\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}

\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

\hfuzz=220pt 

% beamer stuff 
\newcommand{\bl}[1]{\textcolor{blue}{#1}}  
\renewcommand{\slidecaption}{SEN 05, King's College London}


\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Security Engineering (5)\\[-3mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  \normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)\\
  \end{tabular}
  \end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols}

Some examples where ``over-the-air'' protocols are used:

\begin{itemize}
\item wifi
\item card readers (you cannot trust the terminals)
\item RFID (passports)
\item car transponders
\end{itemize}\medskip\pause

The point is that we cannot control the network: An attacker
can install a packet sniffer, inject packets, modify packets,
replay messages\ldots{}fake pretty much everything.

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Keyless Car Transponders}

\begin{center}
\includegraphics[scale=0.1]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.27]{../pics/startstop.jpg}
\end{center}

\begin{itemize}
\item There are two security mechanisms: one remote central 
locking system and one passive RFID tag (engine immobiliser).
\item How can I get in? How can thieves be kept out? 
How to avoid MITM attacks?
\end{itemize}\medskip

\footnotesize
\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
\hfill a Vehicle Immobilizer

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{HTTPS / GSM}

\begin{center}
\includegraphics[scale=0.25]{../pics/barclays.jpg}
\quad
\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
\end{center}

\begin{itemize}
\item I am sitting at Starbuck. How can I be sure I am really
      visiting Barclays? I have no control of the access
      point.
\item How can I achieve that a secret key is established in
      order to encrypt my mobile conversation? I have no
      control over the access points. 
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}

\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}

\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice:  & Hello server!\\
Server: & I heard you\\
Alice:  & Thanks
\end{tabular}
\end{column}
\end{columns}

\onslide<2->{
\begin{center}
\begin{tabular}{rl}
\bl{$A \rightarrow S$}: & \bl{SYN}\\
\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
\bl{$A \rightarrow S$}: & \bl{ACK}\\
\end{tabular}
\end{center}}

\only<3>{
\begin{textblock}{3}(11,5)
\begin{bubble}[3.2cm]
SYNflood attacks:\medskip\\
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{bubble}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication}

\begin{columns} 
\begin{column}{8cm}
\begin{minipage}[t]{7.5cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{minipage}[t]{4.5cm}
\begin{tabular}{l}
Knock Knock!\\
Who's there?\\
Alice.\\
Alice who?
\end{tabular}
\end{minipage}
\end{column}
\end{columns}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key
\bl{$K_{AB}$}\bigskip

Password transmission:

\begin{center}
\bl{$A \rightarrow B: K_{AB}$} 
\end{center}\pause\bigskip

Problems: Eavesdropper can capture the secret and replay it;
\bl{$B$} cannot confirm the identity of \bl{$A$}  

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key
\bl{$K_{AB}$}\bigskip

Simple Challenge Response (solving the replay problem):

\begin{center}
\begin{tabular}{lll}
\bl{$A \rightarrow B:$} & \bl{Hi I am A}\\
\bl{$B \rightarrow A:$} & \bl{$N$} & (challenge)\\
\bl{$A \rightarrow B:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular} 
\end{center}\pause

\begin{itemize}
\item cannot be replayed since next time will be another
      challenge \bl{$N$}
\item \bl{$B$} authenticates \bl{$A$}, but \bl{$A$} does not
      authenticate \bl{$B$} (Eve can intercept
      messages from \bl{$A$}, send random challenge 
      and ignore last) 
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Mutual Challenge Response:

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular} 
\end{center}\pause

But requires shared secret key.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}

\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}


I can infer:

\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I send you my initial
message
\item if only you and me know the key, the message must have come from you
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\  
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}

The attack (let $A$ decrypt her own messages):

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\ 
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\ 
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}\pause

\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  \begin{frame}[c]
  \frametitle{Encryption to the Rescue?}


 \begin{itemize}
 \item \bl{$A \,\rightarrow\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip 
 \item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
 \item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
 \end{itemize}\pause
 
means you need to send separate ``Hello'' signals (bad), or worse 
share a single key between many entities
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Trusted Third Party}

Simple protocol for establishing a secure connection via a mutually
trusted 3rd party (server):

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
\bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
\bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
\end{tabular}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key 
  \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
explicitly limits liability to \$100.)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

``Normal'' protocol run:\bigskip

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} sends a message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
with its private key
\item \bl{$B$} sends a message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
with its private key
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Attack:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}  --- \bl{$C$} 
  intercepts this message and send his own public key to 
  \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$} --- \bl{$C$} 
  intercepts this message and send his own public key 
  \bl{$A$}  
\item \bl{$A$} sends a message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key 
\item similar the other way
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Prevention:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} encrypts a message with \bl{$B$}'s public key, 
  sends {\bf half} of the message to \bl{$B$}
\item \bl{$B$} encrypts a message with \bl{$A$}'s public key, 
 sends {\bf half} of the message back to \bl{$A$}
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt 
 entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt 
 entire message
\end{itemize}\pause

\bl{$C$} would have to invent a totally new message

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Car Transponder (HiTag2)}

\begin{enumerate}
\item \bl{$C$} generates a random number \bl{$N$}
\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
\item \bl{$C \to T$}: \bl{$N, F$}
\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
\item \bl{$T$} checks that \bl{$F = F'$}
\item \bl{$T \to C$}: \bl{$N, G'$}
\item \bl{$C$} checks that \bl{$G = G'$}
\end{enumerate}\pause

\small
This process means that the transponder believes the car knows
the key \bl{$K$}, and the car believes the transponder knows
the key \bl{$K$}. They have authenticated themselves
to each other.

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

\begin{itemize}
\item Border Gateway Protocol (BGP) --- routers believe 
  their neighbours
\item it is possible to advertise bad routes
\item can be done over continents\bigskip 
\end{itemize}

\hfill\footnotesize\url{http://www.renesys.com/2013/11/mitm-internet-hijacking/}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocol Attacks}

\begin{itemize}
\item replay attacks
\item reflection attacks
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks
\item binding attacks (public key protocols)
\item changing environment / changing assumptions\bigskip

\item (social engineering attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 1:} Every message should say what it means: the
interpretation of a message should not depend on the
context.\bigskip\pause

{\bf Principle 2:} If the identity of a principal is essential
to the meaning of a message, it is prudent to mention the
principal’s name explicitly in the message (though
difficult).\bigskip

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 3:} Be clear about why encryption is being
done. Encryption is not wholly cheap, and not asking precisely
why it is being done can lead to redundancy. Encryption is not
synonymous with security.

\small
\begin{center}
Possible Uses of Encryption

\begin{itemize}
\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal.
\item Guarantee confidentiality and authenticity: binds two parts of a message --- 
\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
\end{itemize}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 4:} The protocol designers should know which
trust relations their protocol depends on, and why the
dependence is necessary. The reasons for particular trust
relations being acceptable should be explicit though they will
be founded on judgment and policy rather than on
logic.\bigskip


Example Certification Authorities: CAs are trusted to certify
a key only after proper steps have been taken to identify the
principal that owns it.

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Formal Methods}

Ross Anderson about the use of Logic:\bigskip

\begin{quote}
Formal methods can be an excellent way of finding 
bugs in security protocol designs as they force the designer 
to make everything explicit and thus confront difficult design 
choices that might otherwise be fudged. 
\end{quote}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mid-Term}

\begin{itemize}
\item homework, handouts, programs\ldots
\end{itemize}\bigskip\bigskip\bigskip

\begin{center}
{\huge\bf\alert{Any Questions?}}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: