Presentation is loading. Please wait.

Presentation is loading. Please wait.

Why Cryptosystems Fail

Published bySteven Atkins Modified over 6 years ago

Similar presentations

Presentation on theme: "Why Cryptosystems Fail"— Presentation transcript:

1 Why Cryptosystems Fail
Review by Jesper Hansson Falkenby

2 Why I chose this paper A big statement that caught my attention
The paper is interesting from a cryptographic point of view But equally interesting from a distributed systems point of view Insight on cryptographic systems from a 20 year old paper’s perspective

3 Outline Paper background What the paper is really about
Simple & sophisticated ATM fraudsATM encryption Encryption hardware Security modules Quality control Key management Security threats Banking security philosophy & implications What the paper is trying to tell us The future & proposed solutions The current Personal thoughts Conclusions

4 Paper background – The author
Ross Anderson Professor of Security Engineering Research includes: Psychology of information security Reliability of security systems Peer-to-peer systems Cryptanalysis Information hiding Privacy issues …and more! The paper was written for more than 20 years ago by Ross Andersson at the University of Cambridge. Ross still works at the same university in the same laboratory, he is still researching about Cryptographic topics, but has adjusted to the more modern technology era, such as mobile phones and peer-to-peer networks.

5 Paper background – Context
Written in 1994 at the computer laboratory of University of Cambridge This was a time when the Internet was becoming a thing A time when (in the U.S.) the government regulated the market of cryptography Every cryptographic system should essentially leave a backdoor for ’trusted’ 3rd party governmental entities Cryptographic systems were mostly prevalent in classified governmental entities

6 So what is the paper about?
Cryptographic systems were also prevalent in banking ATMs So, the focus is thus on traditional banking ATMs Offline ATMs Online ATMs (Networked) Real-world examples of ATM frauds Simple frauds Sophisticated frauds Offline ATM: ATM tied to a specific bank Online ATM: ATM tied to multiple banks

7 Simple ATM frauds – Banking staff
Authorized banking staff abusing their inside knowledge Bank clerks duplicating client cards Technical staff installing listening devices on ATMs

8 Simple ATM frauds – Technical errors
Attackers record unencrypted authorisation responses from ATM machines An unencrypted ’pay’ response from the bank to the machine can thus be imitated, effectively emptying the machine Imitate previously inserted bank card by using a telephone card An attacker would spy on the customer in front, record their PIN and then use a telephone card, thus fooling the machine the same card has been inserted again Yes, this has happened! Testing features still usable while in production Sending new clients banking information through unsafe postal deliveries Attackers installing false terminals and card readers Still very prevalent today!

9 Simple ATM frauds – PIN code schemes
Four-digit PINs are potentially diverse enough to eliminate random guessing, some banks implement weaker PIN schemes, such as: Offline ATMs without full encryption capability Storing your PIN code with a simple ciphering scheme My PIN is 2256, I think of the word ”blue” and store it in the following table: 1 2 3 4 5 6 7 8 9 W B R T Y U I S L J N M K H F A E X G P O

10 Sophisticated ATM frauds
Attacks that exploit subtle technical weaknesses, rather than trivial implementation errors Assumes the targets are error-free Attackers are highly skilled, skills that are often only found in government and military agencies Attackers have high-tech technology equipment mostly only found in the same type of agencies as above

11 ATM encryption – Context
When the paper was written, most ATMs were based on some variants of systems developed by IBM IBM essentially controlled the ATM market DES was the widely accepted and standard encryption algorithm used DES: Data encryption standard

12 ATM encryption – Behind the scenes
A natural PIN is derived from the customer’s account number by using DES To produce the final customer PIN, an offset is used on the natural PIN Account number PIN key FEFEFEFEFEFEFEFE DES result A2CEI26C69AEC82D Decimalised result Natural PIN 0224 Offset 6565 Final (customer) PIN 6789

13 ATM encryption – PIN key secrecy
The problem lies in how to securely store the PIN key The PIN key is usually the encrypted result of a terminal key A combination of two independent printed components The terminal key is manually inputed into the ATM machine So far so good… (for offline ATMs)

14 ATM encryption – Networking complexity
Customers of other banks want to use the same ATM PINs unknown to this bank will thus have to be encrypted Solve this by using working keys The PINs are then decrypted and encrypted using these working keys But, then we also have to encrypt the working keys! Solve that by letting banks set up zone keys and share with other banks Use the zone keys to encrypt working keys that are unique for each day

15 ATM encryption – Networking complexity
So many keys, so little time! ATMs have to communicate with multiple banks Banks have to securely store multiple keys The keys also have to be available at all times for authorization purposes PIN keys for transactions (Very frequent access!) Terminal keys & zone keys (Not so much)

16 Encryption hardware – The IBM monopoly
Banks were basically forced to buy hardware solutions by IBM Banks could potentiall have security modules that even were unable to talk to their terminals! Banks considered using homebrew encryption software instead Could potentially lead to a lot of security holes! The programmer might misuse his or her knowledge and capability Banks also considered emulating hardware in software The emulators often logged every transaction made Maybe you can guess why this is bad

17 Security modules Prevents banking staff and programmers from getting hold of the keys used in the encryption processes They usually have physical keys, only available to highly authorized people such as the manufacturers and maintenance engineers Protected from hardware tampering by having wires connected to switches Easily circumvented by the maintenance engineers Have to have their own master keys for internal use Transferring control of zone and terminal keys from one module to another would require the use of a master key A backup of these keys are commonly stored in PROM chips

18 Quality control Banks integrate not-so-secure security products all the time Lack of expertise How to tell the good from the bad? How do we test the security of some product? Modules might have trapdoors left in them Working keys might use weak encryption Using a day-of-time clock leaves us only with 20 bits of diversity There would be duplications after generating 1,000 keys

