slides/slides05.tex
changeset 483 337a8f5cb1ad
parent 420 c527a5142f2f
child 484 ddcc4ef4f82c
--- a/slides/slides05.tex	Fri Oct 21 21:15:47 2016 +0100
+++ b/slides/slides05.tex	Wed Oct 26 00:52:18 2016 +0100
@@ -42,6 +42,53 @@
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
+\frametitle{Protocols}
+
+\begin{center}
+\includegraphics[scale=0.11]{../pics/keyfob.jpg}
+\quad
+\includegraphics[scale=0.3025]{../pics/startstop.jpg}
+\end{center}
+
+\begin{itemize}
+\item Other examples: Wifi, Http-request, TCP-request,
+card readers, RFID (passports)\ldots\medskip\pause
+
+\item The point is that we cannot control the network: An attacker
+can install a packet sniffer, inject packets, modify packets,
+replay messages\ldots{}fake pretty much everything.
+\end{itemize}
+  
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Keyless Car Transponders}
+
+\begin{center}
+\includegraphics[scale=0.1]{../pics/keyfob.jpg}
+\quad
+\includegraphics[scale=0.27]{../pics/startstop.jpg}
+\end{center}
+
+\begin{itemize}
+\item There are two security mechanisms: one remote central 
+locking system and one passive RFID tag (engine immobiliser).
+\item How can I get in? How can thieves be kept out? 
+How to avoid MITM attacks?
+\end{itemize}\medskip
+
+\footnotesize
+\hfill Papers: Gone in 360 Seconds: Hijacking with Hitag2,\\
+\hfill Dismantling Megamos Crypto: Wirelessly Lockpicking\\
+\hfill a Vehicle Immobilizer
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
 \frametitle{Problems with Key Fobs}
 
 \begin{columns}
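Review bot: The two paper references at the bottom of the new "Keyless Car Transponders" frame are bare text after `\footnotesize`, with no authors, venue or year, so a reader of the slides cannot tell where one title ends or how to find either paper. The later "Car Transponder (HiTag2)" frame added in this same commit appears to rest on the first of them, so the reference is worth making traceable. I would set each title as `\emph{Gone in 360 Seconds: Hijacking with Hitag2}` (likewise the Megamos title) and add authors and year after it. In the "Protocols" frame above, `Wifi, Http-request, TCP-request` would read better as `Wi-Fi, HTTP requests, TCP connections`. The commit also writes `MITM` here but `MiM-attacks` and `Man-in-the-Middle` in later frames; one spelling throughout would help.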
@@ -63,53 +110,31 @@
 \end{column}
 \end{columns}
 
-
-
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{Nonces}
+\frametitle{HTTPS / GSM}
 
-\begin{enumerate}
-\item I generate a nonce (random number) and send it to you encrypted with a key we share
-\item you increase it by one, encrypt it under a key I know and send
-it back to me
-\end{enumerate}
-
-
-I can infer:
+\begin{center}
+\includegraphics[scale=0.25]{../pics/barclays.jpg}
+\quad
+\includegraphics[scale=0.25]{../pics/phone-signal.jpg}
+\end{center}
 
 \begin{itemize}
-\item you must have received my message
-\item you could only have generated your answer after I have
-      sent you my initial message
-\item if only you and me know the key, the message must have come from you
+\item I am sitting at Starbuck. How can I be sure I am really
+      visiting Barclays? I have no control of the access
+      point.
+\item How can I achieve that a secret key is established in
+      order to encrypt my mobile conversation? I have no
+      control over the access points. 
 \end{itemize}
 
 \end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Protocols}
-
-\begin{center}
-\includegraphics[scale=0.11]{../pics/keyfob.jpg}
-\quad
-\includegraphics[scale=0.232]{../pics/starbucks.jpg}
-\end{center}
-
-\begin{itemize}
-\item The point is that we have no control over the network
-
-\item We want to avoid that a message exchange (a protocol) can
-be attacked without detection
-\end{itemize}
-  
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
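Review bot: The second bullet of the new "HTTPS / GSM" frame says `access points` for the mobile-phone case, which blurs the two scenarios the frame is contrasting. If GSM is meant, the untrusted element is the base station, so I would write `\item How can a secret key be established to encrypt my mobile conversation? I have no control over the base stations.`. The first bullet has a typo and an inconsistent preposition; `I am sitting at Starbucks. How can I be sure I am really visiting Barclays? I have no control over the access point.` fixes both. It may also be worth a comment above the frame saying that both bullets pose the same question, namely authentication and key establishment over an untrusted network, since the slide itself never says what the two pictures have in common.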
@@ -139,6 +164,518 @@
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
+\frametitle{Handshakes}
+
+\begin{itemize}
+\item starting a TCP connection between a client and a server
+initiates the following three-way handshake protocol:
+\end{itemize}
+
+\begin{columns}[t]
+\begin{column}{5cm}
+\begin{minipage}[t]{4cm}
+\begin{center}
+\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
+\end{center}
+\end{minipage}
+\end{column}
+\begin{column}{5cm}
+\begin{tabular}[t]{rl}
+Alice:  & Hello server!\\
+Server: & I heard you\\
+Alice:  & Thanks
+\end{tabular}
+\end{column}
+\end{columns}
+
+\only<2>{
+\begin{textblock}{3}(11,5)
+\begin{bubble}[3.2cm]
+SYNflood attacks:\medskip\\
+\includegraphics[scale=0.4]{../pics/synflood.png}
+\end{bubble}
+\end{textblock}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+  \begin{frame}[t]
+  \frametitle{Protocols}
+ 
+\mbox{} 
+  
+\begin{tabular}{l}
+{\Large \bl{$A\;\rightarrow\; B : \ldots$}}\\
+\onslide<2->{\Large \bl{$B\;\rightarrow\; A : \ldots$}}\\
+\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
+\end{tabular}  
+  
+ \begin{itemize}
+ \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
+ but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
+\item<2-> indicates one ``protocol run'', or session,  which specifies some 
+order in the communication
+\item<2-> there can be several sessions in parallel (think of wifi routers) 
+\end{itemize} 
+  
+  \end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+  
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Handshakes}
+
+\begin{itemize}
+\item starting a TCP connection between a client and a server
+initiates the following three-way handshake protocol:
+\end{itemize}
+
+\begin{columns}[t]
+\begin{column}{5cm}
+\begin{minipage}[t]{4cm}
+\begin{center}
+\raisebox{-2cm}{\includegraphics[scale=0.5]{../pics/handshake.png}}
+\end{center}
+\end{minipage}
+\end{column}
+\begin{column}{5cm}
+\begin{tabular}[t]{rl}
+Alice:  & Hello server!\\
+Server: & I heard you\\
+Alice:  & Thanks
+\end{tabular}
+\end{column}
+\end{columns}
+
+\begin{center}
+\begin{tabular}{rl}
+\bl{$A \rightarrow S$}: & \bl{SYN}\\
+\bl{$S \rightarrow A$}: & \bl{SYN-ACK}\\
+\bl{$A \rightarrow S$}: & \bl{ACK}\\
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+  
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\Large Cryptographic Protocol Failures}
+
+Ross Anderson and Roger Needham wrote:\bigskip
+
+\begin{quote}\rm
+A lot of the recorded frauds were the result of this kind of
+  blunder, or from management negligence pure and simple. 
+  \alert{However,
+there have been a significant number of cases where the designers
+protected the right things, used cryptographic algorithms which were
+not broken, and yet found that their systems were still successfully
+attacked.}
+\end{quote}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+  \begin{frame}<1-3>[c]
+  \frametitle{Oyster Cards}
+
+  \includegraphics[scale=0.4]{../pics/oysterc.jpg}
+
+  \begin{itemize}
+  \item good example of a bad protocol\\ (security by obscurity)\bigskip
+  \item<3->  {\it``Breaching security on Oyster cards should not 
+  allow unauthorised use for more than a day, as TfL promises to turn 
+  off any cloned cards within 24 hours\ldots''}
+  \end{itemize}
+
+  \only<2>{
+  \begin{textblock}{12}(0.5,0.5)
+  \begin{bubble}[11cm]\footnotesize
+  {\bf Wirelessly Pickpocketing a Mifare Classic Card}\medskip
+
+  The Mifare Classic is the most widely used contactless smartcard on the
+  market. The stream cipher CRYPTO1 used by the Classic has recently been
+  reverse engineered and serious attacks have been proposed. The most serious
+  of them retrieves a secret key in under a second. In order to clone a card,
+  previously proposed attacks require that the adversary either has access to
+  an eavesdropped communication session or executes a message-by-message
+  man-in-the-middle attack between the victim and a legitimate
+  reader. Although this is already disastrous from a cryptographic point of
+  view, system integrators maintain that these attacks cannot be performed
+  undetected.\smallskip
+
+  This paper proposes four attacks that can be executed by an adversary having
+  only wireless access to just a card (and not to a legitimate reader). The
+  most serious of them recovers a secret key in less than a second on ordinary
+  hardware. Besides the cryptographic weaknesses, we exploit other weaknesses
+  in the protocol stack. A vulnerability in the computation of parity bits
+  allows an adversary to establish a side channel. Another vulnerability
+  regarding nested authentications provides enough plaintext for a speedy
+  known-plaintext attack.\hfill{}(a paper from 2009)
+  \end{bubble}
+  \end{textblock}}
+
+  \end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}<1->[t]
+\frametitle{Another Example}
+
+In an email from Ross Anderson\bigskip\small	
+
+\begin{tabular}{l}
+From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
+Sender: cl-security-research-bounces@lists.cam.ac.uk\\
+To: cl-security-research@lists.cam.ac.uk\\
+Subject: Birmingham case\\
+Date: Tue, 13 Aug 2013 15:13:17 +0100\\
+\end{tabular}
+
+
+\only<2>{
+\begin{textblock}{12}(0.5,0.8)
+\begin{bubble}[11cm]
+\footnotesize
+As you may know, Volkswagen got an injunction against the University of
+Birmingham suppressing the publication of the design of a weak cipher
+used in the remote key entry systems in its recent-model cars. The paper
+is being given today at Usenix, minus the cipher design.\medskip
+
+I've been contacted by Birmingham University's lawyers who seek to prove
+that the cipher can be easily obtained anyway. They are looking for a
+student who will download the firmware from any newish VW, disassemble
+it and look for the cipher. They'd prefer this to be done by a student
+rather than by a professor to emphasise how easy it is.\medskip
+
+Volkswagen's argument was that the Birmingham people had reversed a
+locksmithing tool produced by a company in Vietnam, and since their key
+fob chip is claimed to be tamper-resistant, this must have involved a
+corrupt insider at VW or at its supplier Thales. Birmingham's argument
+is that this is nonsense as the cipher is easy to get hold of. Their
+lawyers feel this argument would come better from an independent
+outsider.\medskip
+
+Let me know if you're interested in having a go, and I'll put you in
+touch
+
+Ross
+\end{bubble}
+\end{textblock}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Authentication Protocols}
+
+
+Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
+
+Passwords:
+
+\begin{center}
+\bl{$B \rightarrow A: K_{AB}$} 
+\end{center}\pause\bigskip
+
+Problem: Eavesdropper can capture the secret and replay it; \bl{$A$} cannot confirm the
+identity of \bl{$B$}  
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Authentication?}
+
+\begin{center}
+\raisebox{-2cm}{\includegraphics[scale=0.4]{../pics/dogs.jpg}}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Authentication Protocols}
+
+Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
+
+Simple Challenge Response:
+
+\begin{center}
+\begin{tabular}{ll}
+\bl{$A \rightarrow B:$} & \bl{$N$}\\
+\bl{$B \rightarrow A:$} & \bl{$\{N\}_{K_{AB}}$}\\
+\end{tabular} 
+\end{center}
+
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Authentication Protocols}
+
+Alice (\bl{$A$}) and Bob (\bl{$B$}) share a secret key \bl{$K_{AB}$}\bigskip
+
+Mutual Challenge Response:
+
+\begin{center}
+\begin{tabular}{ll}
+\bl{$A \rightarrow B:$} & \bl{$N_A$}\\
+\bl{$B \rightarrow A:$} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B:$} & \bl{$N_B$}\\
+\end{tabular} 
+\end{center}
+
+%\pause
+%An attacker \bl{$E$} can launch an impersonation attack by
+%intercepting all messages for \bl{$B$} and make \bl{$A$} decrypt her
+%own challenges.
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Nonces}
+
+\begin{enumerate}
+\item I generate a nonce (random number) and send it to you encrypted with a key we share
+\item you increase it by one, encrypt it under a key I know and send
+it back to me
+\end{enumerate}\medskip
+
+
+I can infer:
+
+\begin{itemize}
+\item you must have received my message
+\item you could only have generated your answer after I send you my initial
+message
+\item if only you and me know the key, the message must have come from you
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}{ll}
+\bl{$A \rightarrow B$:} & \bl{$N_A$}\\  
+\bl{$B \rightarrow A$:} & \bl{$\{N_A, N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B$:} & \bl{$N_B$}\\
+\end{tabular}
+\end{center}
+
+The attack (let $A$ decrypt her own messages):
+
+\begin{center}
+\begin{tabular}{ll}
+\bl{$A \rightarrow E$:} & \bl{$N_A$}\\ 
+\textcolor{gray}{$E \rightarrow A$:} & \textcolor{gray}{$N_A$}\\ 
+\textcolor{gray}{$A \rightarrow E$:} & \textcolor{gray}{$\{N_A, N_A'\}_{K_{AB}}$}\\
+\bl{$E \rightarrow A$:} & \bl{$\{N_A, N_A'\}_{K_{AB}}$}\\
+\bl{$A \rightarrow E$:} & \bl{$N_A' \;\;(= N_B)$}\\
+\end{tabular}
+\end{center}\pause
+
+\small Solutions: \bl{$K_{AB} \not= K_{BA}$} or include an id in the second message
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Encryption to the Rescue?}
+
+
+ \begin{itemize}
+ \item \bl{$A \,\rightarrow\, B :  \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip 
+ \item \bl{$B\,\rightarrow\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
+ \item \bl{$A \,\rightarrow\, B : \{N_A\}_{K'_{AB}}$}\bigskip
+ \end{itemize}\pause
+ 
+means you need to send separate ``Hello'' signals (bad), or worse 
+share a single key between many entities
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%      
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Protocol Attacks}
+
+\begin{itemize}
+\item replay attacks
+\item reflection attacks
+\item man-in-the-middle attacks
+\item timing attacks
+\item parallel session attacks
+\item binding attacks (public key protocols)
+\item changing environment / changing assumptions\bigskip
+
+\item (social engineering attacks)
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Public-Key Infrastructure}
+
+\begin{itemize}
+\item the idea is to have a certificate authority (CA)
+\item you go to the CA to identify yourself
+\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
+\item CA must be trusted by everybody
+\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
+explicitly limits liability to \$100.)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Man-in-the-Middle}
+
+``Normal'' protocol run:\bigskip
+
+\begin{itemize}
+\item \bl{$A$} sends public key  to \bl{$B$}
+\item \bl{$B$} sends public key  to \bl{$A$}
+\item \bl{$A$} sends message encrypted with \bl{$B$}'s public key, \bl{$B$} decrypts it
+with its private key
+\item \bl{$B$} sends message encrypted with \bl{$A$}'s public key, \bl{$A$} decrypts it
+with its private key
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Man-in-the-Middle}
+
+Attack:
+
+\begin{itemize}
+\item \bl{$A$} sends public key  to \bl{$B$}  --- \bl{$C$} intercepts this message and send his own public key
+\item \bl{$B$} sends public key  to \bl{$A$} --- \bl{$C$} intercepts this message and send his own public key
+\item \bl{$A$} sends message encrypted with \bl{$C$}'s public key, \bl{$C$} decrypts it
+with its private key, re-encrypts with \bl{$B$}'s public key 
+\item similar for other direction
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Man-in-the-Middle}
+
+Potential Prevention?
+
+\begin{itemize}
+\item \bl{$A$} sends public key  to \bl{$B$}
+\item \bl{$B$} sends public key  to \bl{$A$}
+\item \bl{$A$} encrypts message with \bl{$B$}'s public key, send's {\bf half} of the message
+\item \bl{$B$} encrypts message with \bl{$A$}'s public key, send's {\bf half} of the message
+\item \bl{$A$} sends other half, \bl{$B$} can now decrypt entire message
+\item \bl{$B$} sends other half, \bl{$A$} can now decrypt entire message
+\end{itemize}\pause
+
+%\bl{$C$} would have to invent a totally new message
+\alert{Under which circumstances does this protocol prevent
+MiM-attacks, or does it?}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Car Transponder (HiTag2)}
+
+\begin{enumerate}
+\item \bl{$C$} generates a random number \bl{$N$}
+\item \bl{$C$} calculates \bl{$(F,G) = \{N\}_K$}
+\item \bl{$C \to T$}: \bl{$N, F$}
+\item \bl{$T$} calculates \bl{$(F',G') = \{N\}_K$}
+\item \bl{$T$} checks that \bl{$F = F'$}
+\item \bl{$T \to C$}: \bl{$N, G'$}
+\item \bl{$C$} checks that \bl{$G = G'$}
+\end{enumerate}\pause
+
+\small
+This process means that the transponder believes the car knows
+the key \bl{$K$}, and the car believes the transponder knows
+the key \bl{$K$}. They have authenticated themselves
+to each other, or have they?
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+
+A Man-in-the-middle attack in real life:
+
+\begin{itemize}
+\item the card only says yes to the terminal if the PIN is correct
+\item trick the card in thinking transaction is verified by signature
+\item trick the terminal in thinking the transaction was verified by PIN
+\end{itemize}
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{../pics/chip-attack.png}
+\includegraphics[scale=0.3]{../pics/chipnpinflaw.png}
+\end{center}
+\end{minipage}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Problems with EMV}
+
+\begin{itemize}
+\item it is a wrapper for many protocols
+\item specification by consensus (resulted unmanageable complexity)
+\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some 
+further parts are secret
+\item other attacks have been found
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Protocols are Difficult}
+
+\begin{itemize}
+\item even the systems designed by experts regularly fail\medskip
+\item the one who can fix a system should also be liable for the losses\medskip
+\item cryptography is often not the problem\bigskip\bigskip  
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
 \frametitle{A Simple PK Protocol}
 
 
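Review bot: The untitled frame that begins `The attack (let $A$ decrypt her own messages)` states its countermeasure too tersely to be applied: `include an id in the second message` says neither whose identity nor that it must sit inside the encryption. I would write `\small Solutions: a separate key per direction (\bl{$K_{AB} \not= K_{BA}$}) or the responder's name inside the encryption, e.g.\ \bl{$\{N_A, N_B, B\}_{K_{AB}}$}`, so that A can reject a ciphertext she produced herself. The frame would also benefit from a `\frametitle{Reflection Attack}`, matching the term used on the "Protocol Attacks" frame, and a short note that the gray lines are the second session E opens with A. In the "Another Example" frame the `<` and `>` around the e-mail address are typed in text mode and will print as inverted punctuation under the default OT1 encoding unless the preamble (not visible here) loads T1; wrapping the address in `\texttt{...}` avoids that. Smaller wording slips in the same hunk: `send's` (twice) in the "Potential Prevention?" frame should be `sends`, and the re-added "Nonces" frame now reads `after I send you` where the removed version had `after I have sent you`.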
@@ -266,8 +803,8 @@
 \item what happens if \bl{$m$} and \bl{$m'$} are voice
   messages?\bigskip\pause
 
-\item So \bl{$C$} can either leave the communication unchanged
-      (Hellman-Diffie), or invent a complete new conversation
+\item So \bl{$C$} can either leave the communication unchanged,
+      or invent a complete new conversation
       
 \end{itemize}