\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usetikzlibrary{arrows}
\usetikzlibrary{shapes}

\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

\hfuzz=220pt 

% beamer stuff 
\renewcommand{\slidecaption}{APP 04, King's College London}
\newcommand{\bl}[1]{\textcolor{blue}{#1}}  

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (4)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also home work is there)\\
  \end{tabular}
  \end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Survey: Thanks!}
\small

\begin{itemize}
\item ``Would be good, if you provide more detailed explanations. I feel 
your slides are not as structured as they could be.''
\item ``Please consider reference book chapters to cover core subject
areas.''\pause
\item ``The homework questions don't come directly from the 
slides. So must go look things up.''
\item ``Could you please put the homework answers online, perhaps
just before the exam. That's late enough where we should have done
it and if not, we're screwed already then.''
\item ``Could you provide a brief basic answers to sheets for reference
and not to be relied on.''
\end{itemize}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.45]{../pics/trainwreck.jpg}\\
last week: buffer overflow attacks
\end{center}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Wifi Router, BOA}
\small

As a proof-of-concept, the following URL allows 
attackers to control the return value saved on 
the stack (the vulnerability is triggered when
executing \pcode{"/usr/sbin/widget"}):

\begin{center}\footnotesize 
\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
\end{center}

The value of the "hash" HTTP GET parameter consists of
292 occurrences of the \pcode{'A'} character, followed by four 
occurrences of character \pcode{'B'}. In our lab setup, characters 
\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip


\begin{tabular}{@{}ll}
Discovery date: & 06/03/2013\\
Release date:   & 02/08/2013
\end{tabular}\bigskip


\footnotesize
\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} 
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Backdoors}

D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip

\begin{quote}\rm\small
If you tell your browser to identify itself as Joel's backdoor, instead of (say) 
as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
  
"What is this string," I hear you ask?

You will laugh: it is\pause 

\begin{center}\large
\pcode{xmlset_roodkcableoj28840ybtide}
\end{center}
\end{quote}\bigskip\bigskip

\hfill\footnotesize October 15, 2013\\
\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]

CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip

\begin{quote}\rm\small
Hi,

we just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:

\begin{itemize}
\item Put an executable file named \pcode{update} with non-root owner in 
\pcode{/tmp} (not mounted noexec, obviously)
\item Run chkrootkit (as uid \pcode{0})
\end{itemize}

Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
easily take advantage of this.
\end{quote}
\mbox{}\\[-10mm]

\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix}

\begin{itemize}
\item access control provided by the OS
\item authenticate principals
\item mediate access to files, ports, processes etc according to
  \alert{roles} (user ids)\\
\item roles get attached with privileges\bigskip\\

\hspace{8mm}
\begin{bubble}[8cm]
\alert{principle of least privilege:}\\
users and programs should only have as much privilege as they need to
accomplish a task
\end{bubble}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}


\begin{itemize}
\item privileges are specified by file access permissions (``everything is a file'')\medskip 
\item there are 9 (plus 2) bits that specify the permissions of a file

\begin{center}
\begin{tabular}{l}
\texttt{\$ ls -la}\\
\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
\end{tabular}
\end{center}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Login Process}


\begin{itemize}
\item login processes run under UID $=$ \pcode{0}\medskip 
\begin{center}
\texttt{ps -axl | grep login}
\end{center}\medskip

\item after login, shells run under UID $=$ user (e.g.~501)\medskip
\begin{center}
\texttt{id cu}
\end{center}\medskip\pause

\item non-root users are not allowed to change the UID --- would break 
access control
\item but needed for example for accessing \texttt{passwd}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Setuid and Setgid}

The solution is that Unix file permissions are 9 + \underline{2 Bits}:
\alert{Setuid} and \alert{Setgid} bits

\begin{itemize}
\item When a file with setuid is executed, the resulting process will
  assume the UID given to the \underline{owner} of the file.
\item This enables users to create processes as root (or another
  user).\bigskip

\item Essential for changing passwords, for example.
\end{itemize}

\begin{center}
\texttt{chmod 4755 fobar\_file}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}

\begin{itemize}
\item Access to objects (files, directories, devices, etc.) is
permitted based on user identity. Each object is owned by a
user. Owners can specify freely (at their discretion) how they want to
share their objects with other users, by specifying which other users
can have which form of access to their objects.\medskip

\item Discretionary access control is implemented on any modern multi-user
OS (Unix, Windows NT, etc.).
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Mandatory Access Control}

\begin{itemize}
\item Access to objects is controlled by a system-wide policy, for
  example to prevent certain flows of information. In some forms, the
  system maintains security labels for both objects and subjects
  (processes, users) based on which access is granted or
  denied. Labels can change as the result of an access. Security
  policies are enforced without the cooperation of users or
  programs.\medskip

\item This is implemented in banking or military operating system 
  versions (SELinux).
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Discretionary Access Control}

In its most generic form usually given by an \alert{Access Control
  Matrix} of the form

\begin{center}
\begin{tabular}{r|c|c|c}
                 & /mail/jane & edit.exe & postfix \\\hline
jane          & r, w & r, x & r, x\\\hline
john          & $\varnothing$ & r, w, x&  r, x\\\hline
postfix  & a & $\varnothing$ &  r, x\\
\end{tabular}
\end{center}

access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\small

\lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst}


\begin{center}
\begin{tabular}{@{\hspace{-24mm}}ll}
members of group staff: & ping, bob, emma\\ 
members of group students: & emma\\
\end{tabular}
\end{center}

\begin{center}
\begin{tabular}{@{\hspace{-7mm}}r|c|c|c|c|c@{}}
        & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
ping & & & & &\\\hline
bob & & & & &\\\hline
emma   & & & & &\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mandatory Access Control}
\small

\begin{itemize}
\item Restrictions to allowed information flows are not decided at the
  user's discretion (as with Unix \pcode{chmod}), but instead enforced
  by system policies.

\item Mandatory access control mechanisms are aimed in particular at
  preventing policy violations by untrusted programs, which typically
  have at least the same access privileges as the invoking
  user.\medskip\pause

Simple example: Air Gap Security. Uses a completely separate network
and computer hardware for different application classes.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{The Bell-LaPadula Model}
\small

\begin{itemize}
\item Formal policy model for mandatory access control in a military
  multi-level security environment. All subjects (processes, users,
  terminals, files, windows, connections) are labeled
  with a confidentiality level, e.g.
\begin{center}
unclassified < confidential < secret < top secret
\end{center}\medskip

\item The system policy automatically prevents the flow of information
  from high-level objects to lower levels. A process that reads top
  secret data becomes tagged as top secret by the operating system, as
  will be all files into which it writes afterwards.
%Each user has a maximum allowed confidentiality level specified and
%cannot receive data beyond that level. A selected set of trusted
%subjects is allowed to bypass the restrictions, in order to permit
%the declassification of information.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[c]
  \frametitle{Bell-LaPadula}
  \small
  
  \begin{itemize}
  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
  \bl{$P$}'s security level is at least as high as \bl{$O$}'s.
  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
  \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip

  \item Meta-Rule: All principals in a system should have a sufficiently high security level
  in order to access an object.
  \end{itemize}\bigskip

  This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause

  Bell-LaPadula: {\bf `no read up'} - {\bf `no write down'}

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[c]
  \frametitle{\begin{tabular}{c}Principle of\\[-2mm] Least Privilege\end{tabular}}
  
  \begin{bubble}[10cm]
  A principal should have as few privileges as possible to access a resource.
  \end{bubble}\bigskip\bigskip
  \small

  \begin{itemize}
  \item Bob ($T\!S$) and Alice ($S$) want to communicate
  \item[] $\Rightarrow$ Bob should lower his security level
  \end{itemize}

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[c]
  \frametitle{Biba Policy}
  \small
  
  Data Integrity (rather than data confidentiality)

  \begin{itemize}
  \item Biba: {\bf `no read down'} - {\bf `no write up'}
  \item \alert{Read Rule}: A principal \bl{$P$} can read an object \bl{$O$} if and only if
  \bl{$P$}'s security level is lower or equal than \bl{$O$}'s.
  \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if
  \bl{$O$}'s security level is lower or equal than \bl{$P$}'s.
  \end{itemize}\bigskip\bigskip\pause

  E.g.~Firewalls: you can read from inside the firewall, but not from outside\\
  Phishing: you can look at an approved PDF, but not one from a random email\\

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Security Levels (2)}

\begin{itemize}
\item Bell-La Padula preserves data secrecy, but not data
  integrity\bigskip\pause

\item Biba model is for data integrity  

\begin{itemize}
\item read: your own level and above
\item write: your own level and below
\end{itemize}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Shared Access Control}

\begin{center}
\includegraphics[scale=0.7]{../pics/pointsplane.jpg}
\end{center}

\begin{textblock}{11}(10.5,10.5)
\small
To take an action you\\[-1mm] 
need at least either:
\begin{itemize}
\item 1 CEO\\[-5mm]
\item 2 MDs, or\\[-5mm]
\item 3 Ds
\end{itemize}
\end{textblock}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Lessons from Access Control}

Not just restricted to Unix:

\begin{itemize}
\item if you have too many roles (i.e.~too finegrained AC), then 
	hierarchy is too complex\\
	\textcolor{gray}{you invite situations like\ldots lets be root}\bigskip

\item you can still abuse the system\ldots\bigskip\pause

\item 
  policies (a finite system)\\
  computer system (infinite)\medskip\\
Q: Does your policy ensure that a tainted file cannot affect your
core system files?

\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}[t]
  \frametitle{Protocols}
 
\mbox{} 
  
\begin{tabular}{l}
{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\
\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\
\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
\end{tabular}  
  
 \begin{itemize}
 \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
 but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
\item<2-> indicates one ``protocol run'', or session,  which specifies some 
order in the communication
\item<2-> there can be several sessions in parallel (think of wifi routers) 
\end{itemize} 
  
  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}

Ross Anderson and Roger Needham wrote:\bigskip

\begin{quote}\rm
\alert{A lot of the recorded frauds were the result of this kind of
  blunder, or from management negligence pure and simple.} However,
there have been a significant number of cases where the designers
protected the right things, used cryptographic algorithms which were
not broken, and yet found that their systems were still successfully
attacked.
\end{quote}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \begin{frame}<1-3>[c]
  \frametitle{Oyster Cards}

  \includegraphics[scale=0.4]{../pics/oysterc.jpg}

  \begin{itemize}
  \item good example of a bad protocol\\ (security by obscurity)\bigskip
  \item<3->  ``Breaching security on Oyster cards should not 
  allow unauthorised use for more than a day, as TfL promises to turn 
  off any cloned cards within 24 hours\ldots''
  \end{itemize}

  \only<2>{
  \begin{textblock}{12}(0.5,0.5)
  \begin{bubble}[11cm]\footnotesize
  {\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip

  The Mifare Classic is the most widely used contactless smartcard on the
  market. The stream cipher CRYPTO1 used by the Classic has recently been
  reverse engineered and serious attacks have been proposed. The most serious
  of them retrieves a secret key in under a second. In order to clone a card,
  previously proposed attacks require that the adversary either has access to
  an eavesdropped communication session or executes a message-by-message
  man-in-the-middle attack between the victim and a legitimate
  reader. Although this is already disastrous from a cryptographic point of
  view, system integrators maintain that these attacks cannot be performed
  undetected.\smallskip

