
\PassOptionsToPackage{bookmarks=false}{hyperref}
\documentclass[dvipsnames,14pt,t,hyperref={bookmarks=false}]{beamer}
% local style files one directory up; their contents are not visible here
% (tikz itself is presumably loaded by one of them -- no \usepackage{tikz} in this file)
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usepackage{../style}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}

% fontspec commands: the deck has to be compiled with XeLaTeX or LuaLaTeX,
% and the Consolas font must be installed on the build machine
\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

% raises the threshold below which overfull \hbox warnings are reported to
% 220pt, i.e. it silences the warnings rather than fixing the boxes --
% presumably deliberate for slides, but overfull lines will not be flagged
\hfuzz=220pt 

% beamer stuff 
% \bl{...}: blue text; used throughout for protocol messages and principals
\newcommand{\bl}[1]{\textcolor{blue}{#1}}  
% \slidecaption is presumably defined in ../slides (slide footer) -- not visible here
\renewcommand{\slidecaption}{SEN 05, King's College London}


\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Security Engineering (5)\\[-3mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  \normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)\\
  \end{tabular}
  \end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Problems with Key Fobs}

\begin{columns}
\begin{column}[T]{4cm}
\includegraphics[scale=0.4]{../pics/car-standard.jpg}
\end{column}

\begin{column}[T]{6cm}\small 
Circumventing the ignition protection:

\begin{itemize}
\item either dismantling Megamos Crypto,
\item or using the diagnostic port to program 
  blank keys 
\end{itemize}

\hspace{14mm}
\includegraphics[scale=0.16]{../pics/Dismantling_Megamos_Crypto.png}
\end{column}
\end{columns}



\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols}

\begin{center}
\includegraphics[scale=0.11]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.232]{../pics/starbucks.jpg}
\end{center}

\begin{itemize}
\item The point is that we have no control over the network

\item We want to make sure that a message exchange (a protocol)
cannot be attacked without detection
\end{itemize}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{G20 Summit in 2009}

\begin{center}
\includegraphics[scale=0.1]{../pics/snowden.jpg}
\end{center}

\small
\begin{itemize}
\item Snowden documents reveal ``that during G20
      meetings\dots{}GCHQ used 
      `ground-breaking intelligence capabilities' to intercept
      the communications of visiting delegations. This
      included setting up internet cafes where they used an
      email interception program and key-logging software to
      spy on delegates' use of computers\ldots''

\item ``The G20 spying appears to have been organised for the
      more mundane purpose of securing an advantage in
      meetings.'' 
\end{itemize}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A Simple PK Protocol}


\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & \bl{$A \to B :$} & \bl{$K^{pub}_A$}\smallskip\\
2. & \bl{$B \to A :$} & \bl{$K^{pub}_B$}\smallskip\\
3. & \bl{$A \to B :$} & \bl{$\{A,m\}_{K^{pub}_B}$}\smallskip\\
4. & \bl{$B \to A :$} & \bl{$\{B,m'\}_{K^{pub}_A}$}
\end{tabular}
\end{center}\pause\bigskip

unfortunately there is a simple man-in-the-middle attack: nothing in
this exchange ties a public key to its owner, so a third party can
substitute its own key
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A MITM Attack}


\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & \bl{$A \to E :$} & \bl{$K^{pub}_A$}\smallskip\\
2. & \bl{$E \to B :$} & \bl{$K^{pub}_E$}\smallskip\\
3. & \bl{$B \to E :$} & \bl{$K^{pub}_B$}\smallskip\\
4. & \bl{$E \to A :$} & \bl{$K^{pub}_E$}\smallskip\\
5. & \bl{$A \to E :$} & \bl{$\{A,m\}_{K^{pub}_E}$}\smallskip\\
6. & \bl{$E \to B :$} & \bl{$\{E,m\}_{K^{pub}_B}$}\smallskip\\
7. & \bl{$B \to E :$} & \bl{$\{B,m'\}_{K^{pub}_E}$}\smallskip\\
8. & \bl{$E \to A :$} & \bl{$\{E,m'\}_{K^{pub}_A}$}
\end{tabular}
\end{center}\pause\medskip

and \bl{$A$} and \bl{$B$} have no way of detecting it (\bl{$E$} can
read, and alter, both \bl{$m$} and \bl{$m'$})
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Interlock Protocol}

The interlock protocol (``best bet'' against MITM):

\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & \bl{$A \to B :$} & \bl{$K^{pub}_A$}\\
2. & \bl{$B \to A :$} & \bl{$K^{pub}_B$}\\
3. & & \bl{$\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$}\\
   & & \bl{$\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$}\\
4. & \bl{$A \to B :$} & \bl{$H_1$}\\
5. & \bl{$B \to A :$} & \bl{$\{H_1, M_1\}_{K^{pub}_A}$}\\
6. & \bl{$A \to B :$} & \bl{$\{H_2, M_1\}_{K^{pub}_B}$}\\
7. & \bl{$B \to A :$} & \bl{$M_2$}
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Splitting Messages}

\begin{center}
$\underbrace{\texttt{\Grid{0X1peUVTGJK+H70mMjAM8p}}}_{\{A,m\}_{K^{pub}_B}}$
\end{center}
 
\begin{center}
$\underbrace{\texttt{\Grid{0X1peUVTGJK}}}_{H_1}$\quad
$\underbrace{\texttt{\Grid{+H70mMjAM8p}}}_{H_2}$
\end{center}

\begin{itemize}
\item you can also split into the even and odd bytes
\item the point is that a half on its own cannot be decrypted
\end{itemize}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

\begin{center}
\begin{tabular}{l@{\hspace{9mm}}l}
\begin{tabular}[t]{@{}l@{}}
\bl{$A \to C : K^{pub}_A$}\\
\bl{$C \to B : K^{pub}_C$}\\
\bl{$B \to C : K^{pub}_B$}\\
\bl{$C \to A : K^{pub}_C$}\medskip\\
\bl{$\{A,m\}_{K^{pub}_C} \;\mapsto\; H_1,H_2$}\\
\bl{$\{B,m'\}_{K^{pub}_C} \;\mapsto\; M_1,M_2$}\bigskip\\
\bl{$\{C,a\}_{K^{pub}_B} \;\mapsto\; C_1,C_2$}\\
\bl{$\{C,b\}_{K^{pub}_A} \;\mapsto\; D_1,D_2$}
\end{tabular} &
\begin{tabular}[t]{@{}l@{}}
\bl{$A \to C : H_1$}\\
\bl{$C \to B : C_1$}\\
\bl{$B \to C : \{C_1, M_1\}_{K^{pub}_C}$}\\
\bl{$C \to A : \{H_1, D_1\}_{K^{pub}_A}$}\\
\bl{$A \to C : \{H_2, D_1\}_{K^{pub}_C}$}\\
\bl{$C \to B : \{C_2, M_1\}_{K^{pub}_B}$}\\
\bl{$B \to C : M_2$}\\
\bl{$C \to A : D_2$}
\end{tabular}
\end{tabular}
\end{center}\pause

\footnotesize
\bl{$m$} = How is your grandmother? \bl{$m'$} = How is the
weather today in London?

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

\begin{itemize}
\item you have to ask something that cannot be imitated 
  (this requires that \bl{$A$} and \bl{$B$} know each other)
\item what happens if \bl{$m$} and \bl{$m'$} are voice
  messages?\bigskip\pause

\item So \bl{$C$} can either leave the communication unchanged
      (Diffie--Hellman), or invent a completely new conversation
      
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

\begin{itemize}
\item the moral: establishing a secure connection from
      ``zero'' is almost impossible---you need to rely on some
      established trust\medskip

\item that is why we rely on certificates, which however are
      badly, badly realised

\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Trusted Third Parties}

Simple protocol for establishing a secure connection via a
mutually trusted third party (server):

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
\bl{$S \rightarrow A :$} & \bl{$\{K_{AB}, \{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
\bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{PKI: The Main Idea}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key 
  \bl{$K^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody\medskip

\item What happens if the CA issues a false certificate? Who pays in case of loss? (VeriSign 
explicitly limits its liability to \$100.)
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}

\textbf{Principle 1:} Every message should say what it means: the
interpretation of a message should not depend on the
context.\bigskip\pause

\textbf{Principle 2:} If the identity of a principal is essential
to the meaning of a message, it is prudent to mention the
principal's name explicitly in the message (though
difficult).\bigskip

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}

\textbf{Principle 3:} Be clear about why encryption is being
done. Encryption is not wholly cheap, and not asking precisely
why it is being done can lead to redundancy. Encryption is not
synonymous with security.

\small
\begin{center}
Possible Uses of Encryption

\begin{itemize}
\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal.
\item Guarantee confidentiality and authenticity: binds two parts of a message---%
\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
\end{itemize}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Best Practices}

\textbf{Principle 4:} The protocol designers should know which
trust relations their protocol depends on, and why the
dependence is necessary. The reasons for particular trust
relations being acceptable should be explicit though they will
be founded on judgment and policy rather than on
logic.\bigskip


Example (certification authorities): CAs are trusted to certify
a key only after proper steps have been taken to identify the
principal that owns it.

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Formal Methods}

Ross Anderson on the use of logic:\bigskip

\begin{quote}
Formal methods can be an excellent way of finding 
bugs in security protocol designs as they force the designer 
to make everything explicit and thus confront difficult design 
choices that might otherwise be fudged. 
\end{quote}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mid-Term}

\begin{itemize}
\item homework, handouts, programs\ldots
\end{itemize}\bigskip\bigskip\bigskip

\begin{center}
{\huge\bfseries\alert{Any Questions?}}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: