}
\small
\begin{itemize}
\item Access to objects is controlled by a system-wide policy, for
example to prevent certain flows of information. In some forms, the
system maintains security labels for both objects and subjects
(processes, users) based on which access is granted or
denied. Labels can change as the result of an access. Security
policies are enforced without the cooperation of users or
programs.\medskip
\item This is implemented in banking or military operating system
versions (SELinux).\pause
\item A simple example: Air Gap Security. Uses a completely separate network
and computer hardware for different application classes (Bin Laden, Bruce Schneier had
airgaps).\pause
\item What do we want to protect: Secrecy or Integrity?
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Bell-LaPadula Model}
\small
\begin{itemize}
\item Formal policy model for mandatory access control in a military
multi-level security environment. All subjects (processes, users,
terminals, files, windows, connections) are labeled
with a confidentiality level, e.g.
\begin{center}
unclassified < confidential < secret < top secret
\end{center}\medskip
\item The system policy automatically prevents the flow of information
from high-level objects to lower levels. A process that reads top
secret data becomes tagged as top secret by the operating system, as
will be all files into which it writes afterwards.
%Each user has a maximum allowed confidentiality level specified and
%cannot receive data beyond that level. A selected set of trusted
%subjects is allowed to bypass the restrictions, in order to permit
%the declassification of information.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Bell-LaPadula}
\small
\begin{itemize}
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
\bl{$P$}'s security level is at least as high as \bl{$O$}'s.
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
\bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip
%\item Meta-Rule: All principals in a system should have a sufficiently high security level
%in order to access an object.
\end{itemize}\bigskip
This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause
Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
\begin{bubble}[10cm]
A principal should have as few privileges as possible to access a resource.
\end{bubble}\bigskip\bigskip
\small
\begin{itemize}
\item Bob ($T\!S$) and Alice ($S$) want to communicate
\item[] $\Rightarrow$ Bob should lower his security level
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Biba Policy}
\small
Data Integrity (rather than data secrecy)
\begin{itemize}
\item Biba: {\bf `no read down'} - {\bf `no write up'}
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
\bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
\bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
\end{itemize}\bigskip\bigskip\pause
E.g.~Firewalls: you can read from inside the firewall, but not from outside\\
Phishing: you can look at an approved PDF, but not one from a random email\\
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Security Levels (2)}
\begin{itemize}
\item Bell-La Padula preserves data secrecy, but not data
integrity\bigskip\pause
\item Biba model is for data integrity
\begin{itemize}
\item read: your own level and above
\item write: your own level and below
\end{itemize}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Shared Access Control}
\begin{center}
\includegraphics[scale=0.7]{../pics/pointsplane.jpg}
\end{center}
\begin{textblock}{11}(10.5,10.5)
\small
To take an action you\\[-1mm]
need at least either:
\begin{itemize}
\item 1 CEO\\[-5mm]
\item 2 MDs, or\\[-5mm]
\item 3 Ds
\end{itemize}
\end{textblock}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Lessons from Access Control}
Not just restricted to Unix:
\begin{itemize}
\item if you have too many roles (i.e.~too finegrained AC), then
hierarchy is too complex\\
\textcolor{gray}{you invite situations like\ldots lets be root}\bigskip
\item you can still abuse the system\ldots
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols}
\begin{center}
\includegraphics[scale=0.11]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.3025]{../pics/startstop.jpg}
\end{center}
\begin{itemize}
\item Other examples: Wifi, Http-request, TCP-request,
card readers, RFID (passports)\ldots\medskip\pause
\item The point is that we cannot control the network: An attacker
can install a packet sniffer, inject packets, modify packets,
replay messages\ldots{}fake pretty much everything.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Keyless Car Transponders}
\begin{center}
\includegraphics[scale=0.1]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.27]{../pics/startstop.jpg}
\end{center}
\begin{itemize}
\item There are two security mechanisms: one remote central
locking system and one passive RFID tag (engine immobiliser).
\item How can I get in? How can thieves be kept out?
How to avoid MITM attacks?
\end{itemize}\medskip
\footnotesize
\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
\hfill a Vehicle Immobilizer
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{HTTPS / GSM}
\begin{center}
\includegraphics[scale=0.25]{../pics/barclays.jpg}
\quad
\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
\end{center}
\begin{itemize}
\item I am sitting at Starbuck. How can I be sure I am really
visiting Barclays? I have no control of the access
point.
\item How can I achieve that a secret key is established in
order to encrypt my mobile conversation? I have no
control over the access points.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}
\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}
\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}
\only<2>{
\begin{textblock}{3}(11,5)
\begin{bubble}[3.2cm]
SYNflood attacks:\medskip\\
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Protocols}
\mbox{}
\begin{tabular}{l}
{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\
\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
\end{tabular}
\begin{itemize}
\item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
\item<2-> indicates one ``protocol run'', or session, which specifies some
order in the communication
\item<2-> there can be several sessions in parallel (think of wifi routers)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}
\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}
\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}
\begin{center}
\begin{tabular}{rl}
\bl{$A \rightarrow S$}: & \bl{SYN}\\
\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
\bl{$A \rightarrow S$}: & \bl{ACK}\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}
Ross Anderson and Roger Needham wrote:\bigskip
\begin{quote}\rm
A lot of the recorded frauds were the result of this kind of
blunder, or from management negligence pure and simple.
\alert{However,
there have been a significant number of cases where the designers
protected the right things, used cryptographic algorithms which were
not broken, and yet found that their systems were still successfully
attacked.}
\end{quote}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1-3>[c]
\frametitle{Oyster Cards}
\includegraphics[scale=0.4]{../pics/oysterc.jpg}
\begin{itemize}
\item good example of a bad protocol\\ (security by obscurity)\bigskip
\item<3-> {\it``Breaching security on Oyster cards should not
allow unauthorised use for more than a day, as TfL promises to turn
off any cloned cards within 24 hours\ldots''}
\end{itemize}
\only<2>{
\begin{textblock}{12}(0.5,0.5)
\begin{bubble}[11cm]\footnotesize
{\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip
The Mifare Classic is the most widely used contactless smartcard on the
market. The stream cipher CRYPTO1 used by the Classic has recently been
reverse engineered and serious attacks have been proposed. The most serious
of them retrieves a secret key in under a second. In order to clone a card,
previously proposed attacks require that the adversary either has access to
an eavesdropped communication session or executes a message-by-message
man-in-the-middle attack between the victim and a legitimate
reader. Although this is already disastrous from a cryptographic point of
view, system integrators maintain that these attacks cannot be performed
undetected.\smallskip
This paper proposes four attacks that can be executed by an adversary having
only wireless access to just a card (and not to a legitimate reader). The
most serious of them recovers a secret key in less than a second on ordinary
hardware. Besides the cryptographic weaknesses, we exploit other weaknesses
in the protocol stack. A vulnerability in the computation of parity bits
allows an adversary to establish a side channel. Another vulnerability
regarding nested authentications provides enough plaintext for a speedy
known-plaintext attack.\hfill{}(a paper from 2009)
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1->[t]
\frametitle{Another Example}
In an email from Ross Anderson\bigskip\small
\begin{tabular}{l}
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
Sender: cl-security-research-bounces@lists.cam.ac.uk\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Birmingham case\\
Date: Tue, 13 Aug 2013 15:13:17 +0100\\
\end{tabular}
\only<2>{
\begin{textblock}{12}(0.5,0.8)
\begin{bubble}[11cm]
\footnotesize
As you may know, Volkswagen got an injunction against the University of
Birmingham suppressing the publication of the design of a weak cipher
used in the remote key entry systems in its recent-model cars. The paper
is being given today at Usenix, minus the cipher design.\medskip
I've been contacted by Birmingham University's lawyers who seek to prove
that the cipher can be easily obtained anyway. They are looking for a
student who will download the firmware from any newish VW, disassemble
it and look for the cipher. They'd prefer this to be done by a student
rather than by a professor to emphasise how easy it is.\medskip
Volkswagen's argument was that the Birmingham people had reversed a
locksmithing tool produced by a company in Vietnam, and since their key
fob chip is claimed to be tamper-resistant, this must have involved a
corrupt insider at VW or at its supplier Thales. Birmingham's argument
is that this is nonsense as the cipher is easy to get hold of. Their
lawyers feel this argument would come better from an independent
outsider.\medskip
Let me know if you're interested in having a go, and I'll put you in
touch
Ross
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Passwords:
\begin{center}
\bl{$B \rightarrow A: K_{AB}$}
\end{center}\pause\bigskip
Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the
identity of \bl{$B$}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication?}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Simple Challenge Response:
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Mutual Challenge Response:
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular}
\end{center}
%\pause
%An attacker \bl{$E$} can launch an impersonation attack by
%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her
%own challenges.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}
\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}
I can infer:
\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I send you my initial
message
\item if only you and me know the key, the message must have come from you
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}
The attack (let $A$ decrypt her own messages):
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}\pause
\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Encryption to the Rescue?}
\begin{itemize}
\item \bl{$A \,\rightarrow\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
\item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
\item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
\end{itemize}\pause
means you need to send separate ``Hello'' signals (bad), or worse
share a single key between many entities
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocol Attacks}
\begin{itemize}
\item replay attacks
\item reflection attacks
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks
\item binding attacks (public key protocols)
\item changing environment / changing assumptions\bigskip
\item (social engineering attacks)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}
\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
explicitly limits liability to \$100.)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}
``Normal'' protocol run:\bigskip
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
with its private key
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
with its private key
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}
Attack:
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key
\item similar for other direction
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}
Potential Prevention?
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
\end{itemize}\pause
%\bl{$C$} would have to invent a totally new message
\alert{Under which circumstances does this protocol prevent
MiM-attacks, or does it?}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Car Transponder (HiTag2)}
\begin{enumerate}
\item \bl{$C$} generates a random number \bl{$N$}
\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
\item \bl{$C \to T$}: \bl{$N, F$}
\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
\item \bl{$T$} checks that \bl{$F = F'$}
\item \bl{$T \to C$}: \bl{$N, G'$}
\item \bl{$C$} checks that \bl{$G = G'$}
\end{enumerate}\pause
\small
This process means that the transponder believes the car knows
the key \bl{$K$}, and the car believes the transponder knows
the key \bl{$K$}. They have authenticated themselves
to each other, or have they?
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
A Man-in-the-middle attack in real life:
\begin{itemize}
\item the card only says yes to the terminal if the PIN is correct
\item trick the card in thinking transaction is verified by signature
\item trick the terminal in thinking the transaction was verified by PIN
\end{itemize}
\begin{minipage}{1.1\textwidth}
\begin{center}
\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}
\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}
\end{center}
\end{minipage}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Problems with EMV}
\begin{itemize}
\item it is a wrapper for many protocols
\item specification by consensus (resulted unmanageable complexity)
\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
further parts are secret
\item other attacks have been found
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols are Difficult}
\begin{itemize}
\item even the systems designed by experts regularly fail\medskip
\item the one who can fix a system should also be liable for the losses\medskip
\item cryptography is often not the problem\bigskip\bigskip
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: