# HG changeset patch
# User Christian Urban
# Date 1353388942 0
# Node ID dde58256fc351f85fca01f264c6ee36d4932569d
# Parent df7cf3d07bd85b365b7ce3f4021fd18479091f48
updated
diff -r df7cf3d07bd8 -r dde58256fc35 pics/chipnpinflaw.png
Binary file pics/chipnpinflaw.png has changed
diff -r df7cf3d07bd8 -r dde58256fc35 slides08.pdf
Binary file slides08.pdf has changed
diff -r df7cf3d07bd8 -r dde58256fc35 slides08.tex
--- a/slides08.tex Mon Nov 19 22:39:22 2012 +0000
+++ b/slides08.tex Tue Nov 20 05:22:22 2012 +0000
@@ -209,7 +209,9 @@
 \end{tabular}
 \end{center}\bigskip
-\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''}
+\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''\medskip\\
+was originally developed at CMU for terminals to connect to
+workstations (e.g.~file servers)}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -257,7 +259,7 @@
 \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encryption\bigskip
+ \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
 \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
 \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip
 \end{itemize}\pause
@@ -267,24 +269,205 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{Possible Kinds of Attacks}
+\frametitle{Protocol Attacks}
 \begin{itemize}
+\item replay attacks
 \item reflection attacks
 \item man-in-the-middle attacks
-\item replay attacks
 \item timing attacks
+\item parallel session attacks
+\item binding attacks (public key protocols)
 \item changing environment / changing assumptions
 \end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
 \end{document}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Replay Attacks}
+
+Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}:
+
+\begin{center}
+\begin{tabular}{r@ {\hspace{1mm}}l}
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+at the end both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
+\bl{$K_{AB}$} and know that the other principal has the key
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
+\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
+\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
+\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
+\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
+\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
+\end{tabular}
+\end{center}\pause
+
+\bl{$B$} believes it is following the correct protocol,
+intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
+talk to \bl{$B$} masquerading as \bl{$A$}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Replay Attacks}
+
+Andrew Secure RPC protocol: exchanging a new key
+between \bl{$A$} and \bl{$B$}
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}\bigskip\pause
+
+Assume nonces are represented as bit-sequences of the same length
+\begin{center}
+\begin{tabular}{@{}l@{}}
+\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
+\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\
+\bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\
+\end{tabular}
+\end{center}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+with public-private keys it is important that the public key is \alert{bound}
+to the right owner (verified by a certification authority \bl{$CA$})
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
+\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\bigskip
+
+\bl{$A$} knows \bl{$K^{prig}_A$} and can verify the message came from \bl{$CA$}
+in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Binding Attacks}
+
+\begin{center}
+\begin{tabular}{l}
+\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
+\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
+\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\end{tabular}
+\end{center}\pause
+
+\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
+(which happily decrypts them with its private key)
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{``Real-World'' Attacks}
+
+EMV (Europay, MasterCard, Visa) is a standard for payments by credit cards\bigskip
+
+It consists of three phases:
+
+\begin{enumerate}
+\item card authentication phase (the terminal reads the information; signs it with a public key
+and verifies the signed information)
+\item cardholder authentication (PIN; terminal sends PIN to card which verifies it; it can also verify it online
+with the bank)
+\item transaction authorisation (the terminal asks the card to provide an authentication code for the transaction;
+the code is sent to the bank for verification)
+\end{enumerate}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+
+A Man-in-the-middle attack
+
+\begin{itemize}
+\item the card only says yes or no to the terminal if the PIN is correct
+\item trick the card in thinking transaction is verified by signature
+\item trick the terminal in thinking the transaction was verified by PIN
+\end{itemize}
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
+\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
+\end{center}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Problems with EMV}
+
+\begin{itemize}
+\item it is a wrapper for many protocols
+\item specification by consensus (resulted unmanageable complexity)
+\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
+further parts are secret
+\item other attacks have been found
+
+\item one solution might be to require always online verification of the PIN with the bank
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\end{document}
 %%% Local Variables:
 %%% mode: latex
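Review bot: The context line ` \end{document}` between the Protocol Attacks frame and the first added Replay Attacks frame appears to survive the change while a second `+\end{document}` is added after the Problems with EMV frame; if the hunk is read correctly, every new frame sits after the first `\end{document}` and is never typeset, so the earlier line should be removed (`-\end{document}`). In the first Binding Attacks frame `\bl{$K^{prig}_A$}` looks like a typo for `\bl{$K^{priv}_A$}`, and the claim that `A` "can verify the message came from CA" does not follow from the message being encrypted under `K^{pub}_{A}`, which any sender can use; either the message is meant to be signed with `CA`'s private key or the sentence should claim only that `A` can decrypt it. In the ``Real-World'' Attacks frame, phase 1 says the terminal "signs it with a public key", but signing is done with a private key and the terminal's job is verification, so `(the terminal reads the information and verifies its signature with the public key)` matches what the rest of the item describes. `Schroeder-Needham protocol` is conventionally written `Needham-Schroeder protocol`.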