  This paper proposes four attacks that can be executed by an adversary having
  only wireless access to just a card (and not to a legitimate reader). The
  most serious of them recovers a secret key in less than a second on ordinary
  hardware. Besides the cryptographic weaknesses, we exploit other weaknesses
  in the protocol stack. A vulnerability in the computation of parity bits
  allows an adversary to establish a side channel. Another vulnerability
  regarding nested authentications provides enough plaintext for a speedy
  known-plaintext attack.\hfill{}(a paper from 2009)
  \end{bubble}
  \end{textblock}}

  \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}<1->[t]
\frametitle{Another Example}

In an email from Ross Anderson\bigskip\small	

\begin{tabular}{l}
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
Sender: cl-security-research-bounces@lists.cam.ac.uk\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Birmingham case\\
Date: Tue, 13 Aug 2013 15:13:17 +0100\\
\end{tabular}


\only<2>{
\begin{textblock}{12}(0.5,0.8)
\begin{bubble}[11cm]
\footnotesize
As you may know, Volkswagen got an injunction against the University of
Birmingham suppressing the publication of the design of a weak cipher
used in the remote key entry systems in its recent-model cars. The paper
is being given today at Usenix, minus the cipher design.\medskip

I've been contacted by Birmingham University's lawyers who seek to prove
that the cipher can be easily obtained anyway. They are looking for a
student who will download the firmware from any newish VW, disassemble
it and look for the cipher. They'd prefer this to be done by a student
rather than by a professor to emphasise how easy it is.\medskip

Volkswagen's argument was that the Birmingham people had reversed a
locksmithing tool produced by a company in Vietnam, and since their key
fob chip is claimed to be tamper-resistant, this must have involved a
corrupt insider at VW or at its supplier Thales. Birmingham's argument
is that this is nonsense as the cipher is easy to get hold of. Their
lawyers feel this argument would come better from an independent
outsider.\medskip

Let me know if you're interested in having a go, and I'll put you in
touch

Ross
\end{bubble}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Cryptographic Protocol Failures}

Ross Anderson and Roger Needham wrote:\bigskip

\begin{quote}\rm
A lot of the recorded frauds were the result of this kind of blunder,
or from management negligence pure and simple. \alert{However, there
  have been a significant number of cases where the designers
  protected the right things, used cryptographic algorithms which were
  not broken, and yet found that their systems were still successfully
  attacked.}
\end{quote}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}


Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Passwords:

\begin{center}
\bl{$B \rightarrow A: K_{AB}$} 
\end{center}\pause\bigskip

Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the
identity of \bl{$B$}  

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Simple Challenge Response:

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\
\end{tabular} 
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Authentication Protocols}

Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip

Mutual Challenge Response:

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
\end{tabular} 
\end{center}

%\pause
%An attacker \bl{$E$} can launch an impersonation attack by
%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her
%own challenges.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Nonces}

\begin{enumerate}
\item I generate a nonce (random number) and send it to you encrypted with a key we share
\item you increase it by one, encrypt it under a key I know and send
it back to me
\end{enumerate}


I can infer:

\begin{itemize}
\item you must have received my message
\item you could only have generated your answer after I send you my initial
message
\item if only you and me know the key, the message must have come from you
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow B$:} & \bl{$N_A$}\\  
\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{ab}}$}\\
\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
\end{tabular}
\end{center}

The attack (let $A$ decrypt her own messages):

\begin{center}
\begin{tabular}{ll}
\bl{$A \rightarrow E$:} & \bl{$N_A$}\\ 
\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\ 
\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
\end{tabular}
\end{center}\pause

\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \mode<presentation>{
  \begin{frame}[c]
  \frametitle{Encryption to the Rescue?}


 \begin{itemize}
 \item \bl{$A \,\rightarrow\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip 
 \item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
 \item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
 \end{itemize}\pause
 
means you need to send separate ``Hello'' signals (bad), or worse 
share a single key between many entities
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocol Attacks}

\begin{itemize}
\item replay attacks
\item reflection attacks
\item man-in-the-middle attacks
\item timing attacks
\item parallel session attacks
\item binding attacks (public key protocols)
\item changing environment / changing assumptions\bigskip

\item (social engineering attacks)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
explicitly limits liability to \$100.)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

``Normal'' protocol run:\bigskip

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
with its private key
\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
with its private key
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Attack:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}  --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$B$} sends public key  to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
with its private key, re-encrypts with \bl{$B$}'s public key 
\item similar for other direction
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Person-in-the-Middle}

Prevention:

\begin{itemize}
\item \bl{$A$} sends public key  to \bl{$B$}
\item \bl{$B$} sends public key  to \bl{$A$}
\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
\end{itemize}\pause

\bl{$C$} would have to invent a totally new message

\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Public-Key Infrastructure}

\begin{itemize}
\item the idea is to have a certificate authority (CA)
\item you go to the CA to identify yourself
\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
\item CA must be trusted by everybody
\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
explicitly limits liability to \$100.)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
  
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Binding Attacks}

with public-private keys it is important that the public key is \alert{bound} 
to the right owner (verified by a certification authority \bl{$CA$})

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\bigskip

\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Binding Attacks}

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
\end{tabular}
\end{center}\pause

\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
(which happily decrypts them with its private key)

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Replay Attacks}

Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: 

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
\bl{$K_{AB}$} and know that the other principal has the key

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\begin{tabular}{l}
\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
\end{tabular}
\end{center}\pause

\bl{$B$} believes it is following the correct protocol,
intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
talks to \bl{$B$} masquerading as \bl{$A$}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Time-Stamps}

The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):

\begin{center}
\begin{tabular}{r@ {\hspace{1mm}}l}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\bigskip\pause

but nothing is for free: then you need to synchronise time and possibly become a victim to
timing attacks

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

A Man-in-the-middle attack in real life:

\begin{itemize}
\item the card only says yes to the terminal if the PIN is correct
\item trick the card in thinking transaction is verified by signature
\item trick the terminal in thinking the transaction was verified by PIN
\end{itemize}

\begin{minipage}{1.1\textwidth}
\begin{center}
\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}
\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}
\end{center}
\end{minipage}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Problems with EMV}

\begin{itemize}
\item it is a wrapper for many protocols
\item specification by consensus (resulted unmanageable complexity)
\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some 
further parts are secret
\item other attacks have been found
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}}

\begin{itemize}
\item a standard ratified in 1999
\item the protocol was designed by a committee not including cryptographers
\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
\item WEP did not allocate enough bits for the nonce
\item for authenticating packets it used CRC checksum which can be easily broken
\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
\item encryption was turned off by default
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Protocols are Difficult}

\begin{itemize}
\item even the systems designed by experts regularly fail\medskip
\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
\item the one who can fix a system should also be liable for the losses\medskip
\item cryptography is often not {\bf the} answer\bigskip\bigskip  
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 1:} Every message should say what it means: the interpretation of 
a message should not depend on the context.\bigskip\pause

{\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent 
to mention the principal’s name explicitly in the message (though difficult).\bigskip


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

{\bf Principle 3:} Be clear about why encryption is being
done. Encryption is not cheap, and not asking precisely why it is
being done can lead to redundancy. Encryption is not synonymous with
security.

\begin{center}
Possible Uses of Encryption

\begin{itemize}
\item Preservation of confidentiality: \bl{$\{X\}_K$} only those that have \bl{$K$} may recover \bl{$X$}.
\item Guarantee authenticity: The partner is indeed some particular principal.
\item Guarantee confidentiality and authenticity: binds two parts of a message --- 
\bl{$\{X,Y\}_K$} is not the same as \bl{$\{X\}_K$} and \bl{$\{Y\}_K$}.
\end{itemize}
\end{center}



\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Best Practices}

{\bf Principle 4:} The protocol designer should know which trust relations his protocol depends on, and why the dependence is necessary. The reasons for particular trust relations being acceptable should be explicit though they will be founded on judgment and policy rather than on logic.\bigskip


Example Certification Authorities: CAs are trusted to certify a key only after proper steps 
have been taken to identify the principal that owns it.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: