\PassOptionsToPackage{bookmarks=false}{hyperref}
\documentclass[dvipsnames,14pt,t,hyperref={bookmarks=false}]{beamer}
\usepackage{../style}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usepackage{../data}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}
\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}
\hfuzz=220pt
% beamer stuff
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
\renewcommand{\slidecaption}{SEN 05, King's College London}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
\LARGE Security Engineering (5)\\[-3mm]
\end{tabular}}\bigskip\bigskip\bigskip
\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Office: & N7.07 (North Wing, Bush House)\\
Slides: & KEATS (also homework is there)\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Topical Slide}
\begin{itemize}
\item Protocoll attack against Wifi clients
\item you can force a client to install choosen keys (000\ldots{}000)
\item all Unix-based devices are affected (Windows not so much, since
they do not fully implement the Wifi standard)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Protocols}
\begin{center}
\includegraphics[scale=0.11]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.3025]{../pics/startstop.jpg}
\end{center}
\begin{itemize}
\item Other examples: Wifi, Http-request, TCP-request,
card readers, RFID (passports)\ldots\medskip\pause
\item The point is that we cannot control the network: An attacker
can install a packet sniffer, inject packets, modify packets,
replay messages\ldots{}fake pretty much everything.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Keyless Car Transponders}
\begin{center}
\includegraphics[scale=0.1]{../pics/keyfob.jpg}
\quad
\includegraphics[scale=0.27]{../pics/startstop.jpg}
\end{center}
\begin{itemize}
\item There are two security mechanisms: one remote central
locking system and one passive RFID tag (engine immobiliser).
\item How can I get in? How can thieves be kept out?
How to avoid MITM attacks?
\end{itemize}\medskip
\footnotesize
\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
\hfill a Vehicle Immobilizer
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Problems with Key Fobs}
\begin{columns}
\begin{column}[T]{4cm}
\includegraphics[scale=0.4]{../pics/car-standard.jpg}
\end{column}
\begin{column}[T]{6cm}\small
Circumventing the ignition protection:
\begin{itemize}
\item either dismantling Megamos crypto,
\item or use the diagnostic port to program
blank keys
\end{itemize}
\hspace{14mm}
\includegraphics[scale=0.16]{../pics/Dismantling_Megamos_Crypto.png}
\end{column}
\end{columns}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{HTTPS / GSM}
\begin{center}
\includegraphics[scale=0.25]{../pics/barclays.jpg}
\quad
\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
\end{center}
\begin{itemize}
\item I am sitting at Starbuck. How can I be sure I am really
visiting Barclays? I have no control of the access
point.
\item How can I achieve that a secret key is established in
order to encrypt my mobile conversation? I have no
control over the access points.
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{G20 Summit in 2009}
\begin{center}
\includegraphics[scale=0.1]{../pics/snowden.jpg}
\end{center}
\small
\begin{itemize}
\item Snowden documents reveal ``that during the G20
meetings\dots{}GCHQ used
`ground-breaking intelligence capabilities' to intercept
the communications of visiting delegations. This
included setting up internet cafes where they used an
email interception program and key-logging software to
spy on delegates' use of computers\ldots''
\item ``The G20 spying appears to have been organised for the
more mundane purpose of securing an advantage in
meetings.''
