--- a/handouts/ho02.tex Tue Oct 20 01:01:17 2015 +0100
+++ b/handouts/ho02.tex Wed Oct 21 13:31:56 2015 +0100
@@ -5,6 +5,19 @@
\begin{document}
\fnote{\copyright{} Christian Urban, 2014, 2015}
+%https://www.usenix.org/sites/default/files/conference/protected-files/jets15_slides_epstein.pdf
+%
+%Jeremy Epstein, SRI International
+%
+%In April 2015, the US Commonwealth of Virginia decertified the Advanced Voting
+%Solutions (AVS) WinVote voting machine, after concluding that it was insecure.
+%This talk presents the results of Virginia's analysis of the WinVote, and
+%explores how we got to the point where a voting machine using an unpatched
+%version of Windows XP from 2004, using hardwired WEP keys and administrator
+%passwords, could be used for over a decade in most of Virginia.
+
+
+
\section*{Handout 2 (E-Voting)}
In security engineering, there are many counter-intuitive
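Review bot: the WinVote material added at the top of ho02.tex is entirely commented out, so the rendered handout does not change; if it is meant to become part of the E-Voting section, a `% TODO` marker on the first comment line would make that intent clear, and the three consecutive blank `+` lines inserted before `\section*{Handout 2 (E-Voting)}` can be reduced to one.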
Binary file handouts/ho05.pdf has changed
--- a/handouts/ho05.tex Tue Oct 20 01:01:17 2015 +0100
+++ b/handouts/ho05.tex Wed Oct 21 13:31:56 2015 +0100
@@ -159,12 +159,12 @@
is encrypted, then we use the notation
\[
-\{msg\}_{K_{AB}}
+\{msg\}_{K}
\]
\noindent for messages. The curly braces indicate a kind of
-envelope which can only be opened if you know the key $K_{AB}$
+envelope which can only be opened if you know the key $K$
with which the message has been encrypted. We always assume
that an attacker, say Eve, cannot get to the content of the
message, unless she is also in the possession of the key. We
@@ -178,7 +178,7 @@
this case we would write something like
\[
-\{msg_1, msg_2\}_{K_{AB}}
+\{msg_1, msg_2\}_{K}
\]
\noindent But again Eve would not be able to know
@@ -187,13 +187,13 @@
different keys. In this case we write
\[
-\{\{msg\}_{K_{AB}}\}_{K_{BC}}
+\{\{msg\}_{K_1}\}_{K_2}
\]
\noindent The idea is that even if attacker Eve has the
-key $K_{BC}$ she could decrypt the outer envelop, but
+key $K_2$ she could decrypt the outer envelop, but
still does not get to the message, because it is still
-encrypted with the key $K_{AB}$. Note, however,
+encrypted with the key $K_1$. Note, however,
while an attacker cannot obtain the content of the message
without the key, encrypted messages can be observed
and be recorded and then replayed at another time, or
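Review bot: `envelop` on the changed line `+key $K_2$ she could decrypt the outer envelop, but` should read `envelope`; since the line is already being touched for the key rename, fix the spelling here. The following sentence `Note, however, while an attacker cannot obtain` also needs a `that` after `however,` to parse cleanly.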
@@ -307,19 +307,19 @@
corresponds to the challenge (nonce) $B$ has sent earlier.
But what about $A$? Can $A$ make any inferences about whom it
-talks to? It dutifully answered the challenge and hopes its
-bank, say, will be the only one to understand her answer. But
-is this the case? No! Let us consider again an attacker Eve
-who has control over the network. She could have intercepted
-the message $HELLO$ and just replied herself to $A$ using a
-random number\ldots{}for example one which she observed in a
-previous run of this protocol. Remember that if a message is
-sent without curly braces it is sent in clear text. $A$ would
-encrypt the nonce with the key $K_{AB}$ and send it back to
-Eve. She just throws away the answer. $A$ would hope that she
-talked to $B$ because she followed the protocol, but
-unfortunately she cannot be sure who she is talking to---it
-might be Eve.
+talks to? It dutifully answered the challenge and hopes his or
+her bank, say, will be the only one to understand her answer.
+But is this the case? No! Let us consider again an attacker
+Eve who has control over the network. She could have
+intercepted the message $HELLO$ and just replied herself to
+$A$ using a random number\ldots{}for example one which she
+observed in a previous run of this protocol. Remember that if
+a message is sent without curly braces it is sent in clear
+text. $A$ would encrypt the nonce with the key $K_{AB}$ and
+send it back to Eve. She just throws away the answer. $A$
+would hope that she talked to $B$ because she followed the
+protocol, but unfortunately she cannot be sure who she is
+talking to---it might be Eve.
The solution is to follow a \emph{mutual challenge-response}
protocol. There $A$ already starts off with a challenge (nonce)
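Review bot: the pronouns in this rewritten paragraph are mixed: `hopes his or` / `her bank, say, will be the only one to understand her answer.` switches from `his or her` to `her` within one sentence, and the paragraph later continues with `$A$ would hope that she talked to $B$`. Pick one convention for $A$ (either `its`, as in the removed lines, or `her` throughout) and apply it to the whole paragraph.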
@@ -343,14 +343,14 @@
would not be able to answer this challenge correctly because
the attacker is assumed to not be in the possession of the key
$K_{AB}$; so is not able to generate this message. It could
-also not have been that it is an old message replayed, because
-$A$ would send out each time a fresh nonce. So with this
-protocol you can ensure also for $A$ that it talks to $B$. I
-leave you to argue that $B$ can be sure to talk to $A$. Of
-course these arguments will depend on the assumptions that
-only $A$ and $B$ know the key $K_{AB}$ and that nobody can
-break the encryption unless they have this key and that the
-nonces are fresh each time the protocol is run.
+also not have been the case that it is an old message
+replayed, because $A$ would send out each time a fresh nonce.
+So with this protocol you can ensure also for $A$ that it
+talks to $B$. I leave you to argue that $B$ can be sure to
+talk to $A$. Of course these arguments will depend on the
+assumptions that only $A$ and $B$ know the key $K_{AB}$ and
+that nobody can break the encryption unless they have this key
+and that the nonces are fresh each time the protocol is run.
The purpose of the nonces, the random numbers that are sent
around, might be a bit opaque. Because they are unpredictable
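Review bot: `+also not have been the case that it is an old message` / `+replayed, because $A$ would send out each time a fresh nonce.` is still awkward after the rewrap; `nor could it be an old message replayed, because $A$ sends a fresh nonce each time` says the same thing more directly. Likewise `you can ensure also for $A$ that it talks to $B$` reads better as `you can also ensure for $A$ that it talks to $B$`.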
@@ -391,10 +391,13 @@
must have come from you
\end{itemize}
-\noindent Even if this does not seem much information I can
+\noindent Even if this does not seem much information we can
glean from such an exchange, it is in fact the basic building
block in protocols for establishing some secret or for
-achieving some security goal (like authentication).
+achieving some security goal (like authentication). This is
+what I meant by magic: we send around ``just'' some random
+numbers, but actually can use them to make some meaningful
+inferences.
While the mutual challenge-response protocol solves the
authentication problem, there are some limitations. One is of
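Review bot: this hunk changes `I can` to `we can` on the first changed line but then adds `This is what I meant by magic` three lines later, so the paragraph now switches person mid-thought; use one voice for both. The added sentence also refers back to `magic` as something previously said, which a reader of the handout can only follow if the word is actually introduced earlier in the text.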
@@ -812,61 +815,65 @@
\subsubsection*{Further Reading}
-A blogpost that describes the first few milliseconds of an HTTPS connection
-is at
+\begin{itemize}
+\item A blogpost that describes the first few milliseconds of
+ an HTTPS connection is at
\begin{center}
\url{http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html}
\end{center}
-\noindent
-It disentangles every message sent between a client and a server.
+It disentangles every message sent between a client and a
+server.
-If you want to know more about how cars can be hijacked,
-the paper
+\item If you want to know more about how cars can be hijacked,
+ the paper
\begin{center}
\url{http://www.cs.ru.nl/~rverdult/Gone_in_360_Seconds_Hijacking_with_Hitag2-USENIX_2012.pdf}
\end{center}
-\noindent is quite amusing to read. Obviously an even more
-amusing paper would be ``Dismantling Megamos Crypto:
-Wirelessly Lockpicking a Vehicle Immobilizer'' by the same
-authors, but because of the court injunction by VW,
-we are denied this entertainment.
+is quite amusing to read. Obviously an even more amusing paper
+would ``Dismantling Megamos Crypto: Wirelessly Lockpicking a
+Vehicle Immobilizer'' by the same authors, but because of the
+court injunction by VW, we are denied this entertainment.
+UPDATE: This paper is now in the public domain.
-Person-in-the-middle-attacks from the ``wild'' are described
-with real data in the blog post
+\item Man-in-the-middle-attacks from the ``wild'' are
+ described with real data in the blog post
\begin{center}
\url{http://www.renesys.com/2013/11/mitm-internet-hijacking}
\end{center}
-\noindent The conclusion in this post is that person-in-the-middle-attacks
-can be launched from any place on Earth---it is not required
-that you sit in the ``middle'' of the communication of two people.
-You just have to route their traffic through a node you own.
+The conclusion in this post is that man-in-the-middle-attacks
+can be launched from any place on Earth---it is not required
+that you sit in the ``middle'' of the communication of two
+people. You just have to route their traffic through a node
+you own.
-An article in The Guardian from 2013 reveals how GCHQ and the NSA at a
-G20 Summit in 2009 sniffed emails from Internet cafes, monitored phone
-calls from delegates and attempted to listen on phone calls which were made
-by Russians and which were transmitted via satellite links:
+\item An article in The Guardian from 2013 reveals how GCHQ
+ and the NSA at a G20 Summit in 2009 sniffed emails from
+ Internet cafes, monitored phone calls from delegates and
+ attempted to listen on phone calls which were made by
+ Russians and which were transmitted via satellite links:
\begin{center}
\url{http://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits}
\end{center}
-\noindent
\ldots all in the name of having a better position for
negotiations. Hmmm\ldots
-A paper how the NSA can decrypt so much of the encrypted
-Internet traffic:
+\item A paper guessing how the NSA can decrypt so much of the
+encrypted Internet traffic:
\begin{center}
\url{https://weakdh.org/imperfect-forward-secrecy.pdf}
\end{center}
+\end{itemize}
+
\end{document}
%%% Local Variables:
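Review bot: the rewrap dropped a word: `+is quite amusing to read. Obviously an even more amusing paper` / `+would ``Dismantling Megamos Crypto: Wirelessly Lockpicking a` is missing `be` after `would` (the removed line had `would be`). Two smaller points in the same list item: `UPDATE: This paper is now in the public domain.` most likely means the paper is now publicly available after the injunction, which is not the same as being in the public domain in the copyright sense, so `publicly available` would be the accurate wording; and the rename of `Person-in-the-middle-attacks` to `Man-in-the-middle-attacks` in the third item reverses the terminology used before, so check that the rest of the handout uses the same term consistently.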
--- a/slides/slides02.tex Tue Oct 20 01:01:17 2015 +0100
+++ b/slides/slides02.tex Wed Oct 21 13:31:56 2015 +0100
@@ -11,11 +11,15 @@
% beamer stuff
\renewcommand{\slidecaption}{SEN 02, King's College London}
+% mention again examination stuff
+%
%Bank vs Voting
%http://www.parliament.vic.gov.au/images/stories/committees/emc/2010_Election/submissions/13_VTeague_EMC_Inquiry_No.6.pdf
-
+%
% first cyber attack
%http://investigations.nbcnews.com/_news/2013/03/18/17314818-cyberattack-on-florida-election-is-first-known-case-in-us-experts-say
+%
+% another comment in the handout
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
--- a/slides/slides04.tex Tue Oct 20 01:01:17 2015 +0100
+++ b/slides/slides04.tex Wed Oct 21 13:31:56 2015 +0100
@@ -359,7 +359,6 @@
\begin{frame}[c]
\frametitle{Subtleties}
-
\begin{itemize}
\item<1-> Can Bob write \pcode{file}?
\item<2-> What if Bob is member of \pcode{staff}?
@@ -707,6 +706,7 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Handshakes}
Binary file slides/slides05.pdf has changed
--- a/slides/slides05.tex Tue Oct 20 01:01:17 2015 +0100
+++ b/slides/slides05.tex Wed Oct 21 13:31:56 2015 +0100
@@ -39,6 +39,155 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
+\frametitle{Problems with Key Fobs}
+
+\begin{columns}
+\begin{column}[T]{4cm}
+\includegraphics[scale=0.4]{../pics/car-standard.jpg}
+\end{column}
+
+\begin{column}[T]{6cm}\small
+Circumventing the ignition protection:
+
+\begin{itemize}
+\item either dismantling Megamos crypto,
+\item or use the diagnostic port to program
+ blank keys
+\end{itemize}
+
+\hspace{14mm}
+\includegraphics[scale=0.16]{../pics/Dismantling_Megamos_Crypto.png}
+\end{column}
+\end{columns}
+
+
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Protocols}
+
+\begin{center}
+\includegraphics[scale=0.11]{../pics/keyfob.jpg}
+\quad
+\includegraphics[scale=0.232]{../pics/starbucks.jpg}
+\end{center}
+
+\begin{itemize}
+\item The point is that we have no control over the network
+
+\item We want to avoid that a message exchange (a protocol) can
+be attacked without detection
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{G20 Summit in 2009}
+
+\begin{center}
+\includegraphics[scale=0.1]{../pics/snowden.jpg}
+\end{center}
+
+\small
+\begin{itemize}
+\item Snowden documents reveal ``that during G20
+ meetings\dots{}GCHQ used
+ `ground-breaking intelligence capabilities' to intercept
+ the communications of visiting delegations. This
+ included setting up internet cafes where they used an
+ email interception program and key-logging software to
+ spy on delegates' use of computers\ldots''
+
+\item ``The G20 spying appears to have been organised for the
+ more mundane purpose of securing an advantage in
+ meetings.''
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Interlock Protocol}
+
+The interlock protocol (``best bet'' against MITM):
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+1. & \bl{$A \to B :$} & \bl{$K^{pub}_A$}\\
+2. & \bl{$B \to A :$} & \bl{$K^{pub}_B$}\\
+3. & & \bl{$\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$}\\
+ & & \bl{$\{B,m'\}_{K^{pub}_A} \;\mapsto\; M_1,M_2$}\\
+4. & \bl{$A \to B :$} & \bl{$H_1$}\\
+5. & \bl{$B \to A :$} & \bl{$\{H_1, M_1\}_{K^{pub}_A}$}\\
+6. & \bl{$A \to B :$} & \bl{$\{H_2, M_1\}_{K^{pub}_B}$}\\
+7. & \bl{$B \to A :$} & \bl{$M_2$}
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+
+\begin{center}
+\begin{tabular}{l@{\hspace{9mm}}l}
+\begin{tabular}[t]{@{}l@{}}
+\bl{$A \to C : K^{pub}_A$}\\
+\bl{$C \to B : K^{pub}_C$}\\
+\bl{$B \to C : K^{pub}_B$}\\
+\bl{$C \to A : K^{pub}_C$}\medskip\\
+\bl{$\{A,m\}_{K^{pub}_C} \;\mapsto\; H_1,H_2$}\\
+\bl{$\{B,n\}_{K^{pub}_C} \;\mapsto\; M_1,M_2$}\bigskip\\
+\bl{$\{C,a\}_{K^{pub}_B} \;\mapsto\; C_1,C_2$}\\
+\bl{$\{C,b\}_{K^{pub}_A} \;\mapsto\; D_1,D_2$}
+\end{tabular} &
+\begin{tabular}[t]{@{}l@{}}
+\bl{$A \to C : H_1$}\\
+\bl{$C \to B : C_1$}\\
+\bl{$B \to C : \{C_1, M_1\}_{K^{pub}_C}$}\\
+\bl{$C \to A : \{H_1, D_1\}_{K^{pub}_A}$}\\
+\bl{$A \to C : \{H_2, D_1\}_{K^{pub}_C}$}\\
+\bl{$C \to B : \{C_2, M_1\}_{K^{pub}_B}$}\\
+\bl{$B \to C : M_2$}\\
+\bl{$C \to A : D_2$}
+\end{tabular}
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+
+\begin{itemize}
+\item you have to ask something that cannot imitated
+ (requires \bl{$A$} and \bl{$B$} know each other)
+\item what happens if \bl{$m$} and \bl{$n$} are voice
+ messages?\bigskip
+
+\item the moral: establishing a secure connection from ``zero'' is
+almost impossible---you need to rely on some established
+trust\medskip
+
+\item that is why we rely on certificates, which however are
+badly, badly realised (just today a POODLE attack against SSL)
+
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
\frametitle{Protocols}
Some examples where ``over-the-air'' protocols are used:
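Review bot: on the new closing slide, `+\item you have to ask something that cannot imitated` is missing `be` (`cannot be imitated`), and `+\item that is why we rely on certificates, which however are` / `+badly, badly realised (just today a POODLE attack against SSL)` ties the slide to a specific lecture day: POODLE was disclosed in October 2014, so by the date of this change the phrase is already stale and will mislead future audiences; `(for example the POODLE attack against SSL)` keeps the point without the date. On the moved Key Fobs slide the bullets `either dismantling Megamos crypto,` / `or use the diagnostic port to program` are not parallel (`either dismantle` / `or use`), and the three blank lines before its `\end{frame}` can be collapsed to one.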
--- a/slides/slides06.tex Tue Oct 20 01:01:17 2015 +0100
+++ b/slides/slides06.tex Wed Oct 21 13:31:56 2015 +0100
@@ -33,28 +33,6 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Problems with Key Fobs}
-
-\begin{columns}
-\begin{column}[T]{4cm}
-\includegraphics[scale=0.4]{../pics/car-standard.jpg}
-\end{column}
-
-\begin{column}[T]{6cm}
-\begin{itemize}
-\item (I learned) jamming the closing
- signal
-\item relay signals\pause
-\item use the diagnostic port to program
- blank keys
-\end{itemize}
-\end{column}
-\end{columns}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
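Review bot: the Key Fobs frame removed here is re-added in slides05.tex, but the moved version drops the two bullets `-\item (I learned) jamming the closing` / `-\item relay signals\pause` and keeps only the diagnostic-port and Megamos points; if the jamming and relay items are no longer meant to be covered that is fine, otherwise they were lost in the move and should be carried across.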