# HG changeset patch # User Christian Urban # Date 1444869693 -3600 # Node ID 0516bffd3f5fad6a6771cef70a3831717c18d834 # Parent 6a54ee8b74c353199fa9b71740f21617d43ff9e5 updated diff -r 6a54ee8b74c3 -r 0516bffd3f5f slides/slides04.pdf Binary file slides/slides04.pdf has changed diff -r 6a54ee8b74c3 -r 0516bffd3f5f slides/slides04.tex --- a/slides/slides04.tex Wed Oct 14 10:27:07 2015 +0100 +++ b/slides/slides04.tex Thu Oct 15 01:41:33 2015 +0100 @@ -45,13 +45,32 @@ \end{center} \begin{itemize} -\item no ``cheating'' needed for format string attacks; -\item the main point, no real cheating (Facebook no; printer, router -etc yes) -\end{itemize} +\item no ``cheating'' needed for format string attacks +\item the main point: no cheating to start with +\end{itemize} + \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] + +\begin{bubble}[10cm]\small How do we implement BOAs? On a +webpage login, for example Facebook, we can't do this. The +script will not let us enter hexadecimal numbers where email +or username is required and plus it will have a max length, +like 32 characters only. In this case, what can we do, since +the method you showed us wouldn't work? +\end{bubble}\bigskip\bigskip\pause + +\begin{itemize} +\item Facebook no +\item printers, routers, cars, IoT etc likely +\end{itemize} + + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] @@ -155,7 +174,7 @@ \hspace{8mm} \begin{bubble}[8cm] -\alert{principle of least privilege:}\\ +\alert{\bf principle of least privilege:}\\ users and programs should only have as much privilege as they need to accomplish a task \end{bubble} 
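Review bot: The answer bullet on the new BOA bubble frame, `\item printers, routers, cars, IoT etc likely`, leaves the abbreviation unpunctuated so it reads as a word; `\item printers, routers, cars, IoT etc.\ likely` is the usual form. The slide states the Facebook-no/embedded-yes verdict without the reason, so a speaker comment in the source would help whoever presents it later, e.g. `% why: the web front-end validates length and character set before any native code runs; many embedded stacks presumably lack such validation and the usual runtime mitigations` (hedged, since the slide itself gives no justification). The `\bigskip\bigskip\pause` after `\end{bubble}` is manual vertical spacing that has to be retuned whenever the bubble text changes; a single `\bigskip` with the frame's `[c]` centring normally suffices.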
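Review bot: The changed line `\alert{\bf principle of least privilege:}\\` uses the plain-TeX font switch `\bf`, which resets the current font attributes instead of composing with `\alert`'s colour/emphasis and is flagged as obsolete by l2tabu and nag; `\alert{\textbf{principle of least privilege:}}\\` keeps the emphasis nested correctly. The same `{\bf …}` idiom survives in context lines elsewhere in this file (the Biba bullet in the hunk at -542), so a file-wide replacement would be consistent.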
@@ -316,10 +335,30 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Subtleties} + + +\begin{itemize} +\item<1-> Can Bob write \pcode{file}? +\item<2-> What if Bob is member of \pcode{staff}? +\end{itemize}\bigskip + +\begin{center} +${\underbrace{\Large\texttt{-}}_{\text{\makebox[0mm]{directory}}}} + \;{\underbrace{\Large\texttt{r{}-{}-}}_{\text{user}}}\, + {\underbrace{\Large\texttt{r{}w{}-}}_{\text{group}}}\, + {\underbrace{\Large\texttt{r{}w{}x}}_{\text{other}}}\;\;\; + \Large\texttt{bob}\;\;\texttt{staff}\;\;\texttt{file}$ +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Login Process} +\frametitle{Login Processes} \begin{itemize} 
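Review bot: In the new `Subtleties` frame the leading `-` of the permission string is labelled `directory`, but that first character of an `ls -l` entry is the file-type field, where `-` denotes a regular file and `d` a directory, so the label contradicts the value shown; `_{\text{\makebox[0mm]{file type}}}` (or showing `d` if a directory is meant) avoids the mix-up. The frame asks whether Bob can write the file, and whether membership of `staff` changes that, but the source carries no answer for the presenter; a comment such as `% answer: the owner class is applied exclusively -- bob, as owner, gets r-- even when he is in staff; other users get rwx` would document the subtlety the title refers to. The frame is self-contained within the hunk.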
@@ -366,64 +405,6 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{\Large Discretionary Access Control} - -\begin{itemize} -\item Access to objects (files, directories, devices, etc.) is -permitted based on user identity. Each object is owned by a -user. Owners can specify freely (at their discretion) how they want to -share their objects with other users, by specifying which other users -can have which form of access to their objects.\medskip - -\item Discretionary access control is implemented on any modern multi-user -OS (Unix, Windows NT, etc.). -\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{\Large Mandatory Access Control} - -\begin{itemize} -\item Access to objects is controlled by a system-wide policy, for - example to prevent certain flows of information. In some forms, the - system maintains security labels for both objects and subjects - (processes, users) based on which access is granted or - denied. Labels can change as the result of an access. Security - policies are enforced without the cooperation of users or - programs.\medskip - -\item This is implemented in banking or military operating system - versions (SELinux). 
-\end{itemize} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] -\frametitle{\Large Discretionary Access Control} - -In its most generic form usually given by an \alert{Access Control - Matrix} of the form - -\begin{center} -\begin{tabular}{r|c|c|c} - & /mail/jane & edit.exe & postfix \\\hline -jane & r, w & r, x & r, x\\\hline -john & $\varnothing$ & r, w, x& r, x\\\hline -postfix & a & $\varnothing$ & r, x\\ -\end{tabular} -\end{center} - -access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[c] \small \lstinputlisting[language={},numbers=none,xleftmargin=-6mm]{lst} 
@@ -450,21 +431,43 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{Mandatory Access Control} +\frametitle{\Large Discretionary Access Control} + \small - \begin{itemize} -\item Restrictions to allowed information flows are not decided at the - user's discretion (as with Unix \pcode{chmod}), but instead enforced - by system policies. +\item Access to objects (files, directories, devices, etc.) is +permitted based on user identity. Each object is owned by a +user. Owners can specify freely (at their discretion) how they want to +share their objects with other users, by specifying which other users +can have which form of access to their objects.\medskip + +\item Discretionary access control is implemented on any modern multi-user +OS (Unix, Windows NT, etc.). +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\item Mandatory access control mechanisms are aimed in particular at - preventing policy violations by untrusted programs, which typically - have at least the same access privileges as the invoking - user.\medskip\pause +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{\Large Mandatory Access Control} -Simple example: Air Gap Security. Uses a completely separate network -and computer hardware for different application classes. +\small +\begin{itemize} +\item Access to objects is controlled by a system-wide policy, for + example to prevent certain flows of information. In some forms, the + system maintains security labels for both objects and subjects + (processes, users) based on which access is granted or + denied. Labels can change as the result of an access. Security + policies are enforced without the cooperation of users or + programs.\medskip + +\item This is implemented in banking or military operating system + versions (SELinux).\pause +\item A simple example: Air Gap Security. 
Uses a completely separate network +and computer hardware for different application classes (Bin Laden, Bruce Schneier had +airgaps).\pause +\item What do we want to protect: Secrecy or Integrity? \end{itemize} \end{frame} @@ -509,8 +512,8 @@ \item \alert{Write Rule}: A principal \bl{$P$} can write an object \bl{$O$} if and only if \bl{$O$}'s security level is at least as high as \bl{$P$}'s.\medskip - \item Meta-Rule: All principals in a system should have a sufficiently high security level - in order to access an object. + %\item Meta-Rule: All principals in a system should have a sufficiently high security level + %in order to access an object. \end{itemize}\bigskip This restricts information flow $\Rightarrow$ military\bigskip\bigskip\pause @@ -542,7 +545,7 @@ \frametitle{Biba Policy} \small - Data Integrity (rather than data confidentiality) + Data Integrity (rather than data secrecy) \begin{itemize} \item Biba: {\bf `no read down'} - {\bf `no write up'} 
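Review bot: The added parenthetical `(Bin Laden, Bruce Schneier had airgaps)` on the Mandatory Access Control frame is grammatically off and reads as a stray aside; `(Bin Laden and Bruce Schneier both used air gaps)` states the same examples cleanly. The item spacing in this list is also uneven: the first two items are separated by `\medskip`, the later items by nothing, whereas the relocated Discretionary Access Control frame in the same hunk keeps `\medskip` between its items. The closing question `What do we want to protect: Secrecy or Integrity?` is a good lead-in to the later `Data Integrity (rather than data secrecy)` change, so the wording there is consistent.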
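Review bot: The Meta-Rule item on the Bell-LaPadula frame is commented out (`%\item Meta-Rule: …`) rather than removed, leaving dead source with no indication of whether it will return. Version control already preserves the old text, so either delete the two `%\item` lines or keep them with a one-line reason, e.g. `% Meta-Rule dropped from the slide: <reason>`, so the next editor does not reinstate it by mistake.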
@@ -610,20 +613,118 @@ hierarchy is too complex\\ \textcolor{gray}{you invite situations like\ldots lets be root}\bigskip -\item you can still abuse the system\ldots\bigskip\pause - -\item - policies (a finite system)\\ - computer system (infinite)\medskip\\ -Q: Does your policy ensure that a tainted file cannot affect your -core system files? - +\item you can still abuse the system\ldots \end{itemize} \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Protocols} + +\begin{center} +\includegraphics[scale=0.11]{../pics/keyfob.jpg} +\quad +\includegraphics[scale=0.3025]{../pics/startstop.jpg} +\end{center} + +\begin{itemize} +\item Other examples: Wifi, Http-request, TCP-request, +card readers, RFID (passports)\medskip\pause + +\item The point is that we cannot control the network: An attacker +can install a packet sniffer, inject packets, modify packets, +replay messages\ldots{}fake pretty much everything. +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Keyless Car Transponders} + +\begin{center} +\includegraphics[scale=0.1]{../pics/keyfob.jpg} +\quad +\includegraphics[scale=0.27]{../pics/startstop.jpg} +\end{center} + +\begin{itemize} +\item There are two security mechanisms: one remote central +locking system and one passive RFID tag (engine immobiliser). +\item How can I get in? How can thieves be kept out? +How to avoid MITM attacks? 
+\end{itemize}\medskip + +\footnotesize +\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\ +\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\ +\hfill a Vehicle Immobilizer + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{HTTPS / GSM} + +\begin{center} +\includegraphics[scale=0.25]{../pics/barclays.jpg} +\quad +\includegraphics[scale=0.25]{../pics/phone-signal.jpg} +\end{center} + +\begin{itemize} +\item I am sitting at Starbuck. How can I be sure I am really + visiting Barclays? I have no control of the access + point. +\item How can I achieve that a secret key is established in + order to encrypt my mobile conversation? I have no + control over the access points. +\end{itemize} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Handshakes} + +\begin{itemize} +\item starting a TCP connection between a client and a server +initiates the following three-way handshake protocol: +\end{itemize} + +\begin{columns}[t] +\begin{column}{5cm} +\begin{minipage}[t]{4cm} +\begin{center} +\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}} +\end{center} +\end{minipage} +\end{column} +\begin{column}{5cm} +\begin{tabular}[t]{rl} +Alice: & Hello server!\\ +Server: & I heard you\\ +Alice: & Thanks +\end{tabular} +\end{column} +\end{columns} + +\only<2>{ +\begin{textblock}{3}(11,5) +\begin{bubble}[3.2cm] +SYNflood attacks:\medskip\\ +\includegraphics[scale=0.4]{../pics/synflood.png} +\end{bubble} +\end{textblock}} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[t] \frametitle{Protocols} 
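Review bot: The `Handshakes` frame added at the end of this hunk (three-way handshake figure with the `SYNflood attacks` overlay) is added a second time, with a SYN/SYN-ACK/ACK table in place of the overlay, in the hunk at `@@ -648,17 +749,55 @@`; if both are intended as successive slides, a `% two Handshakes frames on purpose: overlay version, then message table` comment would stop a later editor deduplicating them. Minor wording on the new frames: `Http-request, TCP-request` should be `HTTP request, TCP request`, `Starbuck` should be `Starbucks`, and the paper titles set with `\hfill` under the transponder frame are plain text, so a `\cite` (or at least authors and year) would let readers find them. The bullet `How to avoid MITM attacks?` spells the abbreviation differently from `MiM-attacks` on the later Man-in-the-Middle frame; pick one form for the file.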
@@ -648,17 +749,55 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] +\frametitle{Handshakes} + +\begin{itemize} +\item starting a TCP connection between a client and a server +initiates the following three-way handshake protocol: +\end{itemize} + +\begin{columns}[t] +\begin{column}{5cm} +\begin{minipage}[t]{4cm} +\begin{center} +\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}} +\end{center} +\end{minipage} +\end{column} +\begin{column}{5cm} +\begin{tabular}[t]{rl} +Alice: & Hello server!\\ +Server: & I heard you\\ +Alice: & Thanks +\end{tabular} +\end{column} +\end{columns} + +\begin{center} +\begin{tabular}{rl} +\bl{$A \rightarrow S$}: & \bl{SYN}\\ +\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\ +\bl{$A \rightarrow S$}: & \bl{ACK}\\ +\end{tabular} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] \frametitle{\Large Cryptographic Protocol Failures} Ross Anderson and Roger Needham wrote:\bigskip \begin{quote}\rm -\alert{A lot of the recorded frauds were the result of this kind of - blunder, or from management negligence pure and simple.} However, +A lot of the recorded frauds were the result of this kind of + blunder, or from management negligence pure and simple. + \alert{However, there have been a significant number of cases where the designers protected the right things, used cryptographic algorithms which were not broken, and yet found that their systems were still successfully -attacked. +attacked.} \end{quote} \end{frame} 
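Review bot: The second `Handshakes` frame names the parties `Alice`/`Server` in the left-hand table but `$A$`/`$S$` in the message table beneath it, so the two tables do not read as one protocol run; using the same names in both (`$A$`/`$S$` throughout, or `Alice:`/`Server:`) would fix that. The trailing `\\` after the `\bl{$A \rightarrow S$}: & \bl{ACK}` row adds an empty row to the tabular and can be dropped. The frame is self-contained within the hunk.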
@@ -757,26 +896,6 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] -\frametitle{\Large Cryptographic Protocol Failures} - -Ross Anderson and Roger Needham wrote:\bigskip - -\begin{quote}\rm -A lot of the recorded frauds were the result of this kind of blunder, -or from management negligence pure and simple. \alert{However, there - have been a significant number of cases where the designers - protected the right things, used cryptographic algorithms which were - not broken, and yet found that their systems were still successfully - attacked.} -\end{quote} - -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] \frametitle{Authentication Protocols} @@ -791,11 +910,21 @@ Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the identity of \bl{$B$} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ +\begin{frame}[c] +\frametitle{Authentication?} + +\begin{center} +\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}} +\end{center} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{Authentication Protocols} @@ -811,11 +940,10 @@ \end{center} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{Authentication Protocols} @@ -836,7 +964,7 @@ %intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her %own challenges. -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
@@ -863,13 +991,12 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \begin{center} \begin{tabular}{ll} \bl{$A \rightarrow B$:} & \bl{$N_A$}\\ -\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{ab}}$}\\ +\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\ \bl{$A \rightarrow B$:} & \bl{$N_B$}\\ \end{tabular} \end{center} @@ -887,13 +1014,12 @@ \end{center}\pause \small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Encryption to the Rescue?} +\begin{frame}[c] +\frametitle{Encryption to the Rescue?} \begin{itemize} @@ -904,11 +1030,10 @@ means you need to send separate ``Hello'' signals (bad), or worse share a single key between many entities -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{Protocol Attacks} 
@@ -923,87 +1048,10 @@ \item (social engineering attacks) \end{itemize} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Public-Key Infrastructure} - -\begin{itemize} -\item the idea is to have a certificate authority (CA) -\item you go to the CA to identify yourself -\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip -\item CA must be trusted by everybody -\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign -explicitly limits liability to \$100.) -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Person-in-the-Middle} - -``Normal'' protocol run:\bigskip - -\begin{itemize} -\item \bl{$A$} sends public key to \bl{$B$} -\item \bl{$B$} sends public key to \bl{$A$} -\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it -with its private key -\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it -with its private key -\end{itemize} - -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Person-in-the-Middle} - -Attack: - -\begin{itemize} -\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own public key -\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key -\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it -with its private key, re-encrypts with \bl{$B$}'s public key -\item similar for other direction -\end{itemize} - -\end{frame}} 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Person-in-the-Middle} - -Prevention: - -\begin{itemize} -\item \bl{$A$} sends public key to \bl{$B$} -\item \bl{$B$} sends public key to \bl{$A$} -\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message -\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message -\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message -\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message -\end{itemize}\pause - -\bl{$C$} would have to invent a totally new message - -\end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{Public-Key Infrastructure} 
@@ -1016,129 +1064,90 @@ explicitly limits liability to \$100.) \end{itemize} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Binding Attacks} - -with public-private keys it is important that the public key is \alert{bound} -to the right owner (verified by a certification authority \bl{$CA$}) - -\begin{center} -\begin{tabular}{l} -\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\ -\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\ -\end{tabular} -\end{center}\bigskip - -\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$} -in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Binding Attacks} - -\begin{center} -\begin{tabular}{l} -\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\ -\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\ -\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ -\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ -\end{tabular} -\end{center}\pause - -\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$} -(which happily decrypts them with its private key) - -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{Replay Attacks} +\frametitle{Man-in-the-Middle} -Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: +``Normal'' protocol run:\bigskip -\begin{center} -\begin{tabular}{r@ {\hspace{1mm}}l} -\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ -\bl{$S \rightarrow 
A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\ -\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\ -\end{tabular} -\end{center}\bigskip\pause +\begin{itemize} +\item \bl{$A$} sends public key to \bl{$B$} +\item \bl{$B$} sends public key to \bl{$A$} +\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it +with its private key +\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it +with its private key +\end{itemize} -at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key -\bl{$K_{AB}$} and know that the other principal has the key - -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Man-in-the-Middle} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] +Attack: -\begin{center} -\begin{tabular}{l} -\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\ -\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\ -\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\ -\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\ -\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\ -\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\ -\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\ -\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\ -\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\ -\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\ -\end{tabular} -\end{center}\pause +\begin{itemize} +\item \bl{$A$} sends public key to \bl{$B$} --- \bl{$C$} intercepts this message and send his own 
public key +\item \bl{$B$} sends public key to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key +\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it +with its private key, re-encrypts with \bl{$B$}'s public key +\item similar for other direction +\end{itemize} -\bl{$B$} believes it is following the correct protocol, -intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and -talks to \bl{$B$} masquerading as \bl{$A$} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{Time-Stamps} +\frametitle{Man-in-the-Middle} + +Potential Prevention? -The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos): +\begin{itemize} +\item \bl{$A$} sends public key to \bl{$B$} +\item \bl{$B$} sends public key to \bl{$A$} +\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message +\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message +\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message +\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message +\end{itemize}\pause + +%\bl{$C$} would have to invent a totally new message +\alert{Under which circumstances does this protocol prevent +MiM-attacks, or does it?} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{center} -\begin{tabular}{r@ {\hspace{1mm}}l} -\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ -\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ -\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\ -\end{tabular} -\end{center}\bigskip\pause 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[c] +\frametitle{Car Transponder (HiTag2)} -but nothing is for free: then you need to synchronise time and possibly become a victim to -timing attacks +\begin{enumerate} +\item \bl{$C$} generates a random number \bl{$N$} +\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$} +\item \bl{$C \to T$}: \bl{$N, F$} +\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$} +\item \bl{$T$} checks that \bl{$F = F'$} +\item \bl{$T \to C$}: \bl{$N, G'$} +\item \bl{$C$} checks that \bl{$G = G'$} +\end{enumerate}\pause -\end{frame}} +\small +This process means that the transponder believes the car knows +the key \bl{$K$}, and the car believes the transponder knows +the key \bl{$K$}. They have authenticated themselves +to each other, or have they? + +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] A Man-in-the-middle attack in real life: @@ -1156,11 +1165,10 @@ \end{center} \end{minipage} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{Problems with EMV} 
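Review bot: The new Man-in-the-Middle frames carry repeated typos in the added lines: `send his own public key` (twice) should be `sends his own public key`, and `send's {\bf half} of the message` (twice) should be `sends \textbf{half} of the message`, which also retires the deprecated `\bf` switch. The closing alert spells the abbreviation `MiM-attacks` while the earlier transponder frame uses `MITM`; one form throughout. The half-message exchange on the `Potential Prevention?` frame appears to be the interlock protocol of Rivest and Shamir, and since the slide deliberately leaves open whether it works, a speaker comment such as `% interlock protocol (Rivest--Shamir 1984); Bellovin--Merritt 1994 analyse its use for authentication` would give the presenter the references. The `Car Transponder (HiTag2)` frame describes the authentication steps without a source; the paper titles already listed on the transponder frame are presumably where the description comes from, so a `% source: see papers on the Keyless Car Transponders frame` comment would tie them together. All four frames are complete within the hunk.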
@@ -1172,31 +1180,11 @@ \item other attacks have been found \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}} - -\begin{itemize} -\item a standard ratified in 1999 -\item the protocol was designed by a committee not including cryptographers -\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce -\item WEP did not allocate enough bits for the nonce -\item for authenticating packets it used CRC checksum which can be easily broken -\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip -\item encryption was turned off by default -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{Protocols are Difficult} @@ -1207,11 +1195,10 @@ \item cryptography is often not {\bf the} answer\bigskip\bigskip \end{itemize} -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{Best Practices} @@ -1221,12 +1208,10 @@ {\bf Principle 2:} If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal’s name explicitly in the message (though difficult).\bigskip - -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] {\bf Principle 3:} Be clear about why encryption is being 
@@ -1245,13 +1230,10 @@ \end{itemize} \end{center} - - -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] \frametitle{Best Practices} @@ -1261,7 +1243,7 @@ Example Certification Authorities: CAs are trusted to certify a key only after proper steps have been taken to identify the principal that owns it. -\end{frame}} +\end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \end{document}