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}
\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}
\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}
\only<2>{
\begin{textblock}{3}(11,5)
\begin{bubble}[3.2cm]
SYNflood attacks:\medskip\\
\includegraphics[scale=0.4]{../pics/synflood.png}
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Protocols}
\mbox{}
\begin{tabular}{l}
{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\
\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
\end{tabular}
\begin{itemize}
\item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
\item<2-> indicates one ``protocol run'', or session, which specifies some
order in the communication
\item<2-> there can be several sessions in parallel (think of wifi routers)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Messages}
\mbox{}
\begin{tabular}{l}
{\Large \bl{$A\;\rightarrow\; B : msg$}}\\
\end{tabular}\bigskip
\begin{itemize}
\item Unencrypted: \bl{$msg$}
\item Random number (nonce): \bl{$N$}
\item Encrypted: \bl{$\{msg\}_K$}, \bl{$\{msg_1, msg_2\}_K$}, \bl{$\{\{msg\}_{K_1}\}_{K_2}$}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}
\begin{itemize}
\item starting a TCP connection between a client and a server
initiates the following three-way handshake protocol:
\end{itemize}
\begin{columns}[t]
\begin{column}{5cm}
\begin{minipage}[t]{4cm}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
\end{center}
\end{minipage}
\end{column}
\begin{column}{5cm}
\begin{tabular}[t]{rl}
Alice: & Hello server!\\
Server: & I heard you\\
Alice: & Thanks
\end{tabular}
\end{column}
\end{columns}
\begin{center}
\begin{tabular}{rl}
\bl{$A \rightarrow S$}: & \bl{SYN}\\
\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
\bl{$A \rightarrow S$}: & \bl{ACK}\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}
Ross Anderson and Roger Needham wrote:\bigskip
\begin{quote}\rm
A lot of the recorded frauds were the result of this kind of
blunder, or from management negligence pure and simple.
\alert{However,
there have been a significant number of cases where the designers
protected the right things, used cryptographic algorithms which were
not broken, and yet found that their systems were still successfully
attacked.}
\end{quote}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1-3>[c]
\frametitle{Oyster Cards}
\includegraphics[scale=0.4]{../pics/oysterc.jpg}
\begin{itemize}
\item good example of a bad protocol\\ (security by obscurity)\bigskip
\item<3-> {\it``Breaching security on Oyster cards should not
allow unauthorised use for more than a day, as TfL promises to turn
off any cloned cards within 24 hours\ldots''}
\end{itemize}
\only<2>{
\begin{textblock}{12}(0.5,0.5)
\begin{bubble}[11cm]\footnotesize
{\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip
The Mifare Classic is the most widely used contactless smartcard on the
market. The stream cipher CRYPTO1 used by the Classic has recently been
reverse engineered and serious attacks have been proposed. The most serious
of them retrieves a secret key in under a second. In order to clone a card,
previously proposed attacks require that the adversary either has access to
an eavesdropped communication session or executes a message-by-message
man-in-the-middle attack between the victim and a legitimate
reader. Although this is already disastrous from a cryptographic point of
view, system integrators maintain that these attacks cannot be performed
undetected.\smallskip
This paper proposes four attacks that can be executed by an adversary having
only wireless access to just a card (and not to a legitimate reader). The
most serious of them recovers a secret key in less than a second on ordinary
hardware. Besides the cryptographic weaknesses, we exploit other weaknesses
in the protocol stack. A vulnerability in the computation of parity bits
allows an adversary to establish a side channel. Another vulnerability
regarding nested authentications provides enough plaintext for a speedy
known-plaintext attack.\hfill{}(a paper from 2009)
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1->[t]
\frametitle{Another Example}
In an email from Ross Anderson\bigskip\small
\begin{tabular}{l}
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
Sender: cl-security-research-bounces@lists.cam.ac.uk\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Birmingham case\\
Date: Tue, 13 Aug 2013 15:13:17 +0100\\
\end{tabular}
\only<2>{
\begin{textblock}{12}(0.5,0.8)
\begin{bubble}[11cm]
\footnotesize
As you may know, Volkswagen got an injunction against the University of
Birmingham suppressing the publication of the design of a weak cipher
used in the remote key entry systems in its recent-model cars. The paper
is being given today at Usenix, minus the cipher design.\medskip
I've been contacted by Birmingham University's lawyers who seek to prove
that the cipher can be easily obtained anyway. They are looking for a
student who will download the firmware from any newish VW, disassemble
it and look for the cipher. They'd prefer this to be done by a student
rather than by a professor to emphasise how easy it is.\medskip
Volkswagen's argument was that the Birmingham people had reversed a
locksmithing tool produced by a company in Vietnam, and since their key
fob chip is claimed to be tamper-resistant, this must have involved a
corrupt insider at VW or at its supplier Thales. Birmingham's argument
is that this is nonsense as the cipher is easy to get hold of. Their
lawyers feel this argument would come better from an independent
outsider.\medskip
Let me know if you're interested in having a go, and I'll put you in
touch
Ross
\end{bubble}
\end{textblock}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Passwords:
\begin{center}
\bl{$B \rightarrow A: K_{AB}$}
\end{center}\pause\bigskip
Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the
identity of \bl{$B$}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication?}
\begin{center}
\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Simple Challenge Response:
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Authentication Protocols}
Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
Mutual Challenge Response:
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular}
\end{center}
%\pause
%An attacker \bl{$E$} can launch an impersonation attack by
%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her
%own challenges.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}
\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}\medskip
I can infer:
\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I send you my initial
message
\item if only you and me know the key, the message must have come from you
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}
The attack (let $A$ decrypt her own messages):
\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}\pause
\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Encryption to the Rescue?}
\begin{itemize}
\item \bl{$A \,\rightarrow\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
\item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
\item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
\end{itemize}\pause
means you need to send separate ``Hello'' signals (bad), or worse
share a single key between many entities
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \begin{frame}[c]
% \frametitle{Protocol Attacks}
% \begin{itemize}
% \item replay attacks
% \item reflection attacks
% \item man-in-the-middle attacks
% \item timing attacks
% \item parallel session attacks
% \item binding attacks (public key protocols)
% \item changing environment / changing assumptions\bigskip
% \item (social engineering attacks)
% \end{itemize}
% \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}
\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
explicitly limits liability to \$100.)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A Simple PK Protocol}
``Normal'' protocol run:\bigskip
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$}
\item \bl{$B$} sends public key to \bl{$A$}
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
with its private key
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
with its private key
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A Simple PK Protocol}
\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & \bl{$A \to B :$} & \bl{$K^{pub}_A$}\smallskip\\
2. & \bl{$B \to A :$} & \bl{$K^{pub}_B$}\smallskip\\
3. & \bl{$A \to B :$} & \bl{$\{A,m\}_{K^{pub}_B}$}\smallskip\\
4. & \bl{$B \to A :$} & \bl{$\{B,m'\}_{K^{pub}_A}$}
\end{tabular}
\end{center}\pause\bigskip
unfortunately there is a simple man-in-the- middle-attack
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Man-in-the-Middle}
Attack:
\begin{itemize}
\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key
\item similar for other direction
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A MITM Attack}
\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & \bl{$A \to E :$} & \bl{$K^{pub}_A$}\smallskip\\
2. & \bl{$E \to B :$} & \bl{$K^{pub}_E$}\smallskip\\
3. & \bl{$B \to E :$} & \bl{$K^{pub}_B$}\smallskip\\
4. & \bl{$E \to A :$} & \bl{$K^{pub}_E$}\smallskip\\
5. & \bl{$A \to E :$} & \bl{$\{A,m\}_{K^{pub}_E}$}\smallskip\\
6. & \bl{$E \to B :$} & \bl{$\{E,m\}_{K^{pub}_B}$}\smallskip\\
7. & \bl{$B \to E :$} & \bl{$\{B,m'\}_{K^{pub}_E}$}\smallskip\\
8. & \bl{$E \to A :$} & \bl{$\{E,m'\}_{K^{pub}_A}$}
\end{tabular}
\end{center}\pause\medskip
and \bl{$A$} and \bl{$B$} have no chance to detect it
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \begin{frame}[c]
% \frametitle{Man-in-the-Middle}
% Potential Prevention?
% \begin{itemize}
% \item \bl{$A$} sends public key to \bl{$B$}
% \item \bl{$B$} sends public key to \bl{$A$}
% \item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
% \item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
% \item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
% \item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
% \end{itemize}\pause
% %\bl{$C$} would have to invent a totally new message
% \alert{Under which circumstances does this protocol prevent
% MiM-attacks, or does it?}
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
A Man-in-the-middle attack in real life:
\begin{itemize}
\item the card only says yes to the terminal if the PIN is correct
\item trick the card in thinking transaction is verified by signature
\item trick the terminal in thinking the transaction was verified by PIN
\end{itemize}
\begin{minipage}{1.1\textwidth}
\begin{center}
\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}
\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}
\end{center}
\end{minipage}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \begin{frame}[c]
% \frametitle{Problems with EMV}
% \begin{itemize}
% \item it is a wrapper for many protocols
% \item specification by consensus (resulted unmanageable complexity)
% \item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
% further parts are secret
% \item other attacks have been found
% \end{itemize}
% \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \begin{frame}[c]
% \frametitle{Protocols are Difficult}
% \begin{itemize}
% \item even the systems designed by experts regularly fail\medskip
% \item the one who can fix a system should also be liable for the losses\medskip
% \item cryptography is often not the problem\bigskip\bigskip
% \end{itemize}
% \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Interlock Protocol}
The interlock protocol (``best bet'' against MITM):
\begin{center}
\begin{tabular}{ll@{\hspace{2mm}}l}
1. & \bl{$A \to B :$} & \bl{$K^{pub}_A$}\\
2. & \bl{$B \to A :$} & \bl{$K^{pub}_B$}\\
3. & & \bl{$\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$}\\
& & \bl{$\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$}\\
4. & \bl{$A \to B :$} & \bl{$H_1$}\\
5. & \bl{$B \to A :$} & \bl{$\{H_1, M_1\}_{K^{pub}_A}$}\\
6. & \bl{$A \to B :$} & \bl{$\{H_2, M_1\}_{K^{pub}_B}$}\\
7. & \bl{$B \to A :$} & \bl{$M_2$}
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Splitting Messages}
\begin{center}
$\underbrace{\texttt{\Grid{0X1peUVTGJK+H70mMjAM8p}}}_{\bl{\{A,m\}_{K^{pub}_B}}}$
\end{center}
\begin{center}
$\underbrace{\texttt{\Grid{0X1peUVTGJK}}}_{\bl{H_1}}$\quad
$\underbrace{\texttt{\Grid{+H70mMjAM8p}}}_{\bl{H_2}}$
\end{center}
\begin{itemize}
\item you can also use the even and odd bytes
\item the point is you cannot decrypt the halves, even if you
have the key
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{center}
\begin{tabular}{l@{\hspace{9mm}}l}
\begin{tabular}[t]{@{}l@{}}
\bl{$A \to C : K^{pub}_A$}\\
\bl{$C \to B : K^{pub}_C$}\\
\bl{$B \to C : K^{pub}_B$}\\
\bl{$C \to A : K^{pub}_C$}\medskip\\
\bl{$\{A,m\}_{K^{pub}_C} \;\mapsto\; H_1,H_2$}\\
\bl{$\{B,m'\}_{K^{pub}_C} \;\mapsto\; M_1,M_2$}\bigskip\\
\bl{$\{C,a\}_{K^{pub}_B} \;\mapsto\; C_1,C_2$}\\
\bl{$\{C,b\}_{K^{pub}_A} \;\mapsto\; D_1,D_2$}
\end{tabular} &
\begin{tabular}[t]{@{}l@{}}
\bl{$A \to C : H_1$}\\
\bl{$C \to B : C_1$}\\
\bl{$B \to C : \{C_1, M_1\}_{K^{pub}_C}$}\\
\bl{$C \to A : \{H_1, D_1\}_{K^{pub}_A}$}\\
\bl{$A \to C : \{H_2, D_1\}_{K^{pub}_C}$}\\
\bl{$C \to B : \{C_2, M_1\}_{K^{pub}_B}$}\\
\bl{$B \to C : M_2$}\\
\bl{$C \to A : D_2$}
\end{tabular}
\end{tabular}
\end{center}\pause
\footnotesize
\bl{$m$} = How is your grandmother? \bl{$m'$} = How is the
weather today in London?
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{itemize}
\item you have to ask something that cannot be imitated
(requires \bl{$A$} and \bl{$B$} know each other)
\item what happens if \bl{$m$} and \bl{$m'$} are voice
messages?\bigskip\pause
\item So \bl{$C$} can either leave the communication unchanged,
or invent a complete new conversation
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\begin{itemize}
\item the moral: establishing a secure connection from
``zero'' is almost impossible---you need to rely on some
established trust\medskip
\item that is why PKI relies on certificates, which however are
badly, badly realised
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Car Transponder (HiTag2)}
\begin{enumerate}
\item \bl{$C$} generates a random number \bl{$N$}
\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
\item \bl{$C \to T$}: \bl{$N, F$}
\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
\item \bl{$T$} checks that \bl{$F = F'$}
\item \bl{$T \to C$}: \bl{$N, G'$}
\item \bl{$C$} checks that \bl{$G = G'$}
\end{enumerate}\pause
\small
This process means that the transponder believes the car knows
the key \bl{$K$}, and the car believes the transponder knows
the key \bl{$K$}. They have authenticated themselves
to each other, or have they?
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Trusted Third Parties}
Simple protocol for establishing a secure connection via a
mutually trusted 3rd party (server):
\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
\bl{$S \rightarrow A :$} & \bl{$\{K_{AB}, \{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
\bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
\end{tabular}
\end{center}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{PKI: The Main Idea}
\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key
\bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody\medskip
\item certificates are time limited, and can be revoked
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
explicitly limits liability to \$100.)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{PKI: Chains of Trust}
\begin{center}
\begin{tikzpicture}[scale=1,
node/.style={
rectangle,rounded corners=3mm,
very thick,draw=black!50,minimum height=18mm, minimum width=23mm,
top color=white,bottom color=black!20}]
\node (A) at (0,0) [node] {};
\node [below right] at (A.north west)
{\small\begin{tabular}{@{}l}CA\\Root Cert.\end{tabular}};
\node (B) at (4,0) [node] {};
\node [below right=1mm] at (B.north west)
{\mbox{}\hspace{-1mm}\small
\begin{tabular}{@{}l}Subordinate\\ CA\end{tabular}};
\node (C) at (8,0) [node] {};
\node [below right] at (C.north west)
{\small\begin{tabular}{@{}l}Server\\ Bank.com\end{tabular}};
\draw [->,line width=4mm] (A) -- (B);
\draw [->,line width=4mm] (B) -- (C);
\node (D) at (6,-3) [node] {};
\node [below right] at (D.north west)
{\small\begin{tabular}{@{}l}Browser\\ Root Store\end{tabular}};
\node (E) at (2,-3) [node] {};
\node [below right] at (E.north west)
{\small\begin{tabular}{@{}l}Browser\\ Vendor\end{tabular}};
\draw [->,line width=4mm] (E) -- (D);
\end{tikzpicture}
\end{center}
\begin{itemize}
\item CAs make almost no money anymore, because of stiff
competition
\item browser companies are not really interested in security;
only in market share
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{PKI: Weaknesses}
CAs just cannot win (make any profit):\medskip
\begin{itemize}
\item there are hundreds of CAs, which issue millions of
certificates and the error rate is small
\item users (servers) do not want to pay or pay as little as
possible\bigskip
\item a CA can issue a certificate for any domain not needing
any permission (CAs are meant to undergo audits,
but\ldots DigiNotar)
\item if a CA has issued many certificates, it ``becomes too
big to fail''
\item Can we be sure CAs are not just frontends of some
government organisation?
