slides/slides08.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Sun, 22 Sep 2013 15:22:11 +0100
changeset 90 d1d07f05325a
parent 82 slides08.tex@01562d143105
child 138 86d1e2e6c211
permissions -rw-r--r--
added slides directory

\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{proof}
\usepackage{beamerthemeplainculight}
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage{isabelle}
\usepackage{isabellesym}
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{courier}
\usepackage{listings}
\usetikzlibrary{arrows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx} 
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{plotmarks}


% Isabelle document style: Isabelle text, minor text and script-size text are
% all switched to the roman family.
% NOTE(review): \rm is the old-style font switch; \rmfamily is the current
% spelling. Left as written.
\isabellestyle{rm}
\renewcommand{\isastyle}{\rm}%
\renewcommand{\isastyleminor}{\rm}%
\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
% The proof-tag hooks expand to nothing, and comment markup prints its
% argument unchanged.
\renewcommand{\isatagproof}{}
\renewcommand{\endisatagproof}{}
\renewcommand{\isamarkupcmt}[1]{#1}

% Isabelle characters: map Isabelle's symbol macros to plain LaTeX output.
\renewcommand{\isacharunderscore}{\_}
\renewcommand{\isacharbar}{\isamath{\mid}}
% \isasymiota is redefined to print nothing.
\renewcommand{\isasymiota}{}
\renewcommand{\isacharbraceleft}{\{}
\renewcommand{\isacharbraceright}{\}}
% Less-than and greater-than are shown as angle brackets.
\renewcommand{\isacharless}{$\langle$}
\renewcommand{\isachargreater}{$\rangle$}
\renewcommand{\isasymsharp}{\isamath{\#}}
\renewcommand{\isasymdots}{\isamath{...}}
% NOTE(review): \act is not defined anywhere in this file; presumably it comes
% from a loaded package or theme -- confirm, otherwise any use of
% \isasymbullet fails.
\renewcommand{\isasymbullet}{\act}



% Colour palette for code listings, referenced by the \lstset calls below.
% NOTE(review): javared is annotated "for strings", but both \lstset calls in
% this file set stringstyle to javagreen, so javared is not referenced here.
\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

% Global listing defaults with Java as the active language: typewriter font,
% bold purple keywords, green strings and comments, blue /** ... */ blocks,
% and a tiny black number on every line, placed 10pt to the left of the code.
% A later \lstset in this file repeats the same keys with language=Scala.
\lstset{%
  language=Java,
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  tabsize=2,
  showspaces=false,
  showstringspaces=false%
}

% Scala language definition for listings: the keyword list, symbolic
% keywords, case-sensitive matching, // line comments, nested /* */ comments,
% and backslash-escaped string delimiters (", ' and """).
\lstdefinelanguage{scala}{
  morekeywords={abstract,case,catch,class,def,%
    do,else,extends,false,final,finally,%
    for,if,implicit,import,match,mixin,%
    new,null,object,override,package,%
    private,protected,requires,return,sealed,%
    super,this,throw,trait,true,try,%
    type,val,var,while,with,yield},
  otherkeywords={=>,<-,<\%,<:,>:,\#,@},
  sensitive=true,
  morecomment=[l]{//},
  morecomment=[n]{/*}{*/},
  morestring=[b]",
  morestring=[b]',
  morestring=[b]"""
}

% Switch the active listing language to Scala. Every other key repeats the
% value already given in the Java \lstset above, so only the language changes.
\lstset{%
  language=Scala,
  basicstyle=\ttfamily,
  keywordstyle=\color{javapurple}\bfseries,
  stringstyle=\color{javagreen},
  commentstyle=\color{javagreen},
  morecomment=[s][\color{javadocblue}]{/**}{*/},
  numbers=left,
  numberstyle=\tiny\color{black},
  stepnumber=1,
  numbersep=10pt,
  tabsize=2,
  showspaces=false,
  showstringspaces=false%
}

% beamer stuff 
% Caption text for this lecture; \slidecaption is presumably printed by the
% plainculight theme -- the theme file is not part of this listing.
\renewcommand{\slidecaption}{APP 08, King's College London, 20 November 2012}
% \dn: an equals sign with a small "def" stacked on top.
\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
% \bl{...}: typeset the argument in blue; wraps the protocol notation on
% every slide.
\newcommand{\bl}[1]{\textcolor{blue}{#1}}

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Title slide: lecture title and contact details. The title sits in a
% one-column tabular so the line spacing can be tightened by hand.
\begin{frame}<1>[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (8)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  %\begin{center}
  %\includegraphics[scale=1.3]{pics/barrier.jpg}
  %\end{center}

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  % The math-mode \! between the two f's presumably avoids the ff ligature.
  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)\\
  \end{tabular}
  \end{center}


\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
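  \mode<presentation>{
  % Recap of the three-message challenge-response exchange: A sends its name
  % and a nonce in the clear, B answers under the long-term key K_{AB} and
  % supplies a new key K'_{AB}, and A confirms under that new key.
  % NOTE(review): the "Replay Attacks" frame later in this file gives a
  % four-message exchange under the same protocol name.
  \begin{frame}[c]
  \frametitle{Last Week}

Andrew Secure RPC Protocol:
\bl{$A$} and \bl{$B$} share a private key \bl{$K_{AB}$} and want to identify
each other\bigskip

 \begin{itemize}
 \item \bl{$A \,\text{sends}\, B :  A, N_A$} 
 \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
 \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
 \end{itemize}
 
  \end{frame}}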
  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%    
    
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  % Notation slide: how protocol steps are written and what a "session" is.
  % The second message line, the continuation colon and the last two bullets
  % are uncovered from overlay 2 onwards.
  \begin{frame}[t]
  \frametitle{Protocols}
 
\mbox{} 
  
\begin{tabular}{l}
{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\
\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
\end{tabular}  
  
 \begin{itemize}
 \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
 but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
\item<2-> indicates one ``protocol run'', or session,  which specifies some 
order in the communication
\item<2-> there can be several sessions in parallel (think of wifi routers) 
\end{itemize} 
  
  \end{frame}}
  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
  
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  % Repeats the three-message exchange from the earlier "Last Week" frame,
  % this time without the protocol name, as the lead-in to the reflection
  % attack on the next frame.
  \begin{frame}[c]
  \frametitle{Last Week}


\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
each other\bigskip

 \begin{itemize}
 \item \bl{$A \,\text{sends}\, B :  A, N_A$} 
 \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
 \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
 \end{itemize}
  \end{frame}}
  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      
     
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  % Reflection attack on the exchange from the previous frame. The left
  % column is the session A starts; the right column is a second session that
  % the intruder opens towards A. The overlay numbers <1-> to <6-> give the
  % order in which the six messages occur across the two columns.
  % What the table shows: A answers its own challenge in the second session,
  % and the intruder hands that answer back in the first, so the intruder
  % never needs K_{AB}.
  % Defensive reading: nothing inside the encrypted reply says who produced
  % it or in which direction it travels, so A cannot tell its own answer from
  % B's.
  \begin{frame}[c]
  \frametitle{Defeating Challenge-Response}

\noindent
A \alert{reflection attack}: an intruder \bl{$I$} impersonates \bl{$B$}.

\begin{center}
\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}}
\begin{tabular}{@{}l@{}}
\onslide<1->{\bl{$A \,\text{sends}\, I :  A, N_A$}}\\ 
\onslide<4->{\bl{$I \,\text{sends}\, A :  \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\ 
\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\
\end{tabular}
&
\begin{tabular}{@{}l@{}}
\onslide<2->{\bl{$I \,\text{sends}\, A :  B, N_A$}}\\ 
\onslide<3->{\bl{$A \,\text{sends}\, I :  \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\ 
\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\
\end{tabular}
\end{tabular}
\end{center}\bigskip

\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''\medskip\\
was originally developed at CMU for terminals to connect to 
workstations (e.g., file servers)}

  \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%         

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Identify-Friend-or-Foe anecdote. The picture is shifted right by hand and
% the text and arrow labels are placed at absolute page positions with
% textpos, so the coordinates below depend on the image size.
% NOTE(review): the year is left as "198?" in the source.
% NOTE(review): the image file is named MigInMiddle, which suggests a
% relay / man-in-the-middle scenario; "side-channel" in the last text block
% may be meant loosely -- confirm the intended term.
\begin{frame}[c]
\frametitle{Identify Friend or Foe}

\begin{center}
\onslide<3->{\mbox{}\hspace{3.4cm}\includegraphics[scale=0.55]{pics/MigInMiddle.jpg}}
\end{center}

\begin{textblock}{6}(0.3,2)
\onslide<2->{
198?: war between Angola (supported by Cuba)
and Namibia (supported by SA)}
\end{textblock}

\begin{textblock}{3}(12.5,4.6)
  \onslide<3->{
  \begin{tikzpicture}
  \node at (0,0) [single arrow, fill=red,text=white, rotate=-50, shape border rotate=180]{``bystander''};
  \end{tikzpicture}}
  \end{textblock}

\begin{textblock}{3}(10.9,10)
  \onslide<3->{
  \begin{tikzpicture}
  \node at (0,0) [single arrow, fill=red,text=white, rotate=-40, shape border rotate=180]{attacker};
  \end{tikzpicture}}
  \end{textblock}
  
\only<4->{
\begin{textblock}{6}(0.3,9)
being outsmarted by Angola/Cuba
ended SA involvement (?)
\end{textblock}}
\only<5->{
\begin{textblock}{6}(0.3,13)
IFF opened up a nice side-channel attack
\end{textblock}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  % Variant of the exchange in which A's first message is encrypted under
  % K_{AB} as well. The closing remark gives the cost: B has to learn which
  % key to use before it can read that message.
  \begin{frame}[c]
  \frametitle{Encryption to the Rescue?}


 \begin{itemize}
 \item \bl{$A \,\text{sends}\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip 
 \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
 \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip
 \end{itemize}\pause
 
means you need to send separate ``Hello'' signals (bad), or worse 
share a single key between many entities
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Overview list of attack classes. Replay, reflection, binding and
% changing-environment attacks each have their own frames in this file.
\begin{frame}[c]
\frametitle{Protocol Attacks}

\begin{itemize}
\item replay attacks
\item reflection attacks
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks
\item binding attacks (public key protocols)
\item changing environment / changing assumptions\bigskip

\item (social engineering attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Key distribution through a trusted server S. S returns the new key K_{AB}
% to A together with a copy for B that is encrypted under B's key K_{BS};
% A forwards that copy. The last two messages are a nonce handshake under
% the new key.
% NOTE(review): the literature usually calls this the Needham-Schroeder
% (symmetric-key) protocol; the slide's word order is left as written.
\begin{frame}[c]
\frametitle{Replay Attacks}

Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: 

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
\bl{$K_{AB}$} and know that the other principal has the key

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
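\mode<presentation>{
% What a nonce handshake lets the challenger conclude. The three inferences
% only hold while the shared key is still secret; the replay example on the
% following frames shows what happens once an old key is compromised.
\begin{frame}[c]
\frametitle{Nonces}

\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}


I can infer:

\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I sent you my initial
message
\item if only you and I know the key, the message must have come from you
\end{itemize}

\end{frame}}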
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
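\mode<presentation>{
% Replay against the key-distribution protocol of the previous frames.
% Rows 1-5 are an honest run; K_{AB} from that run is then compromised.
% After a second honest request by A, the intruder (written I(A) when it
% poses as A) resends the old third message to B.
% Why B is fooled: the forwarded message {K_{AB}, A}_{K_{BS}} contains
% nothing that ties it to the current run, so B cannot tell it is old.
\begin{frame}[c]

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
% The last row now ends with \\ like the other tables in this file; the
% source had a lone backslash here, which TeX reads as a control space.
\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\pause

\bl{$B$} believes it is following the correct protocol,
intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
talks to \bl{$B$} masquerading as \bl{$A$}
\end{frame}}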
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Picture-only interlude slide; needs pics/dogs.jpg next to the source.
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.5]{pics/dogs.jpg}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Upper table: an honest run in which B hands A a new key in the fourth
% message. Lower table: the intruder, posing as B, intercepts A's third
% message and sends B's second message again in place of the fourth.
% Presumably the stated assumption (nonces have the same length as keys) is
% what lets A mistake the replayed N_A+1 for the new key -- the slide does
% not spell this out.
% NOTE(review): the "Last Week" frame gives a three-message exchange under
% the same protocol name.
\begin{frame}[c]
\frametitle{Replay Attacks}

Andrew Secure RPC protocol: exchanging a new key
between \bl{$A$} and \bl{$B$}

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\
\bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

Assume nonces are represented as bit-sequences of the same length as keys
\begin{center}
\begin{tabular}{@{}l@{}}
\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\
\bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\
\end{tabular}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Time-stamp repair of the key-distribution protocol: the server's time
% stamp T_S is placed inside the part encrypted for B, so B has something to
% check an incoming copy against. The closing remark names the price, which
% is synchronised clocks.
% NOTE(review): the literature usually calls this the Needham-Schroeder
% protocol; the slide's word order is left as written.
\begin{frame}[c]
\frametitle{Time-Stamps}

The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

but nothing is for free: then you need to synchronise time and possibly become a victim to
timing attacks

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
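\mode<presentation>{
% Nonce repair of the key-distribution protocol: B first hands A a nonce
% N_B encrypted under K_{BS}, A passes it to the server, and the server
% places N_B inside the part encrypted for B. B can then check that the
% copy it receives belongs to the run it has just started.
% The closing sentence in the source was identical to the one on the
% time-stamp frame, but this variant contains no time stamp. It now states
% the cost visible in the table: seven messages instead of five, and a nonce
% that B has to keep until the copy arrives.
\begin{frame}[c]

It can also be fixed by including another nonce:

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow B :$} & \bl{$A$}\\
\bl{$B \rightarrow A :$} & \bl{$\{A, N_B\}_{K_{BS}}$}\\
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A, \{A, N_B\}_{K_{BS}}$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, N_B\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, N_B\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

but nothing is for free: the protocol now needs two more messages, and \bl{$B$}
has to keep track of the nonces it has issued

\end{frame}}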
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Public-key lookup through a certification authority. A asks for B's key;
% the reply is encrypted under A's public key and echoes A's nonce.
% Point to notice before the next frame: the reply names CA, A and N_A but
% not B, so nothing inside it ties the returned key to the principal A asked
% about.
\begin{frame}[c]
\frametitle{Binding Attacks}

with public-private keys it is important that the public key is \alert{bound} 
to the right owner (verified by a certification authority \bl{$CA$})

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\bigskip

\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% The binding attack itself: the intruder rewrites A's request so that it
% asks for I's key instead of B's, then relays the CA's genuine reply to A.
% The reply looks the same to A as an honest one because it does not say
% whose key it carries. A reply that also named the principal whose key is
% returned would let A notice the substitution.
\begin{frame}[c]
\frametitle{Binding Attacks}

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\pause

\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
(which happily decrypts them with its private key)

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
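\mode<presentation>{
% Transition slide between the protocol-level attacks and the
% changing-environment example that follows.
\begin{frame}[c]

There are plenty of other protocols and attacks. This could go on ``forever''.\pause\bigskip

We look here at one more kind of attack: those caused by a changing environment.

\end{frame}}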
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Rail-ticket example told in four steps. The first bullet stays on screen;
% each \only<n> block below replaces the previous one on overlays 2 to 5.
\begin{frame}[t]
\frametitle{Changing Environment Attacks}

\begin{itemize}
\item all protocols rely on some assumptions about the environment
(e.g., cryptographic keys cannot be broken)\bigskip\pause
\end{itemize}

\only<2>{
\begin{itemize}
\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not
worthwhile
\end{itemize}}

\only<3>{
\begin{itemize}
\item when it got expensive, some people bought cheaper monthly tickets for a suburban 
station and a nearby one, and one for the destination and a nearby one
\item a large investment later all barriers were automatic and tickets could record state
\end{itemize}}

\only<4>{
\begin{itemize}
\item but suddenly the environment changed: rail transport got privatised creating many 
competing companies
potentially cheating each other
\item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots
\end{itemize}}

\only<5>{
\begin{itemize}
\item apart from bad outsiders (passengers), you also had bad insiders (rail companies)
\item chaos and litigation ensued
\end{itemize}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
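\mode<presentation>{
% Real-world man-in-the-middle example between a payment card and a
% terminal. Judging by the image file names and the EMV frame that follows,
% this is about chip-and-PIN. The two pictures sit side by side in a
% minipage slightly wider than the text block.
% Defensive reading of the bullets: card and terminal each end up with a
% different belief about how the cardholder was verified, and the card's
% yes/no answer does not settle which method was used.
\begin{frame}[c]

A Man-in-the-middle attack in real life:

\begin{itemize}
\item the card only says yes or no to the terminal if the PIN is correct
\item trick the card into thinking the transaction is verified by signature
\item trick the terminal into thinking the transaction was verified by PIN
\end{itemize}

\begin{minipage}{1.1\textwidth}
\begin{center}
\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
\end{center}
\end{minipage}

\end{frame}}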
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
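\mode<presentation>{
% Why the EMV specification is hard to get right, plus one possible remedy
% (online PIN verification) as the last bullet.
\begin{frame}[c]
\frametitle{Problems with EMV}

\begin{itemize}
\item it is a wrapper for many protocols
\item specification by consensus (resulted in unmanageable complexity)
\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some 
further parts are secret
\item other attacks have been found

\item one solution might be to require always online verification of the PIN with the bank
\end{itemize}

\end{frame}}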
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
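\mode<presentation>{
% Design flaws of WEP listed as a case study.
% Background for the CRC bullet: a CRC is an unkeyed error-detecting code,
% so it catches accidental corruption but gives no protection against
% deliberate modification of a packet.
\begin{frame}[c]
\frametitle{Problems with WEP (Wifi)}

\begin{itemize}
\item a standard ratified in 1999
\item the protocol was designed by a committee not including cryptographers
\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
\item WEP did not allocate enough bits for the nonce
\item for authenticating packets it used CRC checksum which can be easily broken
\item the network password was used to directly encrypt packets (instead of a key negotiation protocol)\bigskip
\item encryption was turned off by default
\end{itemize}

\end{frame}}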
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
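\mode<presentation>{
% Take-away slide for the protocol part of the lecture.
\begin{frame}[c]
\frametitle{Protocols are Difficult}

\begin{itemize}
\item even the systems designed by experts regularly fail\medskip
\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
\item the one who can fix a system should also be liable for the losses\medskip
% \textbf replaces the obsolete {\bf ...} switch; the output is the same.
\item cryptography is often not \textbf{the} answer\bigskip\bigskip  
\end{itemize}

logic is one way protocols are studied in academia
(you can use computers to search for attacks)

\end{frame}}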
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
% Certificate authorities: what a certificate asserts, and the open
% questions about trust and liability.
% NOTE(review): the public key is written P^{pub}_{Bob} here, while the
% binding-attack frames write public keys as K^{pub}_{B}; presumably the
% same kind of object is meant.
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
explicitly limits liability to \$100.)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
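\mode<presentation>{
% Terminology slide: secrecy, confidentiality, anonymity and privacy.
% "e.g.," and the spelling "organisations" now match the rest of the file.
\begin{frame}[c]
\frametitle{Privacy, Anonymity et al}

Some terminology:

\begin{itemize}
\item \alert{secrecy} is the mechanism used to limit the number of 
principals with access to information (e.g., cryptography or access controls)

\item \alert{confidentiality} is the obligation to protect the secrets of other people 
or organisations (secrecy for the benefit of an organisation)

\item \alert{anonymity} is the ability to leave no evidence of an activity (e.g., sharing a secret)

\item \alert{privacy} is the ability or right to protect your personal secrets 
(secrecy for the benefit of an individual)

\end{itemize}

\end{frame}}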
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
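\mode<presentation>{
% Contrasts the accepted uses of anonymity with two common dismissals of
% privacy: a quotation, and the "nothing to hide" argument.
\begin{frame}[t]
\frametitle{Privacy vs Anonymity}

\begin{itemize}
\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review)
\end{itemize}\bigskip\bigskip\pause


But privacy?\bigskip\bigskip

``You have zero privacy anyway. Get over it.''\\
\hfill{}Scott McNealy (CEO of Sun)\bigskip\\


If you have nothing to hide, you have nothing to fear.

\end{frame}}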
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
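\mode<presentation>{
% Examples of how personal data can be turned against its owner, followed
% (after the pause) by two cases where disclosure serves a public interest.
\begin{frame}[t]
\frametitle{Privacy}

private data can often be used against me

\begin{itemize}
\item if my location data becomes public, thieves will switch off their phones and help themselves in my home
\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages)
\item my employer might not like my opinions\bigskip\pause

\item on the other hand, Freedom-of-Information Act 
\item medical data should be private, but medical research needs data
\end{itemize}

\end{frame}}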
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{Privacy Problems}

\begin{itemize}
\item Apple takes note of every dictation (send over the Internet to Apple)
\item markets often only work, if data is restricted (to build trust)
\item Social network can reveal data about you 
\item have you tried the collusion extension for FireFox?
\item I do use Dropbox, store cards\bigskip
\item next week: anonymising data
\end{itemize}

\begin{textblock}{5}(12,8.9)
\includegraphics[scale=0.3]{pics/gattaca.jpg}\\
\small Gattaca (1997)
\end{textblock}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: