Recent talks: Chip & PIN, traffic analysis, and voting

July 6th, 2007 at 11:39 UTC by Steven J. Murdoch

In the past couple of months, I’ve presented quite a few talks, and in the course of doing so, travelled a lot too (Belgium and Canada last month; America and Denmark still to come). I’ve now published my slides from these talks, which might also be of interest to Light Blue Touchpaper readers, so I’ll summarize the contents here.

Two of the talks were on Chip & PIN, the UK deployment of EMV. The first presentation — “Chip and Spin” — was for the Girton village Neighbourhood Watch meeting. Girton was hit by a spate of card-cloning, eventually traced back to a local garage, so they invited me to give a fairly non-technical overview of the problem. The slides served mainly as an introduction to a few video clips I showed, taken from TV programmes in which I participated. [slides (PDF 1.1M)]

The second Chip & PIN talk was to the COSIC research group at K.U. Leuven. Due to the different audience, this presentation — “EMV flaws and fixes: vulnerabilities in smart card payment systems” — was much more technical. I summarized the EMV protocol, described a number of weaknesses which leave EMV open to attack, along with corresponding defences. Finally, I discussed the more general problem with EMV — that customers are in a poor position to contest fraudulent transactions — and how this situation can be mitigated. [slides (PDF 1.4M)]

If you are interested in further details, much of the material from both of my Chip & PIN talks is discussed in papers from our group, such as “Chip and SPIN”, “The Man-in-the-Middle Defence” and “Keep Your Enemies Close: Distance bounding against smartcard relay attacks”.

Next I went to Ottawa for the PET Workshop (now renamed the PET Symposium). Here, I gave three talks. The first was for a panel session — “Ethics in Privacy Research”. Since this was a discussion, the slides aren’t particularly interesting but it will hopefully be the subject of an upcoming paper.

Then I gave a short talk at WOTE, on my experiences as an election observer. I summarized the conclusions of the Open Rights Group report (released the day before my talk) and added a few personal observations. Richard Clayton discussed the report in the previous post. [slides (PDF 195K)]

Finally, I presented the paper written by Piotr Zieliński and me — “Sampled Traffic Analysis by Internet-Exchange-Level Adversaries”, which I previously mentioned in a recent post. In the talk I gave a graphical summary of the paper’s key points, which I hope will aid in understanding the motivation of the paper and the traffic analysis method we developed. [slides (PDF 2.9M)]

Entry filed under: Banking security, Electronic voting, Privacy technology

3 comments

  • 1. sskm  |  July 9th, 2007 at 13:53 UTC

    Would you care to comment what you mean by “electronic attorney”? Could it be the customer’s mobile phone?

  • 2. Steven J. Murdoch  |  July 9th, 2007 at 14:32 UTC

    @sskm

    The electronic attorney was introduced in The Man-in-the-Middle Defence by Ross Anderson and Mike Bond.

    It can be any device trusted by the customer, but for EMV it would need to have special hardware for emulating and reading a smartcard, which is not commonly available on any current general-purpose device.

    For wireless payment cards, e.g. PayPass, it might be possible to implement this on top of the NFC support on certain mobile phones.

  • 3. Clive Robinson  |  July 10th, 2007 at 13:30 UTC

    @sskm, Steven J. Murdoch,

    “it might be possible to implement this on top of the NFC support on certain mobile phones”

    One point I have made before: mobile phones, like many, many other devices, cannot be considered in any way secure (functionality/software can be loaded at any time by the operator or others).

    Therefore they cannot be trusted (like 99.99% of re-programmable/programmable devices).

    For the “Electronic Attorney” to be trusted, both it and its audit trail would need to be effectively tamper proof against both the person who owns it and others. I am not sure just how many electronic devices come under that description, but I will make a small bet that if there are any they are not in an effective cost range…
