# HG changeset patch # User Christian Urban # Date 1353392245 0 # Node ID 56dbc339ec8722d1bcc0c2cf86905759cd06bd9f # Parent dde58256fc351f85fca01f264c6ee36d4932569d updated diff -r dde58256fc35 -r 56dbc339ec87 slides08.pdf Binary file slides08.pdf has changed diff -r dde58256fc35 -r 56dbc339ec87 slides08.tex --- a/slides08.tex Tue Nov 20 05:22:22 2012 +0000 +++ b/slides08.tex Tue Nov 20 06:17:25 2012 +0000 @@ -245,10 +245,14 @@ \end{textblock} \only<3->{ -\begin{textblock}{6}(0.3,12) +\begin{textblock}{6}(0.3,9) being outsmarted by Angola/Cuba ended SA involvement \end{textblock}} +\only<4->{ +\begin{textblock}{6}(0.3,13) +IFF opened up a nice side-channel attack +\end{textblock}} \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -386,6 +390,8 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] @@ -406,32 +412,62 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{``Real-World'' Attacks} - -EMV (Europay, MasterCard, Visa) is a standard for payments by credit cards\bigskip - -It consists of three phases: -\begin{enumerate} -\item card authentication phase (the terminal reads the information; signs it with a public key -and verifies the signed information) -\item cardholder authentication (PIN; terminal sends PIN to card which verifies it; it can also verify it online -with the bank) -\item transaction authorisation (the terminal asks the card to provide an authentication code for the transaction; -the code is sent to the bank for verification) -\end{enumerate} +There are plenty of other protocols and attacks. This could go on ``forever''.\pause\bigskip + +attacks because of changing environment \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ +\begin{frame}[t] +\frametitle{Changing Environment Attacks} + +\begin{itemize} +\item all protocols rely on some assumptions about the environment +(e.g., cryptographic keys cannot be broken)\bigskip\pause +\end{itemize} + +\only<2>{ +\begin{itemize} +\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not +worthwhile +\end{itemize}} + +\only<3>{ +\begin{itemize} +\item when it got expensive, some people bought cheaper monthly tickets for a suburban +station and a nearby one, and one for the destination and a nearby one +\item a large investment later all barriers were automatic and tickets can record state +\end{itemize}} + +\only<4>{ +\begin{itemize} +\item But suddenly the environment changed: rail transport got privatised creating many companies +cheating each other +\item revenue from monthly tickets was distributed according to a formula where the ticket was bought +\end{itemize}} + +\only<5>{ +\begin{itemize} +\item apart from bad outsiders (passengers) you also had bad insiders (rail companies) +\item chaos and litigation ensued +\end{itemize}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ \begin{frame}[c] -A Man-in-the-middle attack +A Man-in-the-middle attack in real life: \begin{itemize} \item the card only says yes or no to the terminal if the PIN is correct @@ -467,6 +503,44 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Good Practices} + +\begin{itemize} +\item explicit principles (you authenticate all data you might rely on) +\item the one who can fix a system should also be liable for the losses +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Privacy et al} + +Some terminology: + +\begin{itemize} +\item \alert{secrecy} is the mechanism used to limit the number of +principals with access to information (eg, cryptography or access controls) + +\item \alert{confidentiality} is the obligation to protect the secrets of other people +or organizations (secrecy for the benefit of an organisation) + +\item \alert{anonymity} is the ability to leave no evidence of an activity (eg, sharing a secret) + +\item \alert{privacy} is the ability or right to protect your personal secrets +(secrecy for the benefit of an individual) + +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + \end{document} %%% Local Variables: