Why cryptosystems fail
======================

How does the ATM PIN security system work?

  IBM scheme:
    Bank encrypts the account number with a 'PIN key'
    The encrypted account number, decimalized, gives the 'natural PIN'
    The actual PIN is stored as an offset from the natural PIN
      (so the stored offset is not secret by itself; the secret is the PIN key)

  How are keys distributed to ATM machines?
    - Each ATM machine has a 'terminal key'
    - Two people carry the terminal key in two parts and manually input it
    - The PIN key can then be sent encrypted under the terminal key

  How secure is this?
    - The PIN key must be kept very secure
    - What if a PIN and its natural PIN are compromised? Can't recover easily:
      the natural PIN is a function of the PIN key and the account number, so
      changing the customer's PIN only changes the (non-secret) offset

  Inter-bank scheme:
    ATM encrypts the PIN with a 'working key' and sends it to its own bank
    That bank decrypts the PIN, re-encrypts it with the other bank's key, sends it on
      (so the PIN is in the clear inside every intermediate bank's system)
    Have to distribute working keys between banks -- done using a shared 'zone key'

  What problem is this system solving? [snoopers on the communications link]

What is the intended policy of the ATM system?
  No systematic fraud should be possible without collusion of two employees
  Don't allow more than 3 guesses at a PIN

What were the actual attacks?
  - Observe PINs, pick up receipts with account numbers
  - "Jackpotting" an ATM machine
  - Software bug (machine treats a telephone card like the previous ATM card)
  - Postal interception
  - Testing back doors left in the system
  - Fake ATM machines
  - Change of address, new card issued
  - Operators hack ATM hardware to gather PINs
  - Programmers can find out the keys
  - Programmer arranges for all PINs to be the same

What does the system design not solve?
  Getting the PIN securely to the customer
  Securing the PIN along its entire path (i.e., while it is being typed)
  Minimizing the number of trusted people -- or even identifying who is trusted
  Audit -- what actually happened? Cameras. Change of address.

Would you rather open an account at a bank that admitted it was not very safe,
or at a bank which claimed perfect safety?

What are the UK banks' apparent goals?
  [not security at all! liability, or the *image* of safety]
What are the customers' goals? Perfect safety? Or to know what actually
happened to their account?
  [Which requires admitting the system isn't safe.]
Does that have anything to do with crypto?
Do these goals conflict? Which would you prefer?
How to make the banks' and customers' goals coincide better?
  [put the burden of proof on the banks, as in the US]

Why don't we see these kinds of problems with credit cards?
  Surely much weaker even than the PIN system!
How much would a smart-card system help? How much money would you be willing
to spend on it? Or on any better high-tech security scheme?

Discussion: What went wrong?
  Mostly NOT weaknesses in the crypto
  Equipment vendors assumed customers would have the expertise to build systems
    Plus, even when they didn't, what vendor wants to insult the customer?
  Many security people recruited from the military
    Emphasis on security -- in particular PIN security -- rather than on the
    whole system
  Lack of competence in the people deploying the system
    E.g., dual controls abolished to "save" money
  High turnover (once the system is built, competent engineers get bored)
  Hard to tell competent security consultants from incompetent ones
    Incompetent consultants from big-name consulting agencies
  What skills are needed to solve this kind of problem?
  In the UK, liability was placed on the wrong party, which distorted incentives

How do people build safety-critical systems?
  - List all possible failure modes
  - Document how each possible failure is addressed
  - Detail these solutions to the failure modes
  - Make sure the system will be secure when operated by real users!

Two approaches to safety-critical systems: rail vs. aviation
  Rail:
    - Multiple redundant interlocks
    - Base safety on a small hardware/software kernel
    - System is in control -- the operator can fall asleep and the train will stop
  Avionic:
    - Constant feedback and improvement
    - Include users in the feedback loop -- many levels of pilot's license
    - User is ultimately in control
  Which is better?
    Rail compared to old centrally planned communist systems
    Avionic better for heterogeneous networks with many policies

Discussion: How would you build an ATM network today?
  First, use public key cryptography!
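The IBM natural-PIN/offset scheme and the three-guesses rule from the start of these notes, worked through as an added example. This is illustrative Go written for these notes, not IBM's or any bank's code. Single DES from Go's standard library plays the cipher under the PIN key, as in the scheme; the decimalization table (0-9 unchanged, A-F to 0-5), the padding of the account number to 16 hex digits with 'F', and the key, account number and PIN values are all assumptions made for the example.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Decimalization table: hex digit i of the DES output becomes decTable[i]. The
// notes only say the block is "decimalized"; this table is an assumption.
const decTable = "0123456789012345"

// naturalPIN = first pinLen digits of decimalize(E_PINkey(account)). The PIN
// key is the only secret: whoever holds it can re-derive every customer's
// natural PIN. Assumption: DES input is the account digits padded with 'F' to 16.
func naturalPIN(pinKey []byte, account string, pinLen int) (string, error) {
	if pinLen < 1 || pinLen > 16 {
		return "", errors.New("PIN length must be 1..16")
	}
	blk, err := des.NewCipher(pinKey) // single DES, as in the scheme described
	if err != nil {
		return "", err
	}
	digits := strings.ReplaceAll(account, " ", "")
	if len(digits) > 16 {
		digits = digits[:16]
	}
	in, err := hex.DecodeString(digits + strings.Repeat("F", 16-len(digits)))
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	blk.Encrypt(out, in)
	var b strings.Builder
	for _, h := range hex.EncodeToString(out)[:pinLen] {
		b.WriteByte(decTable[strings.IndexRune("0123456789abcdef", h)])
	}
	return b.String(), nil
}

// pinOffset is the digit-wise (pin - natural) mod 10: the value the bank
// stores. It is not secret on its own, but natural PIN + offset = PIN.
func pinOffset(natural, pin string) (string, error) {
	if len(natural) != len(pin) {
		return "", errors.New("PIN length does not match natural PIN")
	}
	out := make([]byte, len(pin))
	for i := range pin {
		if pin[i] < '0' || pin[i] > '9' {
			return "", errors.New("PIN must be decimal digits")
		}
		out[i] = byte('0' + (int(pin[i]-'0')-int(natural[i]-'0')+10)%10)
	}
	return string(out), nil
}

// verifyPIN re-derives the natural PIN, adds the stored offset digit-wise,
// and compares with the entered PIN in constant time.
func verifyPIN(pinKey []byte, account, offset, entered string) (bool, error) {
	nat, err := naturalPIN(pinKey, account, len(offset))
	if err != nil {
		return false, err
	}
	expected := make([]byte, len(offset))
	for i := range offset {
		expected[i] = byte('0' + (int(nat[i]-'0')+int(offset[i]-'0'))%10)
	}
	return subtle.ConstantTimeCompare(expected, []byte(entered)) == 1, nil
}

// Account is what the bank keeps per card.
type Account struct {
	Number, Offset string
	Failures       int // enforces the notes' "no more than 3 guesses at a PIN"
}

// TryPIN checks one attempt and refuses any further attempt after 3 failures.
func (a *Account) TryPIN(pinKey []byte, entered string) (bool, error) {
	if a.Failures >= 3 {
		return false, errors.New("card retained: too many PIN attempts")
	}
	ok, err := verifyPIN(pinKey, a.Number, a.Offset, entered)
	if err != nil {
		return false, err
	}
	if !ok {
		a.Failures++
	}
	return ok, nil
}

func main() {
	key := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // placeholder key
	nat, _ := naturalPIN(key, "4000 1234 5678 9010", 4)          // constructed account
	off, _ := pinOffset(nat, "1234")
	fmt.Printf("natural PIN %s, stored offset %s\n", nat, off)
}
```

Note what the PIN key protects and what it does not: the offset can sit on the card or in a database in the clear, because without the natural PIN it says nothing. The flip side is the recovery problem the notes raise: if the natural PIN leaks, a customer-chosen PIN change only moves the offset, and the only real remedies are a new PIN key (re-deriving every customer's offset) or a new account number.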
Analysis of an Electronic Voting System
=======================================

What are the goals of our election systems?
  Anonymity of a voter's ballot
    - Must be no way for someone to find out how you voted
    - Must be no way for you to prove to someone else how you voted
      Why? (Otherwise you could sell your vote / be blackmailed)
  Tamper resistance
    Should prevent ballot stuffing, changing/deleting votes, etc.
    Attacks could be by insiders or outsiders
  Human factors (avoid fiascos like the Palm Beach butterfly ballot)

What is a DRE system?
  Direct recording electronic -- eliminates paper ballots

How are such voting machines certified?
  Very dubious process -- very little public information
  (Note that in Nevada, public gambling machines have much stricter standards)

How does the Diebold voting machine work?
  Setup
    Must load in a ballot definition file, election.edb
      Includes names of candidates, parties, etc.
      Also includes PPP passwords, phone numbers, etc.
    Distributed on floppies, over the network, Internet, phone line, etc.
  Voting
    Voter checks in and gets a voter card (smart card)
      When checking in, the poll worker programs the card
      Card may include information like party affiliation in a primary
    Machine shows the ballot to the voter, who makes selections
    Machine "cancels" the smart card, so the voter can't vote multiple times
  Reporting
    Votes recorded to local disk and to flash memory
    Can end the election with an "ender" or administrative smart card
    Can take results from the flash card, or transmit over phone/network

What went wrong?
  Smart cards did not use cryptography
    No authentication of smart cards
      If you know the right information, just make your own smart card
      Only thing you really need is the m_VCenter value
        Which you can infer from other polling locations
        Or give your own card to the poll workers and keep the legitimate card
          Your card could record how it is programmed, report to a collaborator
        Or by a literal man-in-the-middle attack, using a stolen voter card
    Replay attacks
      Can also vote multiple times
      E.g., program your card to ignore the reset command
        (just one byte says whether the smart card has already been voted)
      Is the voter serial number a problem?
        No replay detection; only stored for invalid votes, so you can vote again
    Accessing administrator functionality
      Just one byte makes the card an administrator card
      Card sends its PIN in cleartext to the terminal
        So you can program your own PIN into the card
        Or just look at the card output to see the PIN
  Attacks on recorded votes
    Data supposedly stored on the smart card, but the system doesn't detect a missing card
    Votes probably not transmitted over the network securely
  Configuration information can be tampered with
    Ballot count is just stored in a file -- can overwrite it
    Ballot definition could be tampered with
      Could invert results, as the machine records only the selection #, not the candidate
    If ballot definitions are downloaded over the network, possibly no integrity check
    Could impersonate a voting machine when reporting totals to the back end
  Crypto for votes is totally broken:
    Encrypted with DES in CBC mode, with a 0 IV, & a plaintext CRC
    DES is a weak cipher (56-bit key, brute-forceable)
    Key is hardcoded in the program -- so nothing is really secret
    IV always 0, so encryption is deterministic: identical ballots give identical ciphertext
    Plaintext CRC leaks information on the contents of the ballot
    Plus, votes sent over the network in order, so can figure out people's votes
    Randomization happens too late, and uses a broken PRNG
  Audit logs not kept reliably (just prints a message if there is no printer)
  Could also DoS machines to delay the start of an election
  Software engineering issues
    Third-party code is part of the TCB (WinCE, as well as the fmod audio library)
    Comments indicate known problems

How could these problems be avoided/mitigated?
  With a voter-verified audit trail -- why does this work?
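The vote-record encryption described under "Crypto for votes is totally broken", reconstructed as an added Go example (written for these notes, not Diebold's code) so that two of the failures can be seen directly: a zero IV with a hard-coded key makes identical ballots encrypt to identical ciphertext, and a CRC of the plaintext stored beside the ciphertext lets anyone confirm a guessed ballot without the key. A hardened variant (random IV, encrypt-then-MAC) follows for contrast. Assumptions made here: the key bytes, the ballot record format, PKCS#7 padding, and CRC-32 (the notes do not say which CRC the machine used). DES is used in both variants only so the comparison is like-for-like.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash/crc32"
)

// pad applies PKCS#7 padding to DES's 8-byte block.
func pad(b []byte) []byte {
	n := 8 - len(b)%8
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// WeakRecord models the scheme in the notes: DES-CBC, all-zero IV, hard-coded
// key, and a CRC of the plaintext kept in the clear beside the ciphertext.
type WeakRecord struct {
	CRC        uint32 // CRC-32 here; the notes do not say which CRC was used
	Ciphertext []byte
}

func weakEncrypt(plaintext []byte) WeakRecord {
	// Placeholder for the key compiled into the binary (value made up here).
	blk, _ := des.NewCipher([]byte("examplek"))
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	iv := make([]byte, des.BlockSize) // always zero: same ballot, same ciphertext
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return WeakRecord{CRC: crc32.ChecksumIEEE(plaintext), Ciphertext: ct}
}

// guessBallot shows what the plaintext CRC leaks: with a small candidate list,
// anyone holding the record can confirm a guessed ballot without the key.
func guessBallot(rec WeakRecord, candidates [][]byte) []byte {
	for _, c := range candidates {
		if crc32.ChecksumIEEE(c) == rec.CRC {
			return c
		}
	}
	return nil
}

// sealRecord is the contrast: a fresh random IV per record and an HMAC-SHA256
// tag over IV||ciphertext (encrypt-then-MAC) under a separate key.
func sealRecord(encKey, macKey, plaintext []byte) ([]byte, error) {
	blk, err := des.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(append(iv, ct...)), nil // iv || ct || tag
}

// openRecord checks the tag before decrypting, so a modified record is rejected.
func openRecord(encKey, macKey, rec []byte) ([]byte, error) {
	if len(rec) < 2*des.BlockSize+sha256.Size || (len(rec)-sha256.Size)%des.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	body, tag := rec[:len(rec)-sha256.Size], rec[len(rec)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("tag mismatch: record was modified")
	}
	blk, err := des.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-des.BlockSize)
	cipher.NewCBCDecrypter(blk, body[:des.BlockSize]).CryptBlocks(pt, body[des.BlockSize:])
	n := int(pt[len(pt)-1]) // strip PKCS#7 padding
	if n < 1 || n > des.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

func main() {
	ballot := []byte("race=1;selection=2") // constructed ballot record
	a, b := weakEncrypt(ballot), weakEncrypt(ballot)
	fmt.Println("same ciphertext:", bytes.Equal(a.Ciphertext, b.Ciphertext))
	fmt.Printf("recovered via CRC: %q\n", guessBallot(a, [][]byte{[]byte("race=1;selection=1"), ballot}))
}
```

The weak variant fails in two independent ways: confidentiality (a zero IV and a key that anyone holding the program has) and integrity (a CRC is a checksum, not a MAC, and computed over the plaintext it doubles as a ballot oracle). The hardened variant fixes both with a random IV and a keyed tag that is verified before any decryption; a real deployment would replace DES-CBC with an AEAD such as AES-GCM, but the structural lesson is the same.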