Logic of Authentication

Transcription

1 Logic of Authentication Dennis Kafura Derived from materials authored by: Burrows, Abadi, Needham 1

2 Goals and Scope Goals develop a formalism to reason about authentication protocols uses determine guarantees provided by a protocol compare assumptions needed by different protocols identify extraneous protocol steps Out of scope concerns defects in practical implementations (e.g., deadlocks) hostile or malicious parties 2

3 Outline Notation Symbols for keys, principals, etc. Constructs related to beliefs, signatures, etc. Formalism Logic postulates : formal rules for reasoning about beliefs Annotations of protocol steps Usual logical primitives (conjunction denoted by, ) Method Form idealized protocol Define assumptions Prove properties based on logic postulates Examples Kerberos Andrews Secure RPC handshake Needham-Schroeder Public Key Protocol CCITT/X.509 Protocol 3

4 Notation Principals A, B, S, Keys Shared keys: K ab, K bs Public keys: K a, K b, Secret keys: K a -1, K b -1, Statements N a, N b, 4

5 Constructs P believes X P sees X P said X P controls X fresh(x) P K Q K P P =X= Q {X} K <X> Y P is entitled to believe that (or may act as if) X is true P received a message containing X P sent a message containing X at some time in the past P is authoritative for X X is within the current run of the protocol K is a shared secret key between P and Q P has public key K X is a shared secret between P and Q X encrypted with K X combined with Y 5

6 Logic Postulates (1) (1) Message meaning rules: Secret key Public key Shared secret 6

7 Logic Postulates (2) (2) Nonce Verification rule: (3) Jurisdiction rule: 7

8 Logic Postulates (3) (4) Visibility rules: (5) Freshness rule: 8

9 Annotations and Goals The steps in a protocol are annotated with logical formulas before the first step and after each step: if X holds before the message P Q : Y then both X and Q sees Y holds afterwards, if Y can be derived from X by the logical postulates then Y holds whenever X holds. Conjunctions can be broken (i.e., if P said (X,Y) then P said X) The logic can be used to prove various authentication goals, such as: 9

10 Kerberos: messages Real protocol: Idealized protocol: 10

11 Kerberos: assumptions 11

12 Kerberos: message 2 (1) A sees { T S, A K ab B, {T S, A K ab B} K bs } Kas by annotation rule. (2) A believes S said (T S, A K ab B, {T S, A K ab B} K bs ) by assumption A believes A K as S and message meaning rule. (3) A believes S said (T S, A K ab B) by breaking conjunctions. (4) A believes S believes (T S, A K ab B) by assumption A believes fresh(t S ) and nonce verification rule. (5) A believes S believes (A K ab B) by breaking conjunctions. (6) A believes S controls (A K ab B) by instantiating K ab in assumption A believes S controls (A K B). (7) A believes (A K ab B) by jurisdiction rule. 12

13 Kerberos: message 3 (part 1) (1) B sees {T S, A K ab B} K bs, {T a, A K ab B} K ab by annotation rule. (2) B believes S said (T S, A K ab B), by breaking conjunctions, assumption A believes A K bs S and message meaning rule. (3) B believes S believes (T S, A K ab B) by assumption A believes fresh(t S ) and nonce verification rule. (4) B believes S believes (A K ab B) by breaking conjunctions. (5) B believes S controls (A K ab B) by instantiating K ab in assumption B believes S controls (A K B). (6) B believes (A K ab B) by jurisdiction rule. 13

14 Kerberos: message 3 (part 2) (1) B sees {T a, A K ab B} K ab by breaking conjunctions and annotation rule. (2) B believes A said (T a, A K ab B), by proof that B believes A K ab B and message meaning rule. (3) B believes A believes (T a, A K ab B) by assumption B believes fresh(t a ) and nonce verification rule. (4) B believes A believes (A K ab B) by breaking conjunctions. 14

15 Kerberos: message 4 (1) A sees {T a, A K ab B} K ab by breaking conjunctions and annotation rule. (2) A believes B said (T a, A K ab B), by proof that B believes A K ab B and message meaning rule. (3) A believes B believes (T a, A K ab B) by assumption A believes fresh(t a ) and nonce verification rule. (4) A believes B believes (A K ab B) by breaking conjunctions. 15