\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}
\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}
\hfuzz=220pt

% beamer stuff
\renewcommand{\slidecaption}{SEN 04, King's College London}
\newcommand{\bl}[1]{\textcolor{blue}{#1}}

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Security Engineering (4)\\[-3mm]
  \end{tabular}}\bigskip\bigskip\bigskip

\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Office: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also homework is there)\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Survey: Thanks!}
\small
\begin{itemize}
\item ``Would be good, if you provide more detailed explanations. I feel your slides are not as structured as they could be.''
\item ``Please consider reference book chapters to cover core subject areas.''
\pause
\item ``The homework questions don't come directly from the slides. So must go look things up.''
\item ``Could you please put the homework answers online, perhaps just before the exam.
That's late enough where we should have done it and if not, we're screwed already then.''
\item ``Could you provide a brief basic answers to sheets for reference and not to be relied on.''
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
last week: buffer overflow attacks
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Wifi Router, BOA}
\small
As a proof-of-concept, the following URL allows attackers to control the return address saved on the stack (the vulnerability is triggered when executing \pcode{"/usr/sbin/widget"}):

\begin{center}
\footnotesize
\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
\end{center}

The value of the \pcode{hash} HTTP GET parameter consists of 292 occurrences of the \pcode{'A'} character, followed by four occurrences of the character \pcode{'B'}.
In our lab setup, the \pcode{'B'} characters overwrite the saved program counter (\pcode{\%ra}).
\bigskip

\begin{tabular}{@{}ll}
Discovery date: & 06/03/2013\\
Release date: & 02/08/2013
\end{tabular}
\bigskip

\footnotesize
\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Backdoors}

D-Link router flaw lets anyone log in through ``Joel's Backdoor'':
\medskip

\begin{quote}\rm\small
If you tell your browser to identify itself as Joel's backdoor, instead of (say) as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.
\medskip

``What is this string,'' I hear you ask? You will laugh: it is\pause
\begin{center}
\large\pcode{xmlset_roodkcableoj28840ybtide}
\end{center}
\end{quote}
\bigskip\bigskip

\hfill\footnotesize October 15, 2013\\
\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14
\medskip

\begin{quote}\rm\small
Hi,

we just found a serious vulnerability in the chkrootkit package, which may allow local attackers to gain root access to a box in certain configurations (\pcode{/tmp} not mounted noexec).
Steps to reproduce:
\begin{itemize}
\item Put an executable file named \pcode{update} with non-root owner in \pcode{/tmp} (not mounted noexec, obviously)
\item Run chkrootkit (as uid \pcode{0})
\end{itemize}

Result: The file \pcode{/tmp/update} will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in \pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may easily take advantage of this.
\end{quote}
\mbox{}\\[-10mm]
\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Unix-Style Access Control}

How do you control access? In Unix you have
\begin{itemize}
\item users, and you have groups/roles
\item some special roles: root
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Unix-Style Access Control}
\small
\begin{itemize}
\item Q: ``I am using Windows. Why should I care?'' \\
A: In Windows you have similar AC:
\begin{center}
\begin{tabular}{l}
administrators group\\
\hspace{5mm}(has complete control over the machine)\\
authenticated users\\
server operators\\
power users\\
network configuration operators
\end{tabular}
\end{center}
\medskip
\item Modern versions of Windows have more fine-grained AC than Unix; they do not have a setuid bit, but have \texttt{runas} (which asks for a password).
\pause
\item OS-provided access control can \alert{\bf add} to your security
(defence in depth)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}

\begin{center}
\begin{tikzpicture}[scale=1]
\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}

\begin{itemize}
\item the idea is to make the attack surface smaller and to mitigate the consequences of an attack: only the small interface process talks to the Internet, and it runs unprivileged
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Weaknesses of Unix AC}

Not just restricted to Unix:
\begin{itemize}
\item if you have too many roles (i.e.~too fine-grained AC), then the hierarchy becomes too complex\\
\textcolor{gray}{you invite situations like\ldots let's be root}
\bigskip
\item you can still abuse the system\ldots
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}

The idea is to trick a privileged person into doing something on your behalf:
\begin{itemize}
\item root:\\
\texttt{rm /tmp/*/*}
\bigskip\bigskip
\pause
\footnotesize
\begin{minipage}{1.1\textwidth}
\textcolor{gray}{the shell behind the scenes:}\\
\textcolor{gray}{\texttt{rm 
/tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}
\bigskip\\
\textcolor{gray}{this takes time}
\end{minipage}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Cron''-Attack}

\begin{enumerate}
\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
\medskip
\item root \textcolor{gray}{(does the daily cleaning)}\\
\texttt{rm /tmp/*/*}
\medskip\\
\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\
\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}
\medskip\\
\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file and replaces the directory with a symlink to \texttt{/etc})}\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\
\texttt{ln -s /etc /tmp/a}\\
\item root now deletes the real passwd file, because \texttt{/tmp/a/passwd} is resolved to \texttt{/etc/passwd}
\end{enumerate}
\only<2>{
\begin{textblock}{11}(2,5)
\begin{bubble}[8cm]
\normalsize To prevent this kind of attack, you need additional policies (don't do such operations as root).
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix}

\begin{itemize}
\item access control provided by the OS
\item authenticate principals
\item mediate access to files, ports, processes etc.\ according to \alert{roles} (user ids)
\item privileges are attached to roles
\bigskip\\
\hspace{8mm}\begin{bubble}[8cm]
\alert{principle of least privilege:}\\
users and programs should only have as much privilege as they need to accomplish a task
\end{bubble}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}

\begin{itemize}
\item 
privileges are specified by file access permissions (``everything is a file'')
\medskip
\item there are 9 (plus 2) bits that specify the permissions of a file
\begin{center}
\begin{tabular}{l}
\texttt{\$ ls -la}\\
\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
\end{tabular}
\end{center}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Login Process}

\begin{itemize}
\item login processes run under UID $=$ \pcode{0}
\medskip
\begin{center}
\texttt{ps -axl | grep login}
\end{center}
\medskip
\item after login, shells run under UID $=$ user (e.g.~501)
\medskip
\begin{center}
\texttt{id cu}
\end{center}
\medskip
\pause
\item non-root users are not allowed to change the UID --- that would break access control
\item but a change of UID is needed, for example, when \texttt{passwd} updates the password file
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Setuid and Setgid}

The solution is that Unix file permissions are 9 + \underline{2 Bits}: the \alert{Setuid} and \alert{Setgid} bits
\begin{itemize}
\item When a file with setuid is executed, the resulting process will assume the UID of the \underline{owner} of the file.
\item This enables users to create processes as root (or another user).
\bigskip
\item Essential for changing passwords, for example.
\end{itemize}

\begin{center}
\texttt{chmod 4755 foobar\_file}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}

\begin{itemize}
\item Access to objects (files, directories, devices, etc.) is permitted based on user identity. Each object is owned by a user.
Owners can specify freely (at their discretion) how they want to share their objects with other users, by specifying which other users can have which form of access to their objects.
\medskip
\item Discretionary access control is implemented on any modern multi-user OS (Unix, Windows NT, etc.).
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Mandatory Access Control}

\begin{itemize}
\item Access to objects is controlled by a system-wide policy, for example to prevent certain flows of information. In some forms, the system maintains security labels for both objects and subjects (processes, users), based on which access is granted or denied. Labels can change as the result of an access. Security policies are enforced without the cooperation of users or programs.
\medskip
\item This is implemented in operating system versions for banking or military use (e.g.~SELinux).
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}

In its most generic form usually given by an \alert{Access Control Matrix} of the form
\begin{center}
\begin{tabular}{r|c|c|c}
 & /mail/jane & edit.exe & postfix \\
\hline
jane & r, w & r, x & r, x\\
\hline
john & $\varnothing$ & r, w, x & r, x\\
\hline
postfix & a & $\varnothing$ & r, x\\
\end{tabular}
\end{center}
access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\small
\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst}

\begin{center}
\begin{tabular}{@{\hspace{-24mm}}ll}
members of group staff: & ping, bob, emma\\
members of group students: & 
emma\\
\end{tabular}
\end{center}

\begin{center}
\begin{tabular}{@{\hspace{-7mm}}r|c|c|c|c|c@{}}
 & manual.txt & report.txt & microedit & src/code.c & src/code.h \\
\hline
ping & & & & &\\
\hline
bob & & & & &\\
\hline
emma & & & & &\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mandatory Access Control}
\small
\begin{itemize}
\item Restrictions on allowed information flows are not decided at the user's discretion (as with Unix \pcode{chmod}), but instead enforced by system policies.
\item Mandatory access control mechanisms are aimed in particular at preventing policy violations by untrusted programs, which typically have at least the same access privileges as the invoking user.
\medskip
\pause
Simple example: Air Gap Security. Uses a completely separate network and computer hardware for different application classes.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Bell-LaPadula Model}
\small
\begin{itemize}
\item Formal policy model for mandatory access control in a military multi-level security environment. All subjects (processes, users, terminals) and objects (files, windows, connections) are labeled with a confidentiality level, e.g.
\begin{center}
unclassified < confidential < secret < top secret
\end{center}
\medskip
\item The system policy automatically prevents the flow of information from high-level objects to lower levels. A process that reads top secret data becomes tagged as top secret by the operating system, as will be all files into which it writes afterwards.
%Each user has a maximum allowed confidentiality level specified and
%cannot receive data beyond that level.
%A selected set of trusted
%subjects is allowed to bypass the restrictions, in order to permit
%the declassification of information.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Bell-LaPadula}
\small
\begin{itemize}
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if \bl{$O$}'s security level is at least as high as \bl{$P$}'s.
\medskip
\item Meta-Rule: All principals in a system should have a sufficiently high security level in order to access an object.
\end{itemize}
\bigskip

This restricts information flow $\Rightarrow$ military
\bigskip\bigskip
\pause

Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}

\begin{bubble}[10cm]
A principal should have as few privileges as possible to access a resource.
\end{bubble}
\bigskip\bigskip

\small
\begin{itemize}
\item Bob ($T\!S$) and Alice ($S$) want to communicate
\item[] $\Rightarrow$ Bob should lower his security level
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Biba Policy}
\small
Data Integrity (rather than data confidentiality)
\begin{itemize}
\item Biba: {\bf `no read down'} - {\bf `no write up'}
\item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if \bl{$P$}'s security level is lower than or equal to \bl{$O$}'s.
\item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if \bl{$O$}'s security level is lower than or equal to \bl{$P$}'s.
\end{itemize}
\bigskip\bigskip
\pause

E.g.~Firewalls: you can read from inside the firewall, but not from outside\\
Phishing: you can look at an approved PDF, but not one from a random email\\
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Security Levels (2)}

\begin{itemize}
\item Bell-LaPadula preserves data secrecy, but not data integrity
\bigskip
\pause
\item Biba model is for data integrity
\begin{itemize}
\item read: your own level and above
\item write: your own level and below
\end{itemize}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Shared Access Control}

\begin{center}
\includegraphics[scale=0.7]{../pics/pointsplane.jpg}
\end{center}

\begin{textblock}{11}(10.5,10.5)
\small
To take an action you\\[-1mm] need at least either:
\begin{itemize}
\item 1 CEO\\[-5mm]
\item 2 MDs, or\\[-5mm]
\item 3 Ds
\end{itemize}
\end{textblock}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Lessons from Access Control}

Not just restricted to Unix:
\begin{itemize}
\item if you have too many roles (i.e.~too fine-grained AC), then the hierarchy becomes too complex\\
\textcolor{gray}{you invite situations like\ldots let's be root}
\bigskip
\item you can still abuse the system\ldots
\bigskip
\pause
\item policies (a finite system)\\
computer system (infinite)
\medskip\\
Q: Does your policy ensure that a tainted file cannot affect your core system files?
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
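%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Worked Example: Unix Permission Bits}

The permission bits, the setuid bit and the access control matrix from the Unix slides above, worked through in code. This is an added example and not part of the original slides: the directory listing, the group memberships of ping, bob and emma and the file names are constructed for the exercise (the listing file \texttt{lst} is not reproduced here). Root's behaviour follows Linux: uid 0 bypasses the read and write checks but may only execute a file that has at least one execute bit set.

```python
"""Unix discretionary access control worked through in code.

Added example, not from the lecture slides. It parses an `ls -l` mode
string into the nine rwx bits plus the setuid/setgid/sticky bits,
converts them to the octal form chmod takes (4755 etc.), applies the
owner/group/other check the kernel performs for a process, shows which
identity a process gets when it executes a setuid file, and builds the
access control matrix of the exercise slide from a constructed listing.
"""
import stat
from collections import namedtuple

File = namedtuple("File", "name mode owner group")

# stat bit for each of the nine positions, plus the special bit that an
# 's' (setuid/setgid) or 't' (sticky) in the execute column stands for.
_BITS = [
    (stat.S_IRUSR, None), (stat.S_IWUSR, None), (stat.S_IXUSR, stat.S_ISUID),
    (stat.S_IRGRP, None), (stat.S_IWGRP, None), (stat.S_IXGRP, stat.S_ISGID),
    (stat.S_IROTH, None), (stat.S_IWOTH, None), (stat.S_IXOTH, stat.S_ISVTX),
]


def parse_mode(text):
    """'-rwsr-xr-x' -> integer mode bits (0o4755); the type char is skipped."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    mode = 0
    for i, ch in enumerate(text[1:]):
        bit, special = _BITS[i]
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            mode |= bit
        elif special is not None and ch.lower() == ("t" if special == stat.S_ISVTX else "s"):
            mode |= special          # upper case: special bit without execute
            if ch.islower():
                mode |= bit
        else:
            raise ValueError("unexpected %r at position %d" % (ch, i + 1))
    return mode


def octal(text):
    """The four-digit argument you would give chmod for this mode string."""
    return "%04o" % (parse_mode(text) & 0o7777)


# Constructed group memberships, as on the exercise slide.
GROUPS = {"staff": {"ping", "bob", "emma"}, "students": {"emma"}}


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def allowed(f, user, want):
    """Does `user` get `want` ('r', 'w' or 'x') on file f?

    Owner bits apply if the user owns the file, otherwise the group bits if
    one of the user's groups matches, otherwise the 'other' bits. root
    bypasses read/write but (as on Linux) executes only if some x bit is set.
    """
    if user == "root":
        return want != "x" or bool(f.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    cls = 6 if user == f.owner else 3 if f.group in groups_of(user) else 0
    return bool(f.mode & (1 << (cls + "xwr".index(want))))


def exec_identity(f, user, group):
    """(euid, egid) of a process after exec'ing f: the setuid/setgid bits
    (chmod 4755 sets the former) switch it to the file's owner/group."""
    euid = f.owner if f.mode & stat.S_ISUID else user
    egid = f.group if f.mode & stat.S_ISGID else group
    return euid, egid


# Constructed listing standing in for the exercise's `lst` file.
LISTING = """\
-rw-r--r--  bob   staff     manual.txt
-rw-rw----  emma  staff     report.txt
-rwsr-xr-x  ping  staff     microedit
-rw-r-----  bob   students  src/code.c
-rw-rw-r--  bob   staff     src/code.h
"""


def parse_listing(text):
    files = []
    for line in text.splitlines():
        mode_s, owner, group, name = line.split()
        files.append(File(name, parse_mode(mode_s), owner, group))
    return files


def access_matrix(files, users):
    """{user: {file: subset of 'rwx'}}, i.e. the matrix from the exercise."""
    return {u: {f.name: "".join(p for p in "rwx" if allowed(f, u, p)) for f in files}
            for u in users}


if __name__ == "__main__":
    for user, row in access_matrix(parse_listing(LISTING), ["ping", "bob", "emma"]).items():
        print(user, row)
```

Running the block prints one row of the matrix per user; the row for \texttt{microedit} shows that bob and emma may execute it, and \texttt{exec\_identity} shows the process then runs as its owner ping, which is exactly what the setuid bit in \texttt{chmod 4755} buys (and why a bug in such a program is a privilege escalation).
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%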
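%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Worked Example: Bell-LaPadula and Biba}

The read and write rules of the Bell-LaPadula and Biba slides above as executable policy, with the label ordering from the slides. This is an added example, not code from the original slides. The pure rule functions are the two models as stated; the small reference monitor adds what the Bell-LaPadula slide describes, a process that reads top secret data becomes tagged top secret and can no longer write to lower-level files. The Biba rules are evaluated in their strict form only; the file names and levels in the demo are constructed.

```python
"""Bell-LaPadula and Biba as executable policy.

Added example, not from the lecture slides. LEVELS is the total order
from the slides. The pure rule functions are the read/write rules of
the two models; `decision_table` evaluates them for every pair of
levels. `Monitor` is a small reference monitor for BLP that also does
what the slides describe: a process that reads data above its current
label is re-labelled to that level (a separate clearance bounds what it
may read at all), so a later write to a lower-level file is refused.
"""
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def rank(level):
    return LEVELS.index(level)


def blp_read(subject, obj):
    """BLP read rule: the subject must be at least as high (no read up)."""
    return rank(subject) >= rank(obj)


def blp_write(subject, obj):
    """BLP write rule: the object must be at least as high (no write down)."""
    return rank(obj) >= rank(subject)


def biba_read(subject, obj):
    """Biba read rule: no read down (do not absorb lower-integrity data)."""
    return rank(subject) <= rank(obj)


def biba_write(subject, obj):
    """Biba write rule: no write up (do not contaminate higher-integrity data)."""
    return rank(obj) <= rank(subject)


def decision_table(policy):
    """{(subject_level, object_level): 'rw' | 'r' | 'w' | ''} for 'blp' or 'biba'."""
    read, write = (blp_read, blp_write) if policy == "blp" else (biba_read, biba_write)
    table = {}
    for s in LEVELS:
        for o in LEVELS:
            table[(s, o)] = ("r" if read(s, o) else "") + ("w" if write(s, o) else "")
    return table


class Monitor:
    """BLP reference monitor with floating process labels.

    objects: {name: level}. A process is started with a clearance (the
    highest level it may ever read) and a current label, by default the
    lowest level; a successful read raises the label to the object's level.
    """

    def __init__(self, objects):
        self.objects = dict(objects)
        self.procs = {}  # name -> [clearance, current label]
        self.log = []    # (process, op, object, decision), for inspection

    def start(self, proc, clearance, label=LEVELS[0]):
        if rank(label) > rank(clearance):
            raise ValueError("label above clearance")
        self.procs[proc] = [clearance, label]

    def read(self, proc, obj):
        clearance, label = self.procs[proc]
        ok = blp_read(clearance, self.objects[obj])
        if ok and rank(self.objects[obj]) > rank(label):
            self.procs[proc][1] = self.objects[obj]  # tainted: label floats up
        self.log.append((proc, "read", obj, ok))
        return ok

    def write(self, proc, obj):
        label = self.procs[proc][1]
        ok = blp_write(label, self.objects[obj])
        self.log.append((proc, "write", obj, ok))
        return ok

    def label(self, proc):
        return self.procs[proc][1]


def demo():
    """A cleared editor reads a top secret plan and then tries to write notes."""
    m = Monitor({"plan.doc": "top secret", "notes.txt": "unclassified",
                 "summary.doc": "secret"})
    m.start("editor", clearance="top secret")
    steps = [m.write("editor", "notes.txt"),    # label unclassified: allowed
             m.read("editor", "plan.doc"),      # allowed, label -> top secret
             m.write("editor", "notes.txt"),    # now a write down: refused
             m.write("editor", "summary.doc"),  # still a write down: refused
             m.write("editor", "plan.doc")]     # same level: allowed
    return steps, m.label("editor")
```

\texttt{decision\_table} makes the duality of the two models visible: for a secret subject, Bell-LaPadula gives read-only access to unclassified data and write-only access to top secret data, Biba gives exactly the opposite.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%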
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Protocols}
\mbox{}

\begin{tabular}{l}
{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\
\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
\end{tabular}

\begin{itemize}
\item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
but most likely they are programs, which just follow some instructions (they are more like roles)
\bigskip
\item<2-> indicates one ``protocol run'', or session, which specifies some order in the communication
\item<2-> there can be several sessions in parallel (think of wifi routers)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}

Ross Anderson and Roger Needham wrote:
\bigskip

\begin{quote}\rm
\alert{A lot of the recorded frauds were the result of this kind of blunder, or from management negligence pure and simple.} However, there have been a significant number of cases where the designers protected the right things, used cryptographic algorithms which were not broken, and yet found that their systems were still successfully attacked.
\end{quote}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1-3>[c]
\frametitle{Oyster Cards}

\includegraphics[scale=0.4]{../pics/oysterc.jpg}

\begin{itemize}
\item good example of a bad protocol\\
(security by obscurity)
\bigskip
\item<3-> ``Breaching security on Oyster cards should not allow unauthorised use for more than a day, as TfL promises to turn off any cloned cards within 24 hours\ldots''
\end{itemize}

\only<2>{
\begin{textblock}{12}(0.5,0.5)
\begin{bubble}[11cm]
\footnotesize
{\bf Wirelessly Pickpocketing a Mifare Classic Card}
\medskip

The Mifare Classic is the most 
widely used contactless smartcard on the market. The stream cipher CRYPTO1 used by the Classic has recently been reverse engineered and serious attacks have been proposed. The most serious of them retrieves a secret key in under a second. In order to clone a card, previously proposed attacks require that the adversary either has access to an eavesdropped communication session or executes a message-by-message man-in-the-middle attack between the victim and a legitimate reader. Although this is already disastrous from a cryptographic point of view, system integrators maintain that these attacks cannot be performed undetected.
\smallskip

This paper proposes four attacks that can be executed by an adversary having only wireless access to just a card (and not to a legitimate reader). The most serious of them recovers a secret key in less than a second on ordinary hardware. Besides the cryptographic weaknesses, we exploit other weaknesses in the protocol stack. A vulnerability in the computation of parity bits allows an adversary to establish a side channel. Another vulnerability regarding nested authentications provides enough plaintext for a speedy known-plaintext attack.
\hfill{}(a paper from 2009)
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1->[t]
\frametitle{Another Example}

In an email from Ross Anderson
\bigskip

\small
\begin{tabular}{l}
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
Sender: cl-security-research-bounces@lists.cam.ac.uk\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Birmingham case\\
Date: Tue, 13 Aug 2013 15:13:17 +0100\\
\end{tabular}

\only<2>{
\begin{textblock}{12}(0.5,0.8)
\begin{bubble}[11cm]
\footnotesize
As you may know, Volkswagen got an injunction against the University of Birmingham suppressing the publication of the design of a weak cipher used in the remote key entry systems in its recent-model cars.
The paper is being given today at Usenix, minus the cipher design.
\medskip

I've been contacted by Birmingham University's lawyers who seek to prove that the cipher can be easily obtained anyway. They are looking for a student who will download the firmware from any newish VW, disassemble it and look for the cipher. They'd prefer this to be done by a student rather than by a professor to emphasise how easy it is.
\medskip

Volkswagen's argument was that the Birmingham people had reversed a locksmithing tool produced by a company in Vietnam, and since their key fob chip is claimed to be tamper-resistant, this must have involved a corrupt insider at VW or at its supplier Thales. Birmingham's argument is that this is nonsense as the cipher is easy to get hold of. Their lawyers feel this argument would come better from an independent outsider.
\medskip

Let me know if you're interested in having a go, and I'll put you in touch
\medskip

Ross
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}

Ross Anderson and Roger Needham wrote:
\bigskip

\begin{quote}\rm
A lot of the recorded frauds were the result of this kind of blunder, or from management negligence pure and simple.
\alert{However, there have been a significant number of cases where the designers protected the right things, used cryptographic algorithms which were not broken, and yet found that their systems were still successfully attacked.}
\end{quote}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}
\bigskip

Passwords:
\begin{center}
\bl{$B \rightarrow A: K_{AB}$}
\end{center}
\pause
\bigskip

Problem: An eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the identity of \bl{$B$}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}
\bigskip

Simple Challenge Response:
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}
\bigskip

Mutual Challenge Response:
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular}
\end{center}
%\pause
%An attacker \bl{$E$} can launch an impersonation attack by
%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her
%own challenges.
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
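%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Worked Example: Mutual Challenge Response}

The mutual challenge-response protocol of the slide above, run in code by both sides. This is an added example and not code from the original slides. The encryption \bl{$\{m\}_{K_{AB}}$} is instantiated with a counter-mode stream cipher whose keystream comes from HMAC-SHA256 (an assumption; the slides fix no cipher), the key and the session labels are constructed. The same party acts as initiator in one session and responder in another, as the Protocols slide allows, which is what makes the reflection attack possible: an attacker without the key gets \bl{$A$} to encrypt \bl{$A$}'s own challenge, and including the responder's identity in the second message stops this.

```python
"""Mutual challenge-response over a shared key, with the reflection attack.

Added example, not from the lecture slides. {m}_K from the slides is
instantiated here with a counter-mode stream cipher whose keystream is
HMAC-SHA256(K, iv || counter): unauthenticated encryption, which is all
the slides assume. Each Party can play initiator (msg1/msg3) and
responder (msg2/verify) in several sessions at once, keyed by a session
label. With check_id=False the protocol is exactly the one on the slide;
with check_id=True the responder puts its own name into message 2 and
the initiator checks it, which is the 'include an id' fix.
"""
import hashlib
import hmac
import os

NONCE = 16   # bytes
IV = 16


class ProtocolError(Exception):
    pass


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def _keystream(key, iv, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, msg):
    iv = os.urandom(IV)
    return iv + _xor(msg, _keystream(key, iv, len(msg)))


def decrypt(key, ct):
    iv, body = ct[:IV], ct[IV:]
    return _xor(body, _keystream(key, iv, len(body)))


class Party:
    def __init__(self, name, key, check_id=False):
        self.name, self.key, self.check_id = name, key, check_id
        self.nonces = {}  # session -> the nonce this party issued in it

    # initiator, message 1:  A -> B : N_A
    def msg1(self, session):
        self.nonces[session] = os.urandom(NONCE)
        return self.nonces[session]

    # responder, message 2:  B -> A : {N_A, N_B}_K   (plus B's name if check_id)
    def msg2(self, session, n_peer):
        self.nonces[session] = os.urandom(NONCE)
        tag = self.name.encode() if self.check_id else b""
        return encrypt(self.key, n_peer + self.nonces[session] + tag)

    # initiator, message 3:  A -> B : N_B   after checking message 2
    def msg3(self, session, ct, peer):
        body = decrypt(self.key, ct)
        if not hmac.compare_digest(body[:NONCE], self.nonces[session]):
            raise ProtocolError("message 2 does not answer my challenge")
        if self.check_id and body[2 * NONCE:] != peer.encode():
            raise ProtocolError("message 2 was not produced by " + peer)
        return body[NONCE:2 * NONCE]

    # responder: accept if message 3 returns the nonce issued in message 2
    def verify(self, session, n_back):
        return hmac.compare_digest(n_back, self.nonces[session])


def honest_run(a, b, session="s1"):
    """Both sides' messages; returns (initiator accepted, responder accepted)."""
    n_a = a.msg1(session)
    ct = b.msg2(session, n_a)
    try:
        n_b = a.msg3(session, ct, b.name)
    except ProtocolError:
        return False, False
    return True, b.verify(session, n_b)


def reflection_attack(a, peer="Bob"):
    """Eve, holding no key, plays 'Bob' to Alice in session s1 by opening a
    second session s2 in which Alice herself encrypts Eve's challenge."""
    n_a = a.msg1("s1")                    # A -> E(B): N_A
    ct = a.msg2("s2", n_a)                # E -> A: N_A (session 2);  A -> E: {N_A, N_A'}_K
    try:
        n_back = a.msg3("s1", ct, peer)   # E(B) -> A: {N_A, N_A'}_K;  A -> E: N_A'
    except ProtocolError:
        return False, False
    return True, a.verify("s2", n_back)   # E -> A: N_A' closes session 2 as well
```

With \texttt{check\_id=False}, \texttt{reflection\_attack} returns \texttt{(True, True)}: Alice accepts ``Bob'' in the first session and Eve in the second, although Eve never held the key. With \texttt{check\_id=True} Alice finds her own name where Bob's should be and rejects. The other fix from the slides, separate keys \bl{$K_{AB} \not= K_{BA}$} per direction, works for the same reason: Alice's responder output can then never be a valid initiator input for Alice.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%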
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}

\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send it back to me
\end{enumerate}

I can infer:
\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I sent you my initial message
\item if only you and I know the key, the message must have come from you
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}

The attack (let $A$ decrypt her own messages; the gray lines are a second, parallel session that \bl{$E$} opens with \bl{$A$}):
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}
\pause
\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Encryption to the Rescue?}

\begin{itemize}
\item \bl{$A \,\rightarrow\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted
\bigskip
\item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
\bigskip
\item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}
\bigskip
\end{itemize}
\pause
means you need to send separate ``Hello'' signals (bad), or worse share a single key between many 
entities
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocol Attacks}

\begin{itemize}
\item replay attacks
\item reflection attacks
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks
\item binding attacks (public key protocols)
\item changing environment / changing assumptions
\bigskip
\item (social engineering attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''
\bigskip
\item CA must be trusted by everybody
\item What happens if the CA issues a false certificate? Who pays in case of loss? 
(VeriSign explicitly limits liability to \$100.)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

``Normal'' protocol run:
\bigskip
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it with its private key
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it with its private key
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Attack:
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and sends his own public key instead
\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and sends his own public key instead
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key (believing it is \bl{$B$}'s), \bl{$C$} decrypts it with its private key, re-encrypts with \bl{$B$}'s public key
\item similar for the other direction
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Prevention (the interlock protocol):
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, sends {\bf half} of the message
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, sends {\bf half} of the message
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
\end{itemize}
\pause
\bl{$C$} would have to invent a totally new 
message
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''
\bigskip
\item CA must be trusted by everybody
\item What happens if the CA issues a false certificate? Who pays in case of loss? (VeriSign explicitly limits liability to \$100.)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Binding Attacks}

With public-private keys it is important that the public key is \alert{bound} to the right owner (verified by a certification authority \bl{$CA$})
\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}
\bigskip

\bl{$A$} knows \bl{$K^{priv}_A$} and can verify that the message came from \bl{$CA$} in response to \bl{$A$}'s message, and trusts that \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Binding Attacks}

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}
\pause

\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$} (which happily decrypts them with its private 
key)\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]\frametitle{Replay Attacks}Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: \begin{center}\begin{tabular}{r@ {\hspace{1mm}}l}\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\\end{tabular}\end{center}\bigskip\pauseat the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key\bl{$K_{AB}$} and know that the other principal has the key\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]\begin{center}\begin{tabular}{l}\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\\end{tabular}\end{center}\pause\bl{$B$} believes it is following the correct protocol,intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} andtalks to \bl{$B$} masquerading as 
\bl{$A$}\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]\frametitle{Time-Stamps}The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):\begin{center}\begin{tabular}{r@ {\hspace{1mm}}l}\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\\end{tabular}\end{center}\bigskip\pausebut nothing is for free: then you need to synchronise time and possibly become a victim totiming attacks\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]A Man-in-the-middle attack in real life:\begin{itemize}\item the card only says yes to the terminal if the PIN is correct\item trick the card in thinking transaction is verified by signature\item trick the terminal in thinking the transaction was verified by PIN\end{itemize}\begin{minipage}{1.1\textwidth}\begin{center}\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}\end{center}\end{minipage}\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]\frametitle{Problems with EMV}\begin{itemize}\item it is a wrapper for many protocols\item specification by consensus (resulted unmanageable complexity)\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some further parts are secret\item other attacks have been 
found\end{itemize}\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}}\begin{itemize}\item a standard ratified in 1999\item the protocol was designed by a committee not including cryptographers\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce\item WEP did not allocate enough bits for the nonce\item for authenticating packets it used CRC checksum which can be easily broken\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip\item encryption was turned off by default\end{itemize}\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]\frametitle{Protocols are Difficult}\begin{itemize}\item even the systems designed by experts regularly fail\medskip\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip\item the one who can fix a system should also be liable for the losses\medskip\item cryptography is often not {\bf the} answer\bigskip\bigskip \end{itemize}\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\mode<presentation>{\begin{frame}[c]\frametitle{Best Practices}{\bf Principle 1:} Every message should say what it means: the interpretation of a message should not depend on the context.\bigskip\pause{\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal’s name explicitly in the message (though difficult).\bigskip\end{frame}}%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
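The replay attack on the Schroeder-Needham protocol and its time-stamp fix from the frames above, as an added example that is not part of the original slides. Encryption is modelled symbolically (a record that `dec()` only opens with the matching key), so the code shows the message structure, not real cryptography; the principal names, long-term keys `K_AS`/`K_BS`, the 5-unit freshness window and the `Clock` are all constructed for the demonstration.

```python
"""Symbolic model of the Schroeder-Needham key exchange, the replay of an
old ticket after K_AB has leaked, and the time-stamp fix. Added example,
not from the slides: symbolic encryption only, all names/keys constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """{payload}_key: symbolic ciphertext; dec() only opens it with `key`."""
    key: str
    payload: tuple


def enc(key, *payload):
    return Enc(key, tuple(payload))


def dec(key, c):
    if not isinstance(c, Enc) or c.key != key:
        raise ValueError("cannot decrypt: wrong key")
    return c.payload


def fresh(tag):
    """A nonce or session key unpredictable to the other principals."""
    return f"{tag}-{secrets.token_hex(4)}"


class Clock:
    """Shared, synchronised clock: the precondition the time-stamp fix needs."""
    def __init__(self):
        self.t = 0


class Server:
    """Trusted third party S; knows every principal's long-term key."""
    def __init__(self, keys, clock=None):
        self.keys, self.clock = keys, clock          # clock=None: original protocol

    def respond(self, a, b, n_a):
        k_ab = fresh("K_AB")
        if self.clock is None:
            ticket = enc(self.keys[b], k_ab, a)                 # {K_AB, A}_K_BS
        else:
            ticket = enc(self.keys[b], k_ab, a, self.clock.t)   # {K_AB, A, T_S}_K_BS
        return enc(self.keys[a], n_a, b, k_ab, ticket)          # {N_A, B, K_AB, ticket}_K_AS


class Responder:
    """Principal B: opens the ticket, then challenges with a fresh N_B."""
    def __init__(self, k_bs, clock=None, window=5):
        self.k_bs, self.clock, self.window = k_bs, clock, window
        self.session = None

    def challenge(self, ticket):
        fields = dec(self.k_bs, ticket)
        if self.clock is None:
            k_ab, a = fields
        else:
            k_ab, a, t_s = fields
            if abs(self.clock.t - t_s) > self.window:   # reject old tickets
                raise ValueError("stale ticket")
        n_b = secrets.randbelow(1 << 32)
        self.session = (a, k_ab, n_b)
        return enc(k_ab, n_b)                               # {N_B}_K_AB

    def verify(self, response):
        a, k_ab, n_b = self.session
        (x,) = dec(k_ab, response)
        return x == n_b - 1                                 # expects {N_B - 1}_K_AB


def initiator_run(server, keys, responder):
    """One honest run by A. Returns (ticket seen on the wire, K_AB, accepted)."""
    n_a = fresh("N_A")
    reply = server.respond("A", "B", n_a)                   # A -> S : A, B, N_A
    n_a2, b, k_ab, ticket = dec(keys["A"], reply)
    if n_a2 != n_a or b != "B":                             # A checks nonce and peer
        raise ValueError("bad server reply")
    chal = responder.challenge(ticket)                      # A -> B : ticket
    (n_b,) = dec(k_ab, chal)
    return ticket, k_ab, responder.verify(enc(k_ab, n_b - 1))


def honest_run(use_timestamps):
    clock = Clock() if use_timestamps else None
    keys = {"A": "K_AS", "B": "K_BS"}                       # long-term keys (constructed)
    return initiator_run(Server(keys, clock), keys, Responder(keys["B"], clock))[2]


def replay_attack(use_timestamps):
    """Does B accept a ticket replayed from an old run whose K_AB has leaked?"""
    clock = Clock() if use_timestamps else None
    keys = {"A": "K_AS", "B": "K_BS"}
    server, bob = Server(keys, clock), Responder(keys["B"], clock)
    old_ticket, old_k_ab, ok = initiator_run(server, keys, bob)  # run 1, recorded by I
    if not ok:
        raise RuntimeError("honest run failed")
    if clock is not None:
        clock.t += 3600                     # much later; K_AB of run 1 is now compromised
    try:
        chal = bob.challenge(old_ticket)    # I(A) -> B : {K_AB, A}_K_BS   (replay)
    except ValueError:
        return False                        # B rejects the stale time-stamp
    (n_b,) = dec(old_k_ab, chal)            # B -> I(A) : {N'_B}_K_AB
    return bob.verify(enc(old_k_ab, n_b - 1))   # I(A) -> B : {N'_B - 1}_K_AB
```

`replay_attack(False)` returns `True`: B cannot tell the replayed ticket from a fresh one, exactly as on the slide. `replay_attack(True)` returns `False` because B compares `T_S` against its own clock. The `window` is where the slide's caveat lives: the check only works if S and B agree on the time to within that tolerance, and any replay inside the window is still accepted.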
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

{\bf Principle 3:} Be clear about why encryption is being done. Encryption is not cheap, and not asking precisely why it is being done can lead to redundancy. Encryption is not synonymous with security.

\begin{center}
Possible Uses of Encryption
\begin{itemize}
\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal.
\item Guarantee confidentiality and authenticity: binds two parts of a message --- \bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
\end{itemize}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 4:} The protocol designer should know which trust relations his protocol depends on, and why the dependence is necessary. The reasons for particular trust relations being acceptable should be explicit, though they will be founded on judgment and policy rather than on logic.\bigskip

Example Certification Authorities: CAs are trusted to certify a key only after proper steps have been taken to identify the principal that owns it.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: