added new slides
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Tue, 22 Oct 2013 12:35:11 +0100 (2013-10-22)
changeset 120 99d408cfcfb3
parent 119 0cea882f03c7
child 121 01f7e799e6ce
Binary file slides/slides04.pdf has changed
--- a/slides/slides04.tex	Tue Oct 22 12:10:01 2013 +0100
+++ b/slides/slides04.tex	Tue Oct 22 12:35:11 2013 +0100
@@ -619,6 +619,71 @@
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{Public-Key Infrastructure}
+\item the idea is to have a certificate authority (CA)
+\item you go to the CA to identify yourself
+\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
+\item CA must be trusted by everybody
+\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign 
+explicitly limits liability to \$100.)
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{Binding Attacks}
+with public-private keys it is important that the public key is \alert{bound} 
+to the right owner (verified by a certification authority \bl{$CA$})
+\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
+\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
+\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
+in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
+\frametitle{Binding Attacks}
+\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
+\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
+\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
+\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
+(which happily decrypts them with its private key)
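Review bot: The claim on the "Binding Attacks" slide that A "can verify the message came from CA" is not supported by the message structure shown: `CA, {CA, A, N_A, K^{pub}_{B}}_{K^{pub}_{A}}` is encrypted under A's public key, which anyone (including I) can use, so it provides confidentiality to A but no origin authentication of CA. The attack on the following slide works precisely because of that, and because the reply omits the name of the principal whose key it carries, so A cannot tell that K^{pub}_{I} rather than K^{pub}_{B} came back. Suggest the slide say that CA must sign the binding and include B's name explicitly, e.g. `CA -> A : {CA, A, B, N_A, K^{pub}_{B}}_{K^{priv}_{CA}}`, which also ties in with the later "make everything explicit" slide. Minor: the PKI slide says "certificate authority" while this one says "certification authority"; pick one term.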
@@ -669,6 +734,148 @@
 talks to \bl{$B$} masquerading as \bl{$A$}
+The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):
+\begin{tabular}{r@ {\hspace{1mm}}l}
+\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
+\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
+\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
+\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
+but nothing is for free: then you need to synchronise time and possibly become a victim to
+timing attacks
+\frametitle{Changing Environment Attacks}
+\item all protocols rely on some assumptions about the environment
+(e.g., cryptographic keys cannot be broken)\bigskip\pause
+\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not
+\item when it got expensive, some people bought cheaper monthly tickets for a suburban 
+station and a nearby one, and one for the destination and a nearby one
+\item a large investment later all barriers were automatic and tickets could record state
+\item but suddenly the environment changed: rail transport got privatised creating many 
+competing companies
+potentially cheating each other
+\item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots
+\item apart from bad outsiders (passengers), you also have bad insiders (rail companies)
+\item chaos and litigation ensued
+A Man-in-the-middle attack in real life:
+\item the card only says yes or no to the terminal if the PIN is correct
+\item trick the card in thinking transaction is verified by signature
+\item trick the terminal in thinking the transaction was verified by PIN
+\frametitle{Problems with EMV}
+\item it is a wrapper for many protocols
+\item specification by consensus (resulted unmanageable complexity)
+\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some 
+further parts are secret
+\item other attacks have been found
+\item one solution might be to require always online verification of the PIN with the bank
+\frametitle{\begin{tabular}{@{}c@{}}Problems with WEP (Wifi)\end{tabular}}
+\item a standard ratified in 1999
+\item the protocol was designed by a committee not including cryptographers
+\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
+\item WEP did not allocate enough bits for the nonce
+\item for authenticating packets it used CRC checksum which can be easily broken
+\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
+\item encryption was turned off by default
+\frametitle{Protocols are Difficult}
+\item even the systems designed by experts regularly fail\medskip
+\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
+\item the one who can fix a system should also be liable for the losses\medskip
+\item cryptography is often not {\bf the} answer\bigskip\bigskip  
+logic is one way protocols are studied in academia
+(you can use computers to search for attacks)
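Review bot: The protocol name in the first added line is reversed; it is the Needham-Schroeder protocol, and the timestamp fix shown (`{K_{AB}, A, T_S}_{K_{BS}}` inside the ticket) is the Denning-Sacco variant adopted by Kerberos, which is worth naming. The caveat "possibly become a victim to timing attacks" is misleading, since timing attacks usually means side-channel attacks on implementations; the actual cost of timestamps is clock synchronisation and a replay window equal to the clock skew the recipient tolerates, so suggest "replay within the accepted clock-skew window". Two layout problems in the "Changing Environment Attacks" slide: the bullet "rail transport was cheap, so fraud was not" ends mid-sentence, and "potentially cheating each other" sits outside any `\item` and will render as loose text. On the WEP slide, the CRC point would be clearer as "CRC-32 is linear, so an attacker can modify a packet and adjust the checksum without knowing the key", "packages" should be "packets", and "Wifi" should be "Wi-Fi" (the `\begin{tabular}` wrapper in that frametitle is unnecessary for a one-line title). Grammar: "specification by consensus (resulted unmanageable complexity)" wants "resulted in".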