19 Quality control – Not the biggest problem
Even the most secure of security products require careful implementation Return codes might not be properly handled A return code could tell whether or not someone is experimenting with the product Banks have key management issues There are cases were banks share PINs with other banks Even cases were PINs are shared to external firms

20 Key management Banks might share their PINs to other banks
Or even to other 3rd party entities! How do we trust the other partner handle the keys in a safe way? At terminal key generation, one can get hold of the two components used Usually the ’trusted’ maintenance engineer Keys might even openly be stored in correspondence files

21 The security threats doesn’t really lie in weak cryptographic algorithms…
Banks cut corners every day to get the job done Actual cryptanalysis is less of a problem… …but banks (at the time) still used weak homebrew encryption algorithms But even when robust algorithms were used a naïve programmer could implement it using weak parameters This is still not the most problematic area

22 The banking security philosophy
No fraud should be possible without the cooperation of two or more banking staff Prone to faulty implementation Prone to corrupt administration The customer usually has no say in the security of faulty ATM operations Central records of customer complaints are usually not recorded So how do we properly monitor frauds? A banking employee without a moral compass might get away with frauds very easily Who would suspect the employee? Would this ever go public?

23 The implications of this philosophy
The number of faulty ATM operations are hard to quantify Banks are pressured into being a fault-free organization Pressure from press and courts One mistake could lead to shutdown or dramatic changes So why would they publicise faulty operations, improper implementations or corrupt staff?

24 What this paper is trying to tell us
The threat model was wrong all along! Designers concentrated on the wrong thing What could possibly happen, rather than what would be likely to happen Designers assumed the banks would have the expertise necessary to implement the security models they produced and sold If the bank didn’t, they assumed expert consultants would be called in ATM security faces a number of different problems Internal fraud External fraud Handling disputes in a fair way

25 The future (from a 90’s perspective)
To be able to deal with the problems ahead, a change in focus has to be made Security businesses have to shift from shipping ’evaluated and certified’ products, to pressure the clients to adopt quality control procedures Change focus by adopting other models used outside the security business Safety-critical systems used in hospitals Or the control systems used in nuclear reactors

26 What is proposed The paper mentions very basic, but fundamental points security systems would have to follow: All failure modes should be clearly listed in the specification The specification should list the prevention strategies used, and also the likelihood of these failure modes to happen In detail, specify how these strategies are implemented For all components of such system, specify what would happen if it suddenly fails By certifiying a product, it should be included to test whether or not it is possible to operate it under the specified skill level

27 But there are other ways to follow…
Railway signalling systems Automatisation to the point where the train operator has little to no purpose Aircraft systems Pilots still have very much control, regardless of the complexity of the systems It basically comes down to reductionist versus holist approaches

28 The current (from a 2015’s perspective)
Most problems mentioned in this paper is still prevalent to this day, in some way or another The problem area has expanded Online banking frauds Smartphone authentication Phishing & computer viruses Highly distributed attacks (Could be caused by viruses, i.e. botnets) Supercomputers (quantum computers) beating encryption algorithms Ok… maybe not.

29 Conclusion Most security failures are actually caused by implementation and management errors Cryptanalysis should not have been the main concern Software engineering principles would become more and more prevalent in banking security development The same questions remain Automatisation or manual management? Control or facilitate? Monolithic systems or diverse architectures?

30 My thoughts about the paper
Everyone who wants to gain an insight into the world of banking security should read this paper The paper is very brief, but to the point More detailed explanations are often referenced when needed Regardless of how old it might be, it is still applicable to some extent into the current technology era

31 Questions?

Download ppt "Why Cryptosystems Fail"

Similar presentations

Why Cryptosystems Fail Nick Feamster CS 6262 Spring 2009.

Why Cryptosystems Fail Nick Feamster CS 6262 Spring 2009.
Chapter 10  ATM 1 Automatic Teller Machines. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of.

Chapter 10  ATM 1 Automatic Teller Machines. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of.
Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.

Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.
Why Cryptosystems Fail?

Why Cryptosystems Fail?
Why Cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 1993 2010-20784 김학봉.

Why Cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 김학봉.
Why cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 1993 SSR Jiyeon Park.

Why cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 1993 SSR Jiyeon Park.
Computers: Tools for an Information Age

Computers: Tools for an Information Age
Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.

Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Copyright © 2003 by Prentice Hall Computers: Tools for an Information Age Chapter 14 Systems Analysis and Design: The Big Picture.

Copyright © 2003 by Prentice Hall Computers: Tools for an Information Age Chapter 14 Systems Analysis and Design: The Big Picture.
1 3 Computing System Fundamentals 3.4 Networked Computer Systems.

1 3 Computing System Fundamentals 3.4 Networked Computer Systems.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Why Cryptosystems Fail Prepared by Geoffrey Foote CSC 593 Secure Software Engineering Seminar Spring Semester 2006 Instructors: Dr. Charles Frank Dr. James.

Why Cryptosystems Fail Prepared by Geoffrey Foote CSC 593 Secure Software Engineering Seminar Spring Semester 2006 Instructors: Dr. Charles Frank Dr. James.
1 Why Cryptosystems Fail Ross Anderson University Computer Laboratory Cambridge

1 Why Cryptosystems Fail Ross Anderson University Computer Laboratory Cambridge
Is Your Company Security Aware? Presented By: Brian Picard GSEC.

Is Your Company Security Aware? Presented By: Brian Picard GSEC.
John Carpenter 2008 702904 & 711908 lecture - 01 1 702904 & 711908 Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.

John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.
Decimalisation Table Attacks for PIN cracking “ It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000.

Decimalisation Table Attacks for PIN cracking “ It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000.

Similar presentations

Ads by Google