\documentclass[dvipsnames,14pt,t]{beamer}+ −
\usepackage{../style}+ −
\usepackage{../slides}+ −
\usepackage{../graphics}+ −
\usepackage{../langs}+ −
\usetikzlibrary{arrows}+ −
\usetikzlibrary{shapes}+ −
+ −
\setmonofont[Scale=.88]{Consolas}+ −
\newfontfamily{\consolas}{Consolas}+ −
+ −
\hfuzz=220pt + −
+ −
% beamer stuff + −
\renewcommand{\slidecaption}{SEN 04, King's College London}+ −
\newcommand{\bl}[1]{\textcolor{blue}{#1}} + −
+ −
\begin{document}+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{%+ −
\begin{tabular}{@ {}c@ {}}+ −
\\+ −
\LARGE Security Engineering (4)\\[-3mm] + −
\end{tabular}}\bigskip\bigskip\bigskip+ −
+ −
\normalsize+ −
\begin{center}+ −
\begin{tabular}{ll}+ −
Email: & christian.urban at kcl.ac.uk\\+ −
Office: & N7.07 (North Wing, Bush House)\\+ −
Slides: & KEATS (also home work is there)\\+ −
\end{tabular}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.34]{../pics/trainwreck.jpg}\\+ −
last week: buffer overflow attacks+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item this required some cheating on a modern OS+ −
\item but the main point: no cheating needed in practice+ −
(remember the quote about toasters)+ −
\end{itemize} + −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Case-In-Point: Android}+ −
+ −
\begin{itemize}+ −
\item a list of common Android vulnerabilities+ −
(5 BOAs out of 35 vulnerabilities; all from 2013 and later):+ −
+ −
\begin{center}+ −
\url{http://androidvulnerabilities.org/}+ −
\end{center}\bigskip+ −
+ −
\item a paper that attempts to measure the security of Android phones:+ −
+ −
\begin{quote}\small\it ``We find that on average 87.7\% of Android+ −
devices are exposed to at least one of 11 known critical+ −
vulnerabilities\ldots''+ −
\end{quote} + −
+ −
\begin{center}\small+ −
\makebox[0mm]+ −
{\url{https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf}}+ −
\end{center}+ −
\end{itemize} + −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
%\begin{frame}[c]+ −
%+ −
%A student asked:+ −
%+ −
%\begin{bubble}[10cm]\small How do we implement BOAs? On a+ −
%webpage login, for example Facebook, we can't do this. + −
%I am sure the script will stop us even before we reach the + −
%server. The+ −
%script will not let us enter hexadecimal numbers where email+ −
%or username is required and plus it will have a max length,+ −
%like 32 characters only. In this case, what can we do, since+ −
%the method you showed us wouldn't work?+ −
%\end{bubble}\bigskip\bigskip\pause+ −
+ −
%\begin{itemize}+ −
%\item Facebook no+ −
%\item printers, routers, cars, IoT etc likely\pause+ −
%\item I do not want to teach you hacking, rather defending+ −
%\end{itemize}+ −
%+ −
%\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Survey at KEATS}+ −
+ −
\begin{center}+ −
\alert{\bf\LARGE Thanks!}+ −
\end{center} + −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
%\begin{frame}[c]+ −
%+ −
%\begin{center}+ −
%\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\+ −
%last week: buffer overflow attacks+ −
%\end{center}+ −
% + −
%\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{c}\LARGE Two General Counter\\[-1mm] + −
\LARGE Measures against BOAs etc\end{tabular}}+ −
+ −
Both try to reduce the attack surface (trusted computing base):\bigskip+ −
+ −
\begin{itemize}+ −
\item \alert{\bf unikernels} -- the idea is to not have+ −
an operating system at all+ −
\item all functionality of the server is implemented in a+ −
single, stand-alone program+ −
\item all functionality an operating system would normally+ −
provide (network stack, file system) is available through+ −
libraries+ −
\item the best known unikernel is MirageOS using Ocaml+ −
(\url{https://mirage.io})+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] + −
Privilege Separation\end{tabular}}+ −
+ −
+ −
\begin{center}+ −
\begin{tikzpicture}[scale=1]+ −
+ −
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);+ −
\draw (4.7,1) node {Internet};+ −
\draw (-2.7,1.7) node {\footnotesize Application};+ −
\draw (0.6,1.7) node {\footnotesize Interface};+ −
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};+ −
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};+ −
+ −
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);+ −
+ −
\draw[white] (1.7,1) node (X) {};+ −
\draw[white] (3.7,1) node (Y) {};+ −
\draw[red, <->, line width = 2mm] (X) -- (Y);+ −
+ −
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);+ −
\end{tikzpicture}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item the idea is make the attack surface smaller and mitigate the+ −
consequences of an attack+ −
\end{itemize}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Access Control in Unix}+ −
+ −
\begin{itemize}+ −
\item access control provided by the OS+ −
\item authenticate principals+ −
\item mediate access to files, ports, processes etc according to+ −
\alert{roles} (user ids)\\+ −
\item roles get attached with privileges (some special roles: root)\bigskip\\+ −
+ −
\hspace{8mm}+ −
\begin{bubble}[8cm]+ −
\alert{\bf principle of least privilege:}\\+ −
users and programs should only have as much privilege as they need to+ −
accomplish a task+ −
\end{bubble}+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
\begin{frame}[c]+ −
\frametitle{Access Control in Unix (2)}+ −
+ −
+ −
\begin{itemize}+ −
\item privileges are specified by file access permissions (``everything is a file'')\medskip + −
\item there are 9 (plus 2) bits that specify the permissions of a file+ −
\end{itemize}+ −
+ −
\begin{center}+ −
${\underbrace{\LARGE\texttt{-}}_{\text{\makebox[0mm]{directory}}}}+ −
\;{\underbrace{\LARGE\texttt{r{}-{}-}}_{\text{user}}}\,+ −
{\underbrace{\LARGE\texttt{r{}w{}-}}_{\text{group}}}\,+ −
{\underbrace{\LARGE\texttt{r{}w{}x}}_{\text{other}}}\;\;\;+ −
\LARGE\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$+ −
\end{center} + −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Unix-Style Access Control}+ −
\small+ −
+ −
\begin{itemize}+ −
\item + −
Q: ``I am using Windows. Why should I care?'' \\ + −
A: In Windows you have similar AC:+ −
+ −
\begin{center}+ −
\begin{tabular}{l}+ −
administrators group\\ + −
\hspace{5mm}(has complete control over the machine)\\+ −
authenticated users\\+ −
server operators\\+ −
power users\\+ −
network configuration operators+ −
\end{tabular}+ −
\end{center}\medskip+ −
+ −
\item Modern versions of Windows have more fine-grained AC than Unix;+ −
they do not have a setuid bit, but have \texttt{runas} (asks for a+ −
password).%\pause+ −
+ −
%\item OS-provided access control can \alert{\bf add} to your security.+ −
% (defence in depth)+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Weaknesses of Unix AC}+ −
+ −
Not just restricted to Unix:+ −
+ −
\begin{itemize}+ −
\item if you have too many roles (i.e.~too finegrained AC), then+ −
hierarchy is too complex\\ \textcolor{gray}{you invite situations+ −
like\ldots let's be root}\bigskip+ −
+ −
\item you can still abuse the system\ldots+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{A ``Cron''-Attack}+ −
+ −
The idea is to trick a privileged person to do something on your+ −
behalf:+ −
+ −
\begin{itemize}+ −
\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause+ −
+ −
\footnotesize+ −
\begin{minipage}{1.1\textwidth}+ −
\textcolor{gray}{the shell behind the scenes:}\\+ −
\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\+ −
+ −
\textcolor{gray}{this takes time}+ −
\end{minipage}+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{A ``Cron''-Attack}+ −
+ −
\begin{enumerate}+ −
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ + −
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip+ −
\item root \textcolor{gray}{(does the daily cleaning)}\\+ −
\texttt{rm /tmp/*/*}\medskip\\+ −
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ + −
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\+ −
+ −
\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to + −
the real passwd file)}\\+ −
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\+ −
\item root now deletes the real passwd file+ −
\end{enumerate}+ −
+ −
\only<2>{+ −
\begin{textblock}{11}(2,5)+ −
\begin{bubble}[8cm]+ −
\normalsize To prevent this kind of attack, you need additional+ −
policies (for example don't do such operations as root).+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
%\begin{frame}[c]+ −
%\frametitle{\begin{tabular}{c}Infamous Security Flaws\\[-1mm] + −
%in Unix\end{tabular}}+ −
+ −
+ −
%\begin{itemize}+ −
%\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause+ −
%\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause+ −
%\item \texttt{mkdir foo} is owned by root\medskip+ −
%\begin{center}+ −
%\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}+ −
%\end{center}\medskip+ −
%it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}+ −
%\end{itemize}+ −
+ −
%\only<4->{+ −
%\begin{textblock}{1}(3,7)+ −
%\begin{tikzpicture}+ −
%\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] + −
%{\begin{minipage}{8cm}+ −
%Only failure makes us experts.\\+ −
%\hfill\small-- Theo de Raadt (OpenBSD, OpenSSH)+ −
%\end{minipage}};+ −
%\end{tikzpicture}+ −
%\end{textblock}}+ −
+ −
%\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
\begin{frame}[c]+ −
\frametitle{Subtleties}+ −
+ −
\begin{itemize}+ −
\item<1-> Can Bob write \pcode{file}?+ −
\item<2-> What if Bob is member of \pcode{staff}?+ −
\end{itemize}\bigskip+ −
+ −
\begin{center}+ −
${\underbrace{\Large\texttt{-}}_{\text{\makebox[0mm]{directory}}}}+ −
\;{\underbrace{\Large\texttt{r{}-{}-}}_{\text{user}}}\,+ −
{\underbrace{\Large\texttt{r{}w{}-}}_{\text{group}}}\,+ −
{\underbrace{\Large\texttt{r{}w{}x}}_{\text{other}}}\;\;\;+ −
\Large\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$+ −
\end{center} + −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Login Processes}+ −
+ −
+ −
\begin{itemize}+ −
\item login processes run under UID $=$ \pcode{0}\medskip + −
\begin{center}+ −
\texttt{ps -axl | grep login}+ −
\end{center}\medskip+ −
+ −
\item after login, shells run under UID $=$ user (e.g.~501)\medskip+ −
\begin{center}+ −
\texttt{id cu}+ −
\end{center}\medskip\pause+ −
+ −
\item non-root users are not allowed to change the UID --- would break + −
access control+ −
\item but needed for example for accessing \texttt{passwd}+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Setuid and Setgid}+ −
+ −
The solution is that Unix file permissions are 9 + \underline{2 Bits}:+ −
\alert{\bf Setuid} and \alert{\bf Setgid} bits+ −
+ −
\begin{itemize}+ −
\item When a file with setuid is executed, the resulting process will+ −
assume the UID given to the \underline{owner} of the file.+ −
\item This enables users to create processes as root (or another+ −
user).\bigskip+ −
+ −
\item Essential for changing passwords, for example.+ −
\end{itemize}+ −
+ −
\begin{center}+ −
\texttt{chmod 4755 fobar\_file}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
%\begin{frame}[c]+ −
%\small+ −
%+ −
%\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst}+ −
%+ −
%+ −
%\begin{center}+ −
%\begin{tabular}{@{\hspace{-24mm}}ll}+ −
%members of group staff: & ping, bob, emma\\ + −
%members of group students: & emma\\+ −
%\end{tabular}+ −
%\end{center}+ −
%+ −
%\begin{center}+ −
%\begin{tabular}{@{\hspace{-7mm}}r|c|c|c|c|c@{}}+ −
% & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline+ −
%ping & & & & &\\\hline+ −
%bob & & & & &\\\hline+ −
%emma & & & & &\\+ −
%\end{tabular}+ −
%\end{center}+ −
%+ −
%\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\Large Discretionary Access Control}+ −
+ −
\small+ −
\begin{itemize}+ −
\item Access to objects (files, directories, devices, etc.) is+ −
permitted based on user identity. Each object is owned by a+ −
user. Owners can specify freely (at their discretion) how they want to+ −
share their objects with other users, by specifying which other users+ −
can have which form of access to their objects.\medskip+ −
+ −
\item Discretionary access control is implemented on any modern multi-user+ −
OS (Unix, Windows NT, etc.).+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\Large Mandatory Access Control}+ −
+ −
\small+ −
\begin{itemize}+ −
\item Access to objects is controlled by a system-wide policy, for+ −
example to prevent certain flows of information. In some forms, the+ −
system maintains security labels for both objects and subjects+ −
(processes, users) based on which access is granted or+ −
denied. Labels can change as the result of an access. Security+ −
policies are enforced without the cooperation of users or+ −
programs.\medskip+ −
+ −
\item This is implemented in banking or military operating system + −
versions (SELinux).\pause+ −
\item A simple example: Air Gap Security. Uses a completely separate network+ −
and computer hardware for different application classes (Bin Laden, Bruce Schneier had+ −
airgaps).\pause+ −
\item What do we want to protect: Secrecy or Integrity?+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{The Bell-LaPadula Model}+ −
\small+ −
+ −
\begin{itemize}+ −
\item Formal policy model for mandatory access control in a military+ −
multi-level security environment. All subjects (processes, users,+ −
terminals, files, windows, connections) are labeled+ −
with a confidentiality level, e.g.+ −
\begin{center}+ −
unclassified < confidential < secret < top secret+ −
\end{center}\medskip+ −
+ −
\item The system policy automatically prevents the flow of information+ −
from high-level objects to lower levels. A process that reads top+ −
secret data becomes tagged as top secret by the operating system, as+ −
will be all files into which it writes afterwards.+ −
%Each user has a maximum allowed confidentiality level specified and+ −
%cannot receive data beyond that level. A selected set of trusted+ −
%subjects is allowed to bypass the restrictions, in order to permit+ −
%the declassification of information.+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Bell-LaPadula}+ −
\small+ −
+ −
\begin{itemize}+ −
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if+ −
\bl{$P$}'s security level is at least as high as \bl{$O$}'s.+ −
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if+ −
\bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip+ −
+ −
%\item Meta-Rule: All principals in a system should have a sufficiently high security level+ −
%in order to access an object.+ −
\end{itemize}\bigskip+ −
+ −
This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause+ −
+ −
Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}+ −
+ −
\begin{bubble}[10cm]+ −
A principal should have as few privileges as possible to access a resource.+ −
\end{bubble}\bigskip\bigskip+ −
\small+ −
+ −
\begin{itemize}+ −
\item Bob ($T\!S$) and Alice ($S$) want to communicate+ −
\item[] $\Rightarrow$ Bob should lower his security level+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Biba Policy}+ −
\small+ −
+ −
Data Integrity (rather than data secrecy)+ −
+ −
\begin{itemize}+ −
\item Biba: {\bf `no read down'} - {\bf `no write up'}+ −
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if+ −
\bl{$P$}'s security level is lower or equal than \bl{$O$}'s.+ −
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if+ −
\bl{$O$}'s security level is lower or equal than \bl{$P$}'s.+ −
\end{itemize}\bigskip\bigskip\pause+ −
+ −
E.g.~Firewalls: you can read from inside the firewall, but not from outside\\+ −
Phishing: you can look at an approved PDF, but not one from a random email\\+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Security Levels (2)}+ −
+ −
\begin{itemize}+ −
\item Bell-La Padula preserves data secrecy, but not data+ −
integrity\bigskip\pause+ −
+ −
\item Biba model is for data integrity + −
+ −
\begin{itemize}+ −
\item read: your own level and above+ −
\item write: your own level and below+ −
\end{itemize}+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Shared Access Control}+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.7]{../pics/pointsplane.jpg}+ −
\end{center}+ −
+ −
\begin{textblock}{11}(10.5,10.5)+ −
\small+ −
To take an action you\\[-1mm] + −
need at least either:+ −
\begin{itemize}+ −
\item 1 CEO\\[-5mm]+ −
\item 2 MDs, or\\[-5mm]+ −
\item 3 Ds+ −
\end{itemize}+ −
\end{textblock}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\Large Lessons from Access Control}+ −
+ −
Not just restricted to Unix:+ −
+ −
\begin{itemize}+ −
\item if you have too many roles (i.e.~too finegrained AC), then + −
hierarchy is too complex\\+ −
\textcolor{gray}{you invite situations like\ldots lets be root}\bigskip+ −
+ −
\item you can still abuse the system\ldots+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Protocols}+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.11]{../pics/keyfob.jpg}+ −
\quad+ −
\includegraphics[scale=0.3025]{../pics/startstop.jpg}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item Other examples: Wifi, Http-request, TCP-request,+ −
card readers, RFID (passports)\ldots\medskip\pause+ −
+ −
\item The point is that we cannot control the network: An attacker+ −
can install a packet sniffer, inject packets, modify packets,+ −
replay messages\ldots{}fake pretty much everything.+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Keyless Car Transponders}+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.1]{../pics/keyfob.jpg}+ −
\quad+ −
\includegraphics[scale=0.27]{../pics/startstop.jpg}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item There are two security mechanisms: one remote central + −
locking system and one passive RFID tag (engine immobiliser).+ −
\item How can I get in? How can thieves be kept out? + −
How to avoid MITM attacks?+ −
\end{itemize}\medskip+ −
+ −
\footnotesize+ −
\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\+ −
\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\+ −
\hfill a Vehicle Immobilizer+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Problems with Key Fobs}+ −
+ −
\begin{columns}+ −
\begin{column}[T]{4cm}+ −
\includegraphics[scale=0.4]{../pics/car-standard.jpg}+ −
\end{column}+ −
+ −
\begin{column}[T]{6cm}\small + −
Circumventing the ignition protection:+ −
+ −
\begin{itemize}+ −
\item either dismantling Megamos crypto,+ −
\item or use the diagnostic port to program + −
blank keys + −
\end{itemize}+ −
+ −
\hspace{14mm}+ −
\includegraphics[scale=0.16]{../pics/Dismantling_Megamos_Crypto.png}+ −
\end{column}+ −
\end{columns}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{HTTPS / GSM}+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.25]{../pics/barclays.jpg}+ −
\quad+ −
\includegraphics[scale=0.25]{../pics/phone-signal.jpg}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item I am sitting at Starbuck. How can I be sure I am really+ −
visiting Barclays? I have no control of the access+ −
point.+ −
\item How can I achieve that a secret key is established in+ −
order to encrypt my mobile conversation? I have no+ −
control over the access points. + −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{G20 Summit in 2009}+ −
+ −
\begin{center}+ −
\includegraphics[scale=0.1]{../pics/snowden.jpg}+ −
\end{center}+ −
+ −
\small+ −
\begin{itemize}+ −
\item Snowden documents reveal ``that during the G20+ −
meetings\dots{}GCHQ used + −
`ground-breaking intelligence capabilities' to intercept+ −
the communications of visiting delegations. This+ −
included setting up internet cafes where they used an+ −
email interception program and key-logging software to+ −
spy on delegates' use of computers\ldots''+ −
+ −
\item ``The G20 spying appears to have been organised for the+ −
more mundane purpose of securing an advantage in+ −
meetings.'' + −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Handshakes}+ −
+ −
\begin{itemize}+ −
\item starting a TCP connection between a client and a server+ −
initiates the following three-way handshake protocol:+ −
\end{itemize}+ −
+ −
\begin{columns}[t]+ −
\begin{column}{5cm}+ −
\begin{minipage}[t]{4cm}+ −
\begin{center}+ −
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}+ −
\end{center}+ −
\end{minipage}+ −
\end{column}+ −
\begin{column}{5cm}+ −
\begin{tabular}[t]{rl}+ −
Alice: & Hello server!\\+ −
Server: & I heard you\\+ −
Alice: & Thanks+ −
\end{tabular}+ −
\end{column}+ −
\end{columns}+ −
+ −
\only<2>{+ −
\begin{textblock}{3}(11,5)+ −
\begin{bubble}[3.2cm]+ −
SYNflood attacks:\medskip\\+ −
\includegraphics[scale=0.4]{../pics/synflood.png}+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[t]+ −
\frametitle{Protocols}+ −
+ −
\mbox{} + −
+ −
\begin{tabular}{l}+ −
{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\+ −
\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\+ −
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip+ −
\end{tabular} + −
+ −
\begin{itemize}+ −
\item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\+ −
but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip+ −
\item<2-> indicates one ``protocol run'', or session, which specifies some + −
order in the communication+ −
\item<2-> there can be several sessions in parallel (think of wifi routers) + −
\end{itemize} + −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Handshakes}+ −
+ −
\begin{itemize}+ −
\item starting a TCP connection between a client and a server+ −
initiates the following three-way handshake protocol:+ −
\end{itemize}+ −
+ −
\begin{columns}[t]+ −
\begin{column}{5cm}+ −
\begin{minipage}[t]{4cm}+ −
\begin{center}+ −
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}+ −
\end{center}+ −
\end{minipage}+ −
\end{column}+ −
\begin{column}{5cm}+ −
\begin{tabular}[t]{rl}+ −
Alice: & Hello server!\\+ −
Server: & I heard you\\+ −
Alice: & Thanks+ −
\end{tabular}+ −
\end{column}+ −
\end{columns}+ −
+ −
\begin{center}+ −
\begin{tabular}{rl}+ −
\bl{$A \rightarrow S$}: & \bl{SYN}\\+ −
\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\+ −
\bl{$A \rightarrow S$}: & \bl{ACK}\\+ −
\end{tabular}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{\Large Cryptographic Protocol Failures}+ −
+ −
Ross Anderson and Roger Needham wrote:\bigskip+ −
+ −
\begin{quote}\rm+ −
A lot of the recorded frauds were the result of this kind of+ −
blunder, or from management negligence pure and simple. + −
\alert{However,+ −
there have been a significant number of cases where the designers+ −
protected the right things, used cryptographic algorithms which were+ −
not broken, and yet found that their systems were still successfully+ −
attacked.}+ −
\end{quote}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}<1-3>[c]+ −
\frametitle{Oyster Cards}+ −
+ −
\includegraphics[scale=0.4]{../pics/oysterc.jpg}+ −
+ −
\begin{itemize}+ −
\item good example of a bad protocol\\ (security by obscurity)\bigskip+ −
\item<3-> {\it``Breaching security on Oyster cards should not + −
allow unauthorised use for more than a day, as TfL promises to turn + −
off any cloned cards within 24 hours\ldots''}+ −
\end{itemize}+ −
+ −
\only<2>{+ −
\begin{textblock}{12}(0.5,0.5)+ −
\begin{bubble}[11cm]\footnotesize+ −
{\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip+ −
+ −
The Mifare Classic is the most widely used contactless smartcard on the+ −
market. The stream cipher CRYPTO1 used by the Classic has recently been+ −
reverse engineered and serious attacks have been proposed. The most serious+ −
of them retrieves a secret key in under a second. In order to clone a card,+ −
previously proposed attacks require that the adversary either has access to+ −
an eavesdropped communication session or executes a message-by-message+ −
man-in-the-middle attack between the victim and a legitimate+ −
reader. Although this is already disastrous from a cryptographic point of+ −
view, system integrators maintain that these attacks cannot be performed+ −
undetected.\smallskip+ −
+ −
This paper proposes four attacks that can be executed by an adversary having+ −
only wireless access to just a card (and not to a legitimate reader). The+ −
most serious of them recovers a secret key in less than a second on ordinary+ −
hardware. Besides the cryptographic weaknesses, we exploit other weaknesses+ −
in the protocol stack. A vulnerability in the computation of parity bits+ −
allows an adversary to establish a side channel. Another vulnerability+ −
regarding nested authentications provides enough plaintext for a speedy+ −
known-plaintext attack.\hfill{}(a paper from 2009)+ −
\end{bubble}+ −
\end{textblock}}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
% \begin{frame}<1->[t]+ −
% \frametitle{Another Example}+ −
+ −
% In an email from Ross Anderson\bigskip\small + −
+ −
% \begin{tabular}{l}+ −
% From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\+ −
% Sender: cl-security-research-bounces@lists.cam.ac.uk\\+ −
% To: cl-security-research@lists.cam.ac.uk\\+ −
% Subject: Birmingham case\\+ −
% Date: Tue, 13 Aug 2013 15:13:17 +0100\\+ −
% \end{tabular}+ −
+ −
+ −
% \only<2>{+ −
% \begin{textblock}{12}(0.5,0.8)+ −
% \begin{bubble}[11cm]+ −
% \footnotesize+ −
% As you may know, Volkswagen got an injunction against the University of+ −
% Birmingham suppressing the publication of the design of a weak cipher+ −
% used in the remote key entry systems in its recent-model cars. The paper+ −
% is being given today at Usenix, minus the cipher design.\medskip+ −
+ −
% I've been contacted by Birmingham University's lawyers who seek to prove+ −
% that the cipher can be easily obtained anyway. They are looking for a+ −
% student who will download the firmware from any newish VW, disassemble+ −
% it and look for the cipher. They'd prefer this to be done by a student+ −
% rather than by a professor to emphasise how easy it is.\medskip+ −
+ −
% Volkswagen's argument was that the Birmingham people had reversed a+ −
% locksmithing tool produced by a company in Vietnam, and since their key+ −
% fob chip is claimed to be tamper-resistant, this must have involved a+ −
% corrupt insider at VW or at its supplier Thales. Birmingham's argument+ −
% is that this is nonsense as the cipher is easy to get hold of. Their+ −
% lawyers feel this argument would come better from an independent+ −
% outsider.\medskip+ −
+ −
% Let me know if you're interested in having a go, and I'll put you in+ −
% touch+ −
+ −
% Ross+ −
% \end{bubble}+ −
% \end{textblock}}+ −
+ −
% \end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Authentication Protocols}+ −
+ −
+ −
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip+ −
+ −
Passwords:+ −
+ −
\begin{center}+ −
\bl{$B \rightarrow A: K_{AB}$} + −
\end{center}\pause\bigskip+ −
+ −
Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the+ −
identity of \bl{$B$} + −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Authentication?}+ −
+ −
\begin{center}+ −
\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Authentication Protocols}+ −
+ −
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip+ −
+ −
Simple Challenge Response:+ −
+ −
\begin{center}+ −
\begin{tabular}{ll}+ −
\bl{$A \rightarrow B:$} & \bl{$N$}\\+ −
\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\+ −
\end{tabular} + −
\end{center}+ −
+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Authentication Protocols}+ −
+ −
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip+ −
+ −
Mutual Challenge Response:+ −
+ −
\begin{center}+ −
\begin{tabular}{ll}+ −
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\+ −
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\+ −
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\+ −
\end{tabular} + −
\end{center}+ −
+ −
%\pause+ −
%An attacker \bl{$E$} can launch an impersonation attack by+ −
%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her+ −
%own challenges.+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Nonces}+ −
+ −
\begin{enumerate}+ −
\item I generate a nonce (random number) and send it to you encrypted with a key we share+ −
\item you increase it by one, encrypt it under a key I know and send+ −
it back to me+ −
\end{enumerate}+ −
+ −
+ −
I can infer:+ −
+ −
\begin{itemize}+ −
\item you must have received my message+ −
\item you could only have generated your answer after I send you my initial+ −
message+ −
\item if only you and me know the key, the message must have come from you+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
+ −
\begin{center}+ −
\begin{tabular}{ll}+ −
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\ + −
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\+ −
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\+ −
\end{tabular}+ −
\end{center}+ −
+ −
The attack (let $A$ decrypt her own messages):+ −
+ −
\begin{center}+ −
\begin{tabular}{ll}+ −
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\ + −
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\ + −
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\+ −
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\+ −
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\+ −
\end{tabular}+ −
\end{center}\pause+ −
+ −
\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Encryption to the Rescue?}+ −
+ −
+ −
\begin{itemize}+ −
\item \bl{$A \,\rightarrow\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip + −
\item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip+ −
\item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip+ −
\end{itemize}\pause+ −
+ −
means you need to send separate ``Hello'' signals (bad), or worse + −
share a single key between many entities+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Protocol Attacks}+ −
+ −
\begin{itemize}+ −
\item replay attacks+ −
\item reflection attacks+ −
\item man-in-the-middle attacks+ −
\item timing attacks+ −
\item parallel session attacks+ −
\item binding attacks (public key protocols)+ −
\item changing environment / changing assumptions\bigskip+ −
+ −
\item (social engineering attacks)+ −
\end{itemize}+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Public-Key Infrastructure}+ −
+ −
\begin{itemize}+ −
\item the idea is to have a certificate authority (CA)+ −
\item you go to the CA to identify yourself+ −
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip+ −
\item CA must be trusted by everybody+ −
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign + −
explicitly limits liability to \$100.)+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Man-in-the-Middle}+ −
+ −
``Normal'' protocol run:\bigskip+ −
+ −
\begin{itemize}+ −
\item \bl{$A$} sends public key to \bl{$B$}+ −
\item \bl{$B$} sends public key to \bl{$A$}+ −
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it+ −
with its private key+ −
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it+ −
with its private key+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Man-in-the-Middle}+ −
+ −
Attack:+ −
+ −
\begin{itemize}+ −
\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key+ −
\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key+ −
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it+ −
with its private key, re-encrypts with \bl{$B$}'s public key + −
\item similar for other direction+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Man-in-the-Middle}+ −
+ −
Potential Prevention?+ −
+ −
\begin{itemize}+ −
\item \bl{$A$} sends public key to \bl{$B$}+ −
\item \bl{$B$} sends public key to \bl{$A$}+ −
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message+ −
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message+ −
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message+ −
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message+ −
\end{itemize}\pause+ −
+ −
%\bl{$C$} would have to invent a totally new message+ −
\alert{Under which circumstances does this protocol prevent+ −
MiM-attacks, or does it?}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Splitting Messages}+ −
+ −
\begin{center}+ −
$\underbrace{\texttt{\Grid{0X1peUVTGJK+H70mMjAM8p}}}_{\bl{\{A,m\}_{K^{pub}_B}}}$+ −
\end{center}+ −
+ −
\begin{center}+ −
$\underbrace{\texttt{\Grid{0X1peUVTGJK}}}_{\bl{H_1}}$\quad+ −
$\underbrace{\texttt{\Grid{+H70mMjAM8p}}}_{\bl{H_2}}$+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item you can also use the even and odd bytes+ −
\item the point is you cannot decrypt the halves, even if you+ −
have the key + −
\end{itemize}+ −
+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
+ −
\begin{center}+ −
\begin{tabular}{l@{\hspace{9mm}}l}+ −
\begin{tabular}[t]{@{}l@{}}+ −
\bl{$A \to C : K^{pub}_A$}\\+ −
\bl{$C \to B : K^{pub}_C$}\\+ −
\bl{$B \to C : K^{pub}_B$}\\+ −
\bl{$C \to A : K^{pub}_C$}\medskip\\+ −
\bl{$\{A,m\}_{K^{pub}_C} \;\mapsto\; H_1,H_2$}\\+ −
\bl{$\{B,m'\}_{K^{pub}_C} \;\mapsto\; M_1,M_2$}\bigskip\\+ −
\bl{$\{C,a\}_{K^{pub}_B} \;\mapsto\; C_1,C_2$}\\+ −
\bl{$\{C,b\}_{K^{pub}_A} \;\mapsto\; D_1,D_2$}+ −
\end{tabular} &+ −
\begin{tabular}[t]{@{}l@{}}+ −
\bl{$A \to C : H_1$}\\+ −
\bl{$C \to B : C_1$}\\+ −
\bl{$B \to C : \{C_1, M_1\}_{K^{pub}_C}$}\\+ −
\bl{$C \to A : \{H_1, D_1\}_{K^{pub}_A}$}\\+ −
\bl{$A \to C : \{H_2, D_1\}_{K^{pub}_C}$}\\+ −
\bl{$C \to B : \{C_2, M_1\}_{K^{pub}_B}$}\\+ −
\bl{$B \to C : M_2$}\\+ −
\bl{$C \to A : D_2$}+ −
\end{tabular}+ −
\end{tabular}+ −
\end{center}\pause+ −
+ −
\footnotesize+ −
\bl{$m$} = How is your grandmother? \bl{$m'$} = How is the+ −
weather today in London?+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
+ −
\begin{itemize}+ −
\item you have to ask something that cannot be imitated + −
(requires \bl{$A$} and \bl{$B$} know each other)+ −
\item what happens if \bl{$m$} and \bl{$m'$} are voice+ −
messages?\bigskip\pause+ −
+ −
\item So \bl{$C$} can either leave the communication unchanged,+ −
or invent a complete new conversation+ −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Car Transponder (HiTag2)}+ −
+ −
\begin{enumerate}+ −
\item \bl{$C$} generates a random number \bl{$N$}+ −
\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}+ −
\item \bl{$C \to T$}: \bl{$N, F$}+ −
\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}+ −
\item \bl{$T$} checks that \bl{$F = F'$}+ −
\item \bl{$T \to C$}: \bl{$N, G'$}+ −
\item \bl{$C$} checks that \bl{$G = G'$}+ −
\end{enumerate}\pause+ −
+ −
\small+ −
This process means that the transponder believes the car knows+ −
the key \bl{$K$}, and the car believes the transponder knows+ −
the key \bl{$K$}. They have authenticated themselves+ −
to each other, or have they?+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
+ −
A Man-in-the-middle attack in real life:+ −
+ −
\begin{itemize}+ −
\item the card only says yes to the terminal if the PIN is correct+ −
\item trick the card in thinking transaction is verified by signature+ −
\item trick the terminal in thinking the transaction was verified by PIN+ −
\end{itemize}+ −
+ −
\begin{minipage}{1.1\textwidth}+ −
\begin{center}+ −
\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}+ −
\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}+ −
\end{center}+ −
\end{minipage}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
+ −
\begin{itemize}+ −
\item the moral: establishing a secure connection from+ −
``zero'' is almost impossible---you need to rely on some+ −
established trust\medskip+ −
+ −
\item that is why PKI relies on certificates, which however are+ −
badly, badly realised+ −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Trusted Third Parties}+ −
+ −
Simple protocol for establishing a secure connection via a+ −
mutually trusted 3rd party (server):+ −
+ −
\begin{center}+ −
\begin{tabular}{r@ {\hspace{1mm}}l}+ −
\bl{$A \rightarrow S :$} & \bl{$A, B$}\\+ −
\bl{$S \rightarrow A :$} & \bl{$\{K_{AB}, \{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\+ −
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\+ −
\bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\+ −
\end{tabular}+ −
\end{center}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{PKI: The Main Idea}+ −
+ −
\begin{itemize}+ −
\item the idea is to have a certificate authority (CA)+ −
\item you go to the CA to identify yourself+ −
\item CA: ``I, the CA, have verified that public key + −
\bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip+ −
\item CA must be trusted by everybody\medskip+ −
\item certificates are time limited, and can be revoked+ −
+ −
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign + −
explicitly limits liability to \$100.)+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{PKI: Chains of Trust}+ −
+ −
\begin{center}+ −
\begin{tikzpicture}[scale=1,+ −
node/.style={+ −
rectangle,rounded corners=3mm,+ −
very thick,draw=black!50,minimum height=18mm, minimum width=23mm,+ −
top color=white,bottom color=black!20}]+ −
+ −
\node (A) at (0,0) [node] {};+ −
\node [below right] at (A.north west) + −
{\small\begin{tabular}{@{}l}CA\\Root Cert.\end{tabular}};+ −
+ −
\node (B) at (4,0) [node] {};+ −
\node [below right=1mm] at (B.north west) + −
{\mbox{}\hspace{-1mm}\small+ −
\begin{tabular}{@{}l}Subordinate\\ CA\end{tabular}};+ −
+ −
\node (C) at (8,0) [node] {};+ −
\node [below right] at (C.north west) + −
{\small\begin{tabular}{@{}l}Server\\ Bank.com\end{tabular}};+ −
+ −
\draw [->,line width=4mm] (A) -- (B); + −
\draw [->,line width=4mm] (B) -- (C); + −
+ −
\node (D) at (6,-3) [node] {};+ −
\node [below right] at (D.north west) + −
{\small\begin{tabular}{@{}l}Browser\\ Root Store\end{tabular}};+ −
+ −
\node (E) at (2,-3) [node] {};+ −
\node [below right] at (E.north west) + −
{\small\begin{tabular}{@{}l}Browser\\ Vendor\end{tabular}};+ −
+ −
\draw [->,line width=4mm] (E) -- (D); + −
\end{tikzpicture}+ −
\end{center}+ −
+ −
\begin{itemize}+ −
\item CAs make almost no money anymore, because of stiff+ −
competition+ −
\item browser companies are not really interested in security;+ −
only in market share+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{PKI: Weaknesses}+ −
+ −
CAs just cannot win (make any profit):\medskip+ −
+ −
\begin{itemize}+ −
\item there are hundreds of CAs, which issue millions of+ −
certificates and the error rate is small+ −
+ −
\item users (servers) do not want to pay or pay as little as+ −
possible\bigskip+ −
+ −
\item a CA can issue a certificate for any domain not needing+ −
any permission (CAs are meant to undergo audits,+ −
but\ldots DigiNotar)+ −
+ −
\item if a CA has issued many certificates, it ``becomes too+ −
big to fail'' + −
+ −
\item Can we be sure CAs are not just frontends of some + −
government organisation? + −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{PKI: Weaknesses}+ −
+ −
\begin{itemize}+ −
+ −
\item many certificates are issued via Whois, whether you own+ −
the domain\ldots if you hijacked a domain, it is easy to+ −
obtain certificates\medskip+ −
+ −
\item the revocation mechanism does not work (Chrome has given+ −
up on general revocation lists)\medskip+ −
+ −
\item lax approach to validation of certificates + −
(Have you ever bypassed certification warnings?)\medskip+ −
+ −
\item sometimes you want to actually install invalid+ −
certificates (self-signed)+ −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{PKI: Attacks}+ −
+ −
\begin{itemize}+ −
+ −
\item Go directly after root certificates + −
\begin{itemize}+ −
\item governments can demand private keys\smallskip+ −
\item 10 years ago it was estimated that breaking a 1024 bit+ −
key takes one year and costs 10 - 30 Mio \$; this is now+ −
reduced to 1 Mio \$+ −
\end{itemize} + −
+ −
\item Go after buggy implementations of certificate+ −
validation\smallskip+ −
+ −
\item Social Engineering + −
\begin{itemize}+ −
\item in 2001 somebody pretended to be + −
from Microsoft and asked for two code-signing + −
certificates+ −
\end{itemize}\bigskip+ −
\end{itemize}+ −
+ −
\small The eco-system is completely broken (it relies on+ −
thousands of entities to do the right thing). Maybe DNSSEC+ −
where keys can be attached to domain names is a way out.+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Real Attacks}+ −
+ −
\begin{itemize}+ −
+ −
\item In 2011, DigiNotar (Dutch company) was the first CA that+ −
got compromised comprehensively, and where many+ −
fraudulent certificates were issued to the wild. It+ −
included approximately 300,000 IP addresses, mostly+ −
located in Iran. The attackers (in Iran?) were likely+ −
interested ``only'' in collecting gmail passwords.\medskip+ −
+ −
\item The Flame malware piggy-bagged on this attack by+ −
advertising malicious Windows updates to some targeted+ −
systems (mostly in Iran, Israel, Sudan).+ −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{PKI is Broken}+ −
+ −
\begin{itemize}+ −
+ −
\item PKI and certificates are meant to protect you against+ −
MITM attacks, but if the attack occurs your are + −
presented with a warning and you need to decide whether+ −
you are under attack.\medskip+ −
+ −
\item Webcontent gets often loaded from 3rd-party servers,+ −
which might not be secured\medskip+ −
+ −
\item Misaligned incentives: browser vendors are not+ −
interested in breaking webpages with invalid+ −
certificates + −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
+ −
Why are there so many invalid certificates?\bigskip+ −
+ −
\begin{itemize}+ −
+ −
\item insufficient name coverage (www.example.com should+ −
include example.com)+ −
+ −
\item IoT: many appliances have web-based admin interfaces; + −
the manufacturer cannot know under which IP and domain name+ −
the appliances are run (so cannot install a valid certificate)+ −
+ −
\item expired certificates, or incomplete chains of trust+ −
(servers are supposed to supply them)+ −
+ −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%+ −
\begin{frame}[c]+ −
\frametitle{Protocols are Difficult}+ −
+ −
\begin{itemize}+ −
\item even the systems designed by experts regularly fail\medskip+ −
\item the one who can fix a system should also be liable for the losses\medskip+ −
\item cryptography is often not the problem\bigskip\bigskip + −
\end{itemize}+ −
+ −
\end{frame}+ −
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + −
+ −
+ −
\end{document}+ −
+ −
%%% Local Variables: + −
%%% mode: latex+ −
%%% TeX-master: t+ −
%%% End: + −
+ −