Why Cryptosystems Fail? - PowerPoint PPT Presentation

Slides: 10
Provided by: anan8

Transcript and Presenter's Notes

Title: Why Cryptosystems Fail?


1
Why Cryptosystems Fail?
  • Ross Anderson
  • Presented by Ananth Rajagopala-Rao

2
Motivation
  • Designers of cryptosystems are at a disadvantage
    as compared to other engineers as they receive no
    feedback on their systems.
  • Governments, banks and military are very
    secretive about their mistakes.
  • The emphasis on research in cryptosystems today
    is misplaced because of this.

3
Case Study: ATM systems
  • In the USA, banks are required to reimburse all
    disputed transactions unless they can prove
    fraud by the customer; as a result, banks lose
    approx. 15,000 a year.
  • In the UK, there have been several accusations of
    fraud by banks which later turned out to be
    clerical errors.

4
How ATM fraud takes place
  • Most cases until 1994 were extremely simple;
    nobody used any cryptanalysis or other advanced
    techniques.
  • A design goal of the ATM system is that any
    fraud requires the cooperation of a minimum of
    two persons; most frauds indicate elementary
    design flaws that violate this goal.

5
How ATM works?
  • The account number and an offset are stored on
    the card.
  • The PIN is a cryptographic function of the a/c
    number and the offset stored on the card.
  • The management of the keys for this cryptographic
    function is where a lot of problems arise.
  • If we know the PIN key:
  • Given any card we can figure out the PIN.
  • We can forge ATM cards with cheap off the shelf
    hardware.
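
The dependence on the PIN key described in slide 5, as an added example that is not part of the original slides: a minimal offset-style PIN check in which the card carries only the account number and the offset. The decimalisation table, the digit-wise offset arithmetic, the function names and the use of HMAC-SHA256 in place of the bank's cipher are assumptions; the key and account number are constructed.

```python
import hashlib
import hmac

# Assumption: hex digits of the keyed output are mapped to decimal digits.
DECIMALISATION = "0123456789012345"


def natural_pin(pin_key: bytes, account_no: str, length: int = 4) -> str:
    """Derive the 'natural' PIN from the account number under the PIN key.
    HMAC-SHA256 is a stand-in for the cipher, which the slides do not name."""
    digest = hmac.new(pin_key, account_no.encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALISATION[int(h, 16)] for h in digest[:length])


def offset_for(pin_key: bytes, account_no: str, chosen_pin: str) -> str:
    """Offset written to the card so that the customer's chosen PIN verifies."""
    nat = natural_pin(pin_key, account_no, len(chosen_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def verify_pin(pin_key: bytes, account_no: str, offset: str, entered: str) -> bool:
    """Check as it would run inside the security module: recompute, compare."""
    nat = natural_pin(pin_key, account_no, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered)


if __name__ == "__main__":
    # Constructed sample values, not real card data.
    pin_key = b"constructed-demo-pin-key"
    account = "4000001234567899"
    offset = offset_for(pin_key, account, "4821")
    print("card stores:", account, offset)  # neither field is secret
    print("correct PIN:", verify_pin(pin_key, account, offset, "4821"))
    print("wrong PIN:  ", verify_pin(pin_key, account, offset, "4822"))
    # The same card data checked under a different key almost certainly fails:
    # the PIN key is the only secret the whole scheme rests on.
    print("other key:  ", verify_pin(b"another-key", account, offset, "4821"))
```

Nothing on the card is secret in this model, which is why the slides that follow concentrate on where the PIN key is stored and who handles it.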

6
Problems with encryption products
  • All hardware that stores important keys must be
    physically tamper resistant.
  • Of the 10,000 member banks of VISA and
    Mastercard, only about 1,000 have invested in
    such hardware.
  • All these security modules are manufactured by
    IBM, and the IBM manual actually tells how any
    programmer can recover the keys for debugging
    purposes!!!

7
Problems with encryption products (cont.)
  • Key entry into these security modules is through
    obsolete IBM 3178 serial terminals.
  • The key is usually distributed between two high
    ranked officials in the bank.
  • These officials are mostly reluctant to use a
    keyboard, and simply give the key to the
    technician.
  • Even if they do type it in, they use emulation
    s/w on the service technician's laptop, which can
    record the keystrokes.

8
Problems with practices of banks
  • Some banks subcontract their ATM system to
    facilities management firms. No bank officials
    have any idea about the security implications of
    this.
  • Most keys are exchanged in open correspondence.
  • Some banks place the encryption module inside the
    branch, and transmit PINs in plaintext to ATMs.
  • Point of sale systems at stores??

9
The threat model is wrong
  • Designers concentrate on what is possible
    rather than on what is likely to happen.
  • We overestimate the sophistication of both the
    users of the cryptosystem as well as that of the
    attacker.
  • We grossly underestimate internal threats.
  • Hangover from military applications, DOD funding,
    WW II etc. where the entities in question are
    nations??