diff -r 73ca7e916739 -r 337a8f5cb1ad slides/slides05.tex --- a/slides/slides05.tex Fri Oct 21 21:15:47 2016 +0100 +++ b/slides/slides05.tex Wed Oct 26 00:52:18 2016 +0100 @@ -42,6 +42,53 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] +\frametitle{Protocols} + +\begin{center} +\includegraphics[scale=0.11]{../pics/keyfob.jpg} +\quad +\includegraphics[scale=0.3025]{../pics/startstop.jpg} +\end{center} + +\begin{itemize} +\item Other examples: Wifi, Http-request, TCP-request, +card readers, RFID (passports)\ldots\medskip\pause + +\item The point is that we cannot control the network: An attacker +can install a packet sniffer, inject packets, modify packets, +replay messages\ldots{}fake pretty much everything. +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Keyless Car Transponders} + +\begin{center} +\includegraphics[scale=0.1]{../pics/keyfob.jpg} +\quad +\includegraphics[scale=0.27]{../pics/startstop.jpg} +\end{center} + +\begin{itemize} +\item There are two security mechanisms: one remote central +locking system and one passive RFID tag (engine immobiliser). +\item How can I get in? How can thieves be kept out? +How to avoid MITM attacks? +\end{itemize}\medskip + +\footnotesize +\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\ +\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\ +\hfill a Vehicle Immobilizer + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] \frametitle{Problems with Key Fobs} \begin{columns} 
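Review bot: The `\footnotesize` before the paper references in the new Keyless Car Transponders frame is an unscoped font switch, and the three `\hfill … \\` lines fake right alignment with hard line breaks; a grouped `\begin{flushright}\footnotesize Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\ Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer\end{flushright}` gives the same layout without leaking the size change or relying on `\\` in body text. In the new Protocols frame the examples mix capitalisation and wording, `Wifi, Http-request, TCP-request`; `Wi-Fi, HTTP requests, TCP connections` reads as these names usually appear. The attacker-capability bullet (sniff, inject, modify, replay) is the key point of that slide and is the assumption every later protocol slide relies on, so it may be worth saying so explicitly, e.g. appending `--- this is the attacker model we assume from now on`. The Problems with Key Fobs frame at the end of the hunk continues outside it.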
@@ -63,53 +110,31 @@ \end{column} \end{columns} - - \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Nonces} +\frametitle{HTTPS / GSM} -\begin{enumerate} -\item I generate a nonce (random number) and send it to you encrypted with a key we share -\item you increase it by one, encrypt it under a key I know and send -it back to me -\end{enumerate} - - -I can infer: +\begin{center} +\includegraphics[scale=0.25]{../pics/barclays.jpg} +\quad +\includegraphics[scale=0.25]{../pics/phone-signal.jpg} +\end{center} \begin{itemize} -\item you must have received my message -\item you could only have generated your answer after I have - sent you my initial message -\item if only you and me know the key, the message must have come from you +\item I am sitting at Starbuck. How can I be sure I am really + visiting Barclays? I have no control of the access + point. +\item How can I achieve that a secret key is established in + order to encrypt my mobile conversation? I have no + control over the access points. \end{itemize} \end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{Protocols} - -\begin{center} -\includegraphics[scale=0.11]{../pics/keyfob.jpg} -\quad -\includegraphics[scale=0.232]{../pics/starbucks.jpg} -\end{center} - -\begin{itemize} -\item The point is that we have no control over the network - -\item We want to avoid that a message exchange (a protocol) can -be attacked without detection -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] 
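Review bot: `Starbuck` in the first bullet of the new HTTPS / GSM frame is a typo for `Starbucks`, and the sentence after it should read `I have no control over the access point.` to match the wording of the second bullet. The second bullet, `How can I achieve that a secret key is established in order to encrypt my mobile conversation?`, is awkward; `How can a secret key be established so that my mobile conversation is encrypted?` says the same more directly, and in the GSM case the element the phone cannot control is the base station rather than an access point. The frame opened by the last context line of the hunk continues outside it.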
@@ -139,6 +164,518 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] +\frametitle{Handshakes} + +\begin{itemize} +\item starting a TCP connection between a client and a server +initiates the following three-way handshake protocol: +\end{itemize} + +\begin{columns}[t] +\begin{column}{5cm} +\begin{minipage}[t]{4cm} +\begin{center} +\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}} +\end{center} +\end{minipage} +\end{column} +\begin{column}{5cm} +\begin{tabular}[t]{rl} +Alice: & Hello server!\\ +Server: & I heard you\\ +Alice: & Thanks +\end{tabular} +\end{column} +\end{columns} + +\only<2>{ +\begin{textblock}{3}(11,5) +\begin{bubble}[3.2cm] +SYNflood attacks:\medskip\\ +\includegraphics[scale=0.4]{../pics/synflood.png} +\end{bubble} +\end{textblock}} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \begin{frame}[t] + \frametitle{Protocols} + +\mbox{} + +\begin{tabular}{l} +{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\ +\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\ +\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip +\end{tabular} + + \begin{itemize} + \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\ + but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip +\item<2-> indicates one ``protocol run'', or session, which specifies some +order in the communication +\item<2-> there can be several sessions in parallel (think of wifi routers) +\end{itemize} + + \end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Handshakes} + +\begin{itemize} +\item starting a TCP connection between a client and a server +initiates the following three-way handshake protocol: +\end{itemize} + +\begin{columns}[t] 
+\begin{column}{5cm} +\begin{minipage}[t]{4cm} +\begin{center} +\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}} +\end{center} +\end{minipage} +\end{column} +\begin{column}{5cm} +\begin{tabular}[t]{rl} +Alice: & Hello server!\\ +Server: & I heard you\\ +Alice: & Thanks +\end{tabular} +\end{column} +\end{columns} + +\begin{center} +\begin{tabular}{rl} +\bl{$A \rightarrow S$}: & \bl{SYN}\\ +\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\ +\bl{$A \rightarrow S$}: & \bl{ACK}\\ +\end{tabular} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{\Large Cryptographic Protocol Failures} + +Ross Anderson and Roger Needham wrote:\bigskip + +\begin{quote}\rm +A lot of the recorded frauds were the result of this kind of + blunder, or from management negligence pure and simple. + \alert{However, +there have been a significant number of cases where the designers +protected the right things, used cryptographic algorithms which were +not broken, and yet found that their systems were still successfully +attacked.} +\end{quote} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \begin{frame}<1-3>[c] + \frametitle{Oyster Cards} + + \includegraphics[scale=0.4]{../pics/oysterc.jpg} + + \begin{itemize} + \item good example of a bad protocol\\ (security by obscurity)\bigskip + \item<3-> {\it``Breaching security on Oyster cards should not + allow unauthorised use for more than a day, as TfL promises to turn + off any cloned cards within 24 hours\ldots''} + \end{itemize} + + \only<2>{ + \begin{textblock}{12}(0.5,0.5) + \begin{bubble}[11cm]\footnotesize + {\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip + + The Mifare Classic is the most widely used contactless smartcard on the + market. 
The stream cipher CRYPTO1 used by the Classic has recently been + reverse engineered and serious attacks have been proposed. The most serious + of them retrieves a secret key in under a second. In order to clone a card, + previously proposed attacks require that the adversary either has access to + an eavesdropped communication session or executes a message-by-message + man-in-the-middle attack between the victim and a legitimate + reader. Although this is already disastrous from a cryptographic point of + view, system integrators maintain that these attacks cannot be performed + undetected.\smallskip + + This paper proposes four attacks that can be executed by an adversary having + only wireless access to just a card (and not to a legitimate reader). The + most serious of them recovers a secret key in less than a second on ordinary + hardware. Besides the cryptographic weaknesses, we exploit other weaknesses + in the protocol stack. A vulnerability in the computation of parity bits + allows an adversary to establish a side channel. 
Another vulnerability + regarding nested authentications provides enough plaintext for a speedy + known-plaintext attack.\hfill{}(a paper from 2009) + \end{bubble} + \end{textblock}} + + \end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}<1->[t] +\frametitle{Another Example} + +In an email from Ross Anderson\bigskip\small + +\begin{tabular}{l} +From: Ross Anderson \\ +Sender: cl-security-research-bounces@lists.cam.ac.uk\\ +To: cl-security-research@lists.cam.ac.uk\\ +Subject: Birmingham case\\ +Date: Tue, 13 Aug 2013 15:13:17 +0100\\ +\end{tabular} + + +\only<2>{ +\begin{textblock}{12}(0.5,0.8) +\begin{bubble}[11cm] +\footnotesize +As you may know, Volkswagen got an injunction against the University of +Birmingham suppressing the publication of the design of a weak cipher +used in the remote key entry systems in its recent-model cars. The paper +is being given today at Usenix, minus the cipher design.\medskip + +I've been contacted by Birmingham University's lawyers who seek to prove +that the cipher can be easily obtained anyway. They are looking for a +student who will download the firmware from any newish VW, disassemble +it and look for the cipher. They'd prefer this to be done by a student +rather than by a professor to emphasise how easy it is.\medskip + +Volkswagen's argument was that the Birmingham people had reversed a +locksmithing tool produced by a company in Vietnam, and since their key +fob chip is claimed to be tamper-resistant, this must have involved a +corrupt insider at VW or at its supplier Thales. Birmingham's argument +is that this is nonsense as the cipher is easy to get hold of. 
Their +lawyers feel this argument would come better from an independent +outsider.\medskip + +Let me know if you're interested in having a go, and I'll put you in +touch + +Ross +\end{bubble} +\end{textblock}} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Authentication Protocols} + + +Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip + +Passwords: + +\begin{center} +\bl{$B \rightarrow A: K_{AB}$} +\end{center}\pause\bigskip + +Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the +identity of \bl{$B$} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Authentication?} + +\begin{center} +\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Authentication Protocols} + +Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip + +Simple Challenge Response: + +\begin{center} +\begin{tabular}{ll} +\bl{$A \rightarrow B:$} & \bl{$N$}\\ +\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\ +\end{tabular} +\end{center} + + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Authentication Protocols} + +Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip + +Mutual Challenge Response: + +\begin{center} +\begin{tabular}{ll} +\bl{$A \rightarrow B:$} & \bl{$N_A$}\\ +\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\ +\bl{$A \rightarrow B:$} & \bl{$N_B$}\\ +\end{tabular} 
+\end{center} + +%\pause +%An attacker \bl{$E$} can launch an impersonation attack by +%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her +%own challenges. + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Nonces} + +\begin{enumerate} +\item I generate a nonce (random number) and send it to you encrypted with a key we share +\item you increase it by one, encrypt it under a key I know and send +it back to me +\end{enumerate}\medskip + + +I can infer: + +\begin{itemize} +\item you must have received my message +\item you could only have generated your answer after I send you my initial +message +\item if only you and me know the key, the message must have come from you +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] + +\begin{center} +\begin{tabular}{ll} +\bl{$A \rightarrow B$:} & \bl{$N_A$}\\ +\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\ +\bl{$A \rightarrow B$:} & \bl{$N_B$}\\ +\end{tabular} +\end{center} + +The attack (let $A$ decrypt her own messages): + +\begin{center} +\begin{tabular}{ll} +\bl{$A \rightarrow E$:} & \bl{$N_A$}\\ +\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\ +\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\ +\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\ +\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\ +\end{tabular} +\end{center}\pause + +\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Encryption to the Rescue?} + + + \begin{itemize} + \item \bl{$A \,\rightarrow\, B 
: \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip + \item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip + \item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip + \end{itemize}\pause + +means you need to send separate ``Hello'' signals (bad), or worse +share a single key between many entities +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Protocol Attacks} + +\begin{itemize} +\item replay attacks +\item reflection attacks +\item man-in-the-middle attacks +\item timing attacks +\item parallel session attacks +\item binding attacks (public key protocols) +\item changing environment / changing assumptions\bigskip + +\item (social engineering attacks) +\end{itemize} +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Public-Key Infrastructure} + +\begin{itemize} +\item the idea is to have a certificate authority (CA) +\item you go to the CA to identify yourself +\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip +\item CA must be trusted by everybody +\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign +explicitly limits liability to \$100.) 
+\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Man-in-the-Middle} + +``Normal'' protocol run:\bigskip + +\begin{itemize} +\item \bl{$A$} sends public key to \bl{$B$} +\item \bl{$B$} sends public key to \bl{$A$} +\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it +with its private key +\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it +with its private key +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Man-in-the-Middle} + +Attack: + +\begin{itemize} +\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key +\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key +\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it +with its private key, re-encrypts with \bl{$B$}'s public key +\item similar for other direction +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Man-in-the-Middle} + +Potential Prevention? 
+ +\begin{itemize} +\item \bl{$A$} sends public key to \bl{$B$} +\item \bl{$B$} sends public key to \bl{$A$} +\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message +\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message +\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message +\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message +\end{itemize}\pause + +%\bl{$C$} would have to invent a totally new message +\alert{Under which circumstances does this protocol prevent +MiM-attacks, or does it?} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Car Transponder (HiTag2)} + +\begin{enumerate} +\item \bl{$C$} generates a random number \bl{$N$} +\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$} +\item \bl{$C \to T$}: \bl{$N, F$} +\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$} +\item \bl{$T$} checks that \bl{$F = F'$} +\item \bl{$T \to C$}: \bl{$N, G'$} +\item \bl{$C$} checks that \bl{$G = G'$} +\end{enumerate}\pause + +\small +This process means that the transponder believes the car knows +the key \bl{$K$}, and the car believes the transponder knows +the key \bl{$K$}. They have authenticated themselves +to each other, or have they? 
+ +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] + +A Man-in-the-middle attack in real life: + +\begin{itemize} +\item the card only says yes to the terminal if the PIN is correct +\item trick the card in thinking transaction is verified by signature +\item trick the terminal in thinking the transaction was verified by PIN +\end{itemize} + +\begin{minipage}{1.1\textwidth} +\begin{center} +\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png} +\includegraphics[scale=0.3]{../pics/chipnpinflaw.png} +\end{center} +\end{minipage} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Problems with EMV} + +\begin{itemize} +\item it is a wrapper for many protocols +\item specification by consensus (resulted unmanageable complexity) +\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some +further parts are secret +\item other attacks have been found +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Protocols are Difficult} + +\begin{itemize} +\item even the systems designed by experts regularly fail\medskip +\item the one who can fix a system should also be liable for the losses\medskip +\item cryptography is often not the problem\bigskip\bigskip +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] \frametitle{A Simple PK Protocol} 
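Review bot: The moved Nonces frame changes the second inference from `after I have sent you my initial message` (the removed wording in the earlier hunk) to `after I send you my initial` / `message`, which is a grammatical regression; restore `\item you could only have generated your answer after I have sent you my initial message`. The Potential Prevention? frame has `send's` twice where `sends` is meant, `SYNflood` in the Handshakes bubble is normally written `SYN flood`, and the EMV frame's `(resulted unmanageable complexity)` should read `(resulting in unmanageable complexity)`. Several new frames use the obsolete two-letter font switches, `{\it``Breaching …''}`, `{\bf Wirelessly Pickpocketing …}`, `{\bf half}` and `\begin{quote}\rm`; `\emph{…}`, `\textbf{…}` and `\rmfamily` are the LaTeX2e forms, and `\not=` in the reflection-attack solution line is better written `\neq`. The last frame, A Simple PK Protocol, starts in the hunk's final context lines and continues outside it.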
@@ -266,8 +803,8 @@
 \item what happens if \bl{$m$} and \bl{$m'$} are voice messages?\bigskip\pause
-\item So \bl{$C$} can either leave the communication unchanged
- (Hellman-Diffie), or invent a complete new conversation
+\item So \bl{$C$} can either leave the communication unchanged,
+ or invent a complete new conversation
 \end{itemize}