Tham khảo bài thuyết trình 'security protocols: they’re so not easy!', công nghệ thông tin, an ninh - bảo mật phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả | Security Protocols: They’re so NOT Easy! Lecture Motivation In the last lecture we looked at some high-level descriptions of key distribution and agreement schemes. These protocols cannot be used as they were stated. In implementation of the actual protocol, there are many situations one should be careful of. In this lecture, we will look at some common protocol failures that arise when trying to implement security protocols We will then look at some specific examples of security protocols Lecture Outline Some stories from the Dark Side Design Principles for building security protocols Key tools for building robust security protocols Naming Encryption Signing Timestamps and nonces Examples as we go Wide-Mouthed Frog Denning-Sacco Woo-Lam Needham-Schroeder We’ll end with a look at Kerberos Tales from the Dark Side of Security Prepayment in Electricity Meter Systems: Present a (purchased) digital token to a power meter. Digital token would convey an ID so it could not be duplicated . | Security Protocols: They’re so NOT Easy! Lecture Motivation In the last lecture we looked at some high-level descriptions of key distribution and agreement schemes. These protocols cannot be used as they were stated. In implementation of the actual protocol, there are many situations one should be careful of. In this lecture, we will look at some common protocol failures that arise when trying to implement security protocols We will then look at some specific examples of security protocols Lecture Outline Some stories from the Dark Side Design Principles for building security protocols Key tools for building robust security protocols Naming Encryption Signing Timestamps and nonces Examples as we go Wide-Mouthed Frog Denning-Sacco Woo-Lam Needham-Schroeder We’ll end with a look at Kerberos Tales from the Dark Side of Security Prepayment in Electricity Meter Systems: Present a (purchased) digital token to a power meter. Digital token would convey an ID so it could not be duplicated or forged Problem was that the rate information was not protected Bank Fraud: A bank would allow customers to present a bank card which had a PIN code encrypted and stored on the magnetic strip Teller had a copy of the encryption key and could check the PINs. Flaw in design: adversary could alter the account number on the card to someone else’s, while using his own PIN number he would check out ok but the money would be drawn from someone else’s account! Flaw in design: PIN number was not connected to account #. Tales from the Dark Side of Security, pg. 2 Pay-Per-View TV Hacks: Decoders are personalized with a smart card. Smart card cannot decrypt bulk content, so the bulk decryption is done on the decoder. Many decoders have a microcontroller which passes messages between the cryptoprocessor and the smart card Attackers can go in and modify or replace the microcontroller, or can introduce a PC between the decoder and the card in order to manipulate messages exchanged. Kentucky Fried