Presentation is loading. Please wait.

Presentation is loading. Please wait.

Programming Satan’s Computer

Published byMarylou Cora Grant Modified over 9 years ago

Similar presentations

Presentation on theme: "Programming Satan’s Computer"— Presentation transcript:

1 Programming Satan’s Computer
Ross Anderson and Roger Needham Presented by Bert Bruce

2 Satan’s Computer Computer under the control of an inimical force
Can alter or intercept data Need to be able to detect when this happens

3 Overview Use of cryptography
Doesn’t mean there is security Doesn’t mean data is protected The key to security is overall system and protocol design

4 Examples Prepaid Smartcard Encoded the current value
Didn’t encode the rate Attacker can change the rate to be very low Then attacker gets much more for his money

5 Examples ATM Card Magnet stripe holds Account # and PIN (like name and password) Account # is embossed on card, so no point in encoding that PIN is encoded ATM machine reads Account # To verify, user must enter PIN that matches the one on the card

6 Examples ATM Card (cont.)
ATM doesn’t have table matching Account # and PIN Attacker can alter the Account # on the magnetic stripe and leave PIN alone Attacker doesn’t need to know encryption algorithm ATM machine accepts attackers valid PIN but uses altered Account # Correct Method: Account # and PIN should be encrypted together

7 Examples Hacking Pay-per-view TV Hardware includes
Authentication (Smartcard) Microcontroller Video decoder System can be hacked by Replacing any one of these Interposing attackers processor into one of the communications channels between these

8 Messaging Model C B A S S Attacker
Authentication or Certification Server

9 Wide Mouthed Frog Protocol
Uses symmetric encryption A wants to send to B using a short-lived encryption key S shares permanent keys with A and B: KAS and KBS A sends a timestamp, the name of the recipient (B) and the short-lived key to S (encrypted with KAS) S sends to B its own timestamp, the sender (A) and the key from A (encrypted with KBS)

10 Wide Mouthed Frog Protocol
Now A and B have the temporary key and can exchange messages After they are done, key should time out But attacker can keep the key alive with the hope of stealing either A or B’s hardware (e.g. Smartcard)

11 Wide Mouthed Frog Protocol
Attack method: C sends original message from S to B back to S This looks to S like a request to set up key with A, so S sets new timestamp C then intercepts message from S to A and sends it back to S, etc. This keeps the temporary alive for an indefinite time If C can get A or B’s cards, can then decrypt using the key

12 Challenge-Response Protocols
Use shared key Protocol: A tells B he wants to converse B sends random number back to A A encrypts and returns it B decrypts – if match, then B knows it came from A

13 Challenge-Response Protocol
Woo and Lam Variant A and B share keys with S, not each other B sends A’s name and encrypted message to S S decrypts A’s message and re-encrypts for B and sends it to B But if C starts communication with B at same time, can replace message from S to B regarding A with its own message Then B thinks C is A

14 Challenge-Response Protocol
Solution is to include encrypted names in the messages as well Then C can’t pretend to be A Moral: if identity of principal is essential to meaning of message, include the identity in the message Don’t assume identity just because of from where it appears to come

15 Digital Signatures Based on symmetric Public Key Encryption
Signer encrypts using private key Anyone can decrypt using the signer’s public key A signs message w/ private key and encrypts with B’s public key B decrypts message w/ private key and checks signature w/ A’s public key Redundant info in message can insure C hasn’t substituted his own message

16 Other Public Key Issues
C can post a public key and claim it is from A This means security is required in key management But even then, if names not included in messages, C can masquerade as someone else

17 Middle Person Attack C pretends to be someone else by passing encrypted messages unchanged C passes message to B as if from A B responds to A. C can’t decode, he just passes to A A responds to C thinking message is from C C decodes and re-encodes response to B with B’s public key Again needs names in messages to prevent

18 Protocol Verification Logics
Define logic rule language and apply to a protocol to attempt to find flaws Rules propagate assumptions/beliefs Either find flaw or can substantiate beliefs Several logics tried – results mixed One issue – do rules include “freshness” Public key methods are hard to formalize Most gain seems to come from formalization of protocol rather than automation

19 Some Robustness Principles
Be explicit – goals, assumptions, purpose Put identity in message if it essential to meaning of message A signature attached to an encrypted message means nothing Signer may know nothing of contents Don’t confuse decryption with signature – 1st can be faked, 2nd can’t Uniquely identify protocol; runs – don’t allow replays

20 Explicitness Principle
A cryptographic protocol should make any necessary naming, typing and freshness information explicit in its messages; designers must also be explicit about their starting assumptions and goals as well as any algorithm properties which could be used in an attack KISS doesn’t always work if simplicity removes vital information

21 Conclusions / Summary Programming a computer under malicious control is very difficult 2 possible approaches Formal methods Good rules of thumb Not necessary or sufficient – just useful Bottom line is be explicit More explicit ->can be more sure attacker has not intervened Possibly these principles apply to all programming Sometimes Murphy is as evil as Satan

Download ppt "Programming Satan’s Computer"

Similar presentations

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Interlock Protocol - Akanksha Srivastava 2002A7PS589.

Interlock Protocol - Akanksha Srivastava 2002A7PS589.
Authentication & Kerberos

Authentication & Kerberos
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.

Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Cryptographic Technologies

Cryptographic Technologies
Authenticated Key Exchange. Lecture Outline Example of how poor security design can cause problems Design Principles for building security protocols Key.

Authenticated Key Exchange. Lecture Outline Example of how poor security design can cause problems Design Principles for building security protocols Key.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

Similar presentations

Ads by Google