diff -r 0cea882f03c7 -r 99d408cfcfb3 slides/slides04.tex
--- a/slides/slides04.tex Tue Oct 22 12:10:01 2013 +0100
+++ b/slides/slides04.tex Tue Oct 22 12:35:11 2013 +0100
@@ -619,6 +619,71 @@
 \end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
+
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Public-Key Infrastructure}
+
+\begin{itemize}
+\item the idea is to have a certificate authority (CA)
+\item you go to the CA to identify yourself
+\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
+\item CA must be trusted by everybody
+\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
+explicitly limits liability to \$100.)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+with public-private keys it is important that the public key is \alert{bound}
+to the right owner (verified by a certification authority \bl{$CA$})
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
+\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\bigskip
+
+\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
+in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
+\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
+\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\pause
+
+\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
+(which happily decrypts them with its private key)
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
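Review bot: The first `Binding Attacks` frame states that A `can verify the message came from \bl{$CA$}`, but encryption under \bl{$K^{pub}_{A}$} authenticates nothing — anyone holding A's public key can build that message, which is exactly why the intruder on the following frame succeeds; the sentence should be presented as the flawed assumption rather than as a fact, e.g. `\bl{$A$} knows \bl{$K^{priv}_A$} and \alert{believes} the message came from \bl{$CA$}`. The repair the attack motivates could close the second frame: the CA signs the binding and names B, `\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, B, N_A, K^{pub}_{B}\}_{K^{priv}_{CA}}$}`, so substituting I for B no longer yields a message A accepts. Notation also drifts within the hunk: the PKI frame writes `$P^{pub}_{Bob}$` while both Binding frames write `$K^{pub}_{B}$`; pick one, and consider `\mathit{CA}` for the multi-letter identifier so it is not typeset as the product C·A.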
@@ -669,6 +734,148 @@
 talks to \bl{$B$} masquerading as \bl{$A$}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Time-Stamps}
+
+The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):
+
+\begin{center}
+\begin{tabular}{r@ {\hspace{1mm}}l}
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+but nothing is for free: then you need to synchronise time and possibly become a victim to
+timing attacks
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[t]
+\frametitle{Changing Environment Attacks}
+
+\begin{itemize}
+\item all protocols rely on some assumptions about the environment
+(e.g., cryptographic keys cannot be broken)\bigskip\pause
+\end{itemize}
+
+\only<2>{
+\begin{itemize}
+\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not
+worthwhile
+\end{itemize}}
+
+\only<3>{
+\begin{itemize}
+\item when it got expensive, some people bought cheaper monthly tickets for a suburban
+station and a nearby one, and one for the destination and a nearby one
+\item a large investment later all barriers were automatic and tickets could record state
+\end{itemize}}
+
+\only<4>{
+\begin{itemize}
+\item but suddenly the environment changed: rail transport got privatised creating many
+competing companies
+potentially cheating each other
+\item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots
+\end{itemize}}
+
+\only<5>{
+\begin{itemize}
+\item apart from bad outsiders (passengers), you also have bad insiders (rail companies)
+\item chaos and litigation ensued
+\end{itemize}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+
+A Man-in-the-middle attack in real life:
+
+\begin{itemize}
+\item the card only says yes or no to the terminal if the PIN is correct
+\item trick the card in thinking transaction is verified by signature
+\item trick the terminal in thinking the transaction was verified by PIN
+\end{itemize}
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
+\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
+\end{center}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Problems with EMV}
+
+\begin{itemize}
+\item it is a wrapper for many protocols
+\item specification by consensus (resulted unmanageable complexity)
+\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
+further parts are secret
+\item other attacks have been found
+
+\item one solution might be to require always online verification of the PIN with the bank
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}}
+
+\begin{itemize}
+\item a standard ratified in 1999
+\item the protocol was designed by a committee not including cryptographers
+\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
+\item WEP did not allocate enough bits for the nonce
+\item for authenticating packets it used CRC checksum which can be easily broken
+\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
+\item encryption was turned off by default
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Protocols are Difficult}
+
+\begin{itemize}
+\item even the systems designed by experts regularly fail\medskip
+\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
+\item the one who can fix a system should also be liable for the losses\medskip
+\item cryptography is often not {\bf the} answer\bigskip\bigskip
+\end{itemize}
+
+logic is one way protocols are studied in academia
+(you can use computers to search for attacks)
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
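Review bot: The `Time-Stamps` frame names the protocol `Schroeder-Needham`; the usual name is Needham--Schroeder (two authors, so an en-dash), and the first sentence should read `The Needham--Schroeder protocol can be fixed by including a time-stamp (e.g., in Kerberos):`. The closing line `possibly become a victim to timing attacks` will be read as the side-channel notion of a timing attack, whereas the cost of \bl{$T_S$} here is clock synchronisation and the replay window that stays open while a stamp is still accepted, so wording such as `possibly become a victim to attacks on clock synchronisation, or to replays within the acceptance window` says what is meant. Two smaller points in the same hunk: `{\bf the}` on the `Protocols are Difficult` frame is an obsolete font switch and should be `\textbf{the}` (or `\emph{the}` for emphasis), and the WEP frame's `encrypt packages` should be `encrypt packets`.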