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{PKI: Weaknesses}
\begin{itemize}
\item many certificates are issued via Whois, whether you own
the domain\ldots if you hijacked a domain, it is easy to
obtain certificates\medskip
\item the revocation mechanism does not work (Chrome has given
up on general revocation lists)\medskip
\item lax approach to validation of certificates
(Have you ever bypassed certification warnings?)\medskip
\item sometimes you want to actually install invalid
certificates (self-signed)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{PKI: Attacks}
\begin{itemize}
\item Go directly after root certificates
\begin{itemize}
\item governments can demand private keys\smallskip
\item 10 years ago it was estimated that breaking a 1024 bit
key takes one year and costs 10 - 30 Mio \$; this is now
reduced to 1 Mio \$
\end{itemize}
\item Go after buggy implementations of certificate
validation\smallskip
\item Social Engineering
\begin{itemize}
\item in 2001 somebody pretended to be
from Microsoft and asked for two code-signing
certificates
\end{itemize}\bigskip
\end{itemize}
\small The eco-system is completely broken (it relies on
thousands of entities to do the right thing). Maybe DNSSEC
where keys can be attached to domain names is a way out.
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Real Attacks}
\begin{itemize}
\item In 2011, DigiNotar (Dutch company) was the first CA that
got compromised comprehensively, and where many
fraudulent certificates were issued to the wild. It
included approximately 300,000 IP addresses, mostly
located in Iran. The attackers (in Iran?) were likely
interested ``only'' in collecting gmail passwords.\medskip
\item The Flame malware piggy-bagged on this attack by
advertising malicious Windows updates to some targeted
systems (mostly in Iran, Israel, Sudan).
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{PKI is Broken}
\begin{itemize}
\item PKI and certificates are meant to protect you against
MITM attacks, but if the attack occurs your are
presented with a warning and you need to decide whether
you are under attack.\medskip
\item Webcontent gets often loaded from 3rd-party servers,
which might not be secured\medskip
\item Misaligned incentives: browser vendors are not
interested in breaking webpages with invalid
certificates
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
Why are there so many invalid certificates?\bigskip
\begin{itemize}
\item insufficient name coverage (www.example.com should
include example.com)
\item IoT: many appliances have web-based admin interfaces;
the manufacturer cannot know under which IP and domain name
the appliances are run (so cannot install a valid certificate)
\item expired certificates, or incomplete chains of trust
(servers are supposed to supply them)
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\begin{frame}[c]
%\frametitle{Best Practices}
%
%{\bf Principle 1:} Every message should say what it means: the
%interpretation of a message should not depend on the
%context.\bigskip\pause
%
%{\bf Principle 2:} If the identity of a principal is essential
%to the meaning of a message, it is prudent to mention the
%principal’s name explicitly in the message (though
%difficult).\bigskip
%
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\begin{frame}[c]
%\frametitle{Best Practices}
%
%{\bf Principle 3:} Be clear about why encryption is being
%done. Encryption is not wholly cheap, and not asking precisely
%why it is being done can lead to redundancy. Encryption is not
%synonymous with security.
%
%
%\small
%\begin{center}
%Possible Uses of Encryption
%
%
%\begin{itemize}
%\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
%\item Guarantee authenticity: The partner is indeed some particular principal.
%\item Guarantee confidentiality and authenticity: binds two parts of a message ---
%\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
%\end{itemize}
%\end{center}
%
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\begin{frame}[c]
%\frametitle{Best Practices}
%
%{\bf Principle 4:} The protocol designers should know which
%trust relations their protocol depends on, and why the
%dependence is necessary. The reasons for particular trust
%relations being acceptable should be explicit though they will
%be founded on judgment and policy rather than on
%logic.\bigskip
%
%
%Example Certification Authorities: CAs are trusted to certify
%a key only after proper steps have been taken to identify the
%principal that owns it.
%
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\begin{frame}[c]
%\frametitle{Formal Methods}
%
%Ross Anderson about the use of Logic:\bigskip
%
%\begin{quote}
%Formal methods can be an excellent way of finding
%bugs in security protocol designs as they force the designer
%to make everything explicit and thus confront difficult design
%choices that might otherwise be fudged.
%\end{quote}
%
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: