Why Cryptosystems Fail?

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

Why Cryptosystems Fail Nick Feamster CS 6262 Spring 2009.
Lecture 9 e-Banking. Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
ICT at Work Banking and Finance.
Crime and Security in the Networked Economy Part 4.
Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications.
Credit Cards. What are Credit Cards? Pre-approved credit which can be used for the purchase of items now and payment of them later.
Direct Attacks on Computational Devices
Chapter 10  ATM 1 Automatic Teller Machines. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
SECURITY Chapter 15 CNS Crackers "malicious computer users" Varying intentions and abilities What motivates people to break into computer systems?
Principles of Information Security, 2nd edition1 Cryptography.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
Chapter 9 Banking and Book keeping Protecting yourself from you.
Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.
Why Cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 김학봉.
CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz.
Why cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 1993 SSR Jiyeon Park.
Current Topics. Trends in Banking G & K Chps. 16, 17 & 18 G & K Chps. 16, 17 & 18 Financial Services Financial Services Electronic Banking Electronic.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.
Financial Transactions on Internet Financial transactions require the cooperation of more than two parties. Transaction must be very low cost so that small.
1 PIN Security Management and Concerns Susan Langford Sr. Cryptographer CACR Information Security Workshop.
(Usually have to be 18 years old to open & get ATM or debit card)
Presented By: Michael Munaco
AS Level ICT Selection and use of input devices and input media: Capturing transaction data.
3. 18 Methods of making and receiving payments Methods of making and receiving payments Banks and bank accounts  All businesses have bank accounts.
Banking: Checking Account What is a Checking Account? An account where money is deposited and kept for day-to-day expenses Also called demand deposit.
Banking:
Will You Ever Use Your ATM Again? Presented by: Bob Clary Carolyn McLellan Jane Mosher Karen Weil-Yates.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
Why Cryptosystems Fail Prepared by Geoffrey Foote CSC 593 Secure Software Engineering Seminar Spring Semester 2006 Instructors: Dr. Charles Frank Dr. James.
© 2014 CustomerXPs Software Pvt Ltd | | Confidential 1 Tentacles of Fraud #StarfishBanks CustomerXPs Software Private Limited.
1 Why Cryptosystems Fail Ross Anderson University Computer Laboratory Cambridge
Information Technology HARDWARE Dr. GUVEN Aerospace Engineer (P.hD) Nuclear Science and Technology Engineer (M.Sc)
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
CHAPTER 6 Cryptography. An Overview It is origin from the Greek word kruptos which means hidden. The objective is to hide information so that only the.
An Investigation into E-Commerce Frauds and their Security Implications By Kevin Boardman Supervisor: John Ebden 29 July 2004.
Cryptography, Authentication and Digital Signatures
CDP Standard Grade1 Commercial Data Processing Standard Grade Computing Studies.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
ECE Lecture 1 Security Services.
1 Boundary Control Chapter Materi: Boundary controls:  Cryptographic controls  Access controls  Personal identification numbers  Digital signatures.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Web Security : Secure Socket Layer Secure Electronic Transaction.
Eng. Hector M Lugo-Cordero, MS CIS4361 Department of Electrical Engineering and Computer Science February, 2012 University of Central Florida.
1 Hardware Security AbdelRahman abu_absah Teacher: Dr. Sanaa al_sayegh.
API-Level Attacks on Embedded Systems By Mike Bond and Ross Anderson “… by presenting valid commands to the security processor, but in an unexpected sequence,
CRYPTOGRAPHY PRESENTED BY : NILAY JAYSWAL BRANCH : COMPUTER SCIENCE & ENGINEERING ENTRY NO. : 14BCS033 1.
Why Cryptosystems Fail R. Anderson, Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993 Reviewed by Yunkyu Sung
Writing Secure Programs. Program Security CSCE Farkas/Eastman - Fall Program Flaws Taxonomy of flaws: how (genesis) when (time) where (location)
Computer Studies Today Chapter 2 1 » Payroll system » Mailing list system » Ticketing system » Point-of-sale system » Electronic funds transfer system.
Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.
EMV Operation and Attacks Tyler Moore CS7403, University of Tulsa Reading: Anderson Security Engineering, Ch (136—138), (328—343) Papers.
1 Chapter 10 Cash and cash equivalents. Overview 2 What we will be looking at: - What are “cash and cash equivalents”? - The bank account - Means of payment.
1 OPERATING SYSTEMS. 2 CONTENTS 1.What is an Operating System? 2.OS Functions 3.OS Services 4.Structure of OS 5.Evolution of OS.
SECURITY FEATURES OF ATM
ABYSS : An Architecture for Software Protection
Why Cryptosystems Fail Ross Anderson University Computer Laboratory
Why Cryptosystems Fail
WHY CRYPTOSYSTEMS FAIL
The KGB the Computer and Me
PNC Bank Student Banking
Presentation transcript:

Why Cryptosystems Fail? Ross Anderson Presented by Ananth Rajagopala-Rao

Motivation Designers of cryptosystems are at a disadvantage as compared to other engineers as they receive no feedback on their systems. Governments, banks and military are very secretive about their mistakes. The emphasis on research in cryptosystems today is misplaced because of this.

Case Study – ATM systems In USA, banks are required to reimburse all disputed transactions unless they can prove a fraud by the customer, as a result banks lose approx. $15,000 a year. In the UK, there have been several accusations of fraud by banks which later turned out to be clerical errors.

How ATM fraud takes place Most cases till 1994 were extremely simple, nobody used any cryptanalysis or other advanced techniques. A design goal of the the ATM system is that any fraud requires the cooperation of a minimum of two persons, most frauds indicate elementary design flaws that violate this goal.

How ATM works? The account no and the an offset is stored on the card. The PIN is a cryptographic function of the a/c number + the offset stored on the card. The management of the keys for this cryptographic function is where a lot of problems arise. If we know the PIN key Given any card we can figure out the PIN. We can forge ATM cards with cheap off the shelf hardware.

Problems with encryption products All hardware that stores important keys must be physically tamper resistant. Of the 10,000 member banks of VISA and Mastercard, only about 1,000 have invested in such hardware. All these security modules are manufactured by IBM, and the IBM manual actually tells how any programmer can recover the keys for debugging purposes!!!

Problems with encryption products (cont.) Key entry into these security modules is through obsolete IBM 3178 serial terminals. The key is usually distributed between two high ranked officials in the bank. These officials are mostly reluctant to use a keyboard, and simple give the key to the technician. Even if they do type it in, they use emulation s/w on the service technicians laptop, which can record the key strokes.

Problems with practices of banks Some banks subcontract their ATM system to ‘facilities management’ firms. No back officials have any idea about the security implications of this. Most keys are exchanged in open correspondence. Some banks place the encryption module inside the branch, and transmit PINs in plaintext to ATMs. Point of sale systems at stores??

The threat model is wrong Designers concentrate on what possible to happen than on what is likely to happen. We overestimate the sophistication of both the users of the cryptosystem as well as that of the attacker. Grossly underestimate “internal” threats. Hangover from military applications, DOD funding, WW II etc. where the entities in question are nations??

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.