Logic of Authentication

Similar documents
Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

SEMINAR REPORT ON BAN LOGIC

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Logics of authentication

CSE BAN Logic Presentation

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Extensions of BAN. Overview. BAN Logic by Heather Goldsby Michelle Pirtle

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Elements of Security

Session key establishment protocols

Session key establishment protocols

Extending Cryptographic Logics of Belief to Key Agreement Protocols

Encryption as an Abstract Datatype:

Lecture 1: Course Introduction

Formal Methods for Assuring Security of Computer Networks

University of Wollongong. Research Online

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Proofs for Key Establishment Protocols

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Grenzen der Kryptographie

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Security protocols and their verification. Mark Ryan University of Birmingham

Formal Methods for Security Protocols

Security Handshake Pitfalls

Event-B Course. 11. Formal Development of a Security Protocol (the Needham-Schroeder protocol)

Lecture 8 - Message Authentication Codes

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Principles of Security Part 4: Authentication protocols Sections 1 and 2

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

Security Handshake Pitfalls

On Belief Evolution in Authentication Protocols. Rajashekar Kailar and Virgil D. Gligor. Department of Electrical Engineering

Applied Cryptography Basic Protocols

Authentication Handshakes

An Interface Specification Language for Automatically Analyzing Cryptographic Protocols

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Lecture 19: cryptographic algorithms

Security Handshake Pitfalls

CSC 474/574 Information Systems Security

Lecture 15: Cryptographic algorithms

Lecture 4: Authentication Protocols

SAT-based Verifiction of NSPKT Protocol Including Delays in the Network

Extending CAPSL for Logic-Based Verifications

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Network Security and Internet Protocols

Digital Signatures. Secure Digest Functions

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Fall 2010/Lecture 32 1

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Computer Networks & Security 2016/2017

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Mechanising BAN Kerberos by the Inductive Method

CS Protocol Design. Prof. Clarkson Spring 2017

Spring 2010: CS419 Computer Security

Presented by Jack G. Nestell. Topics for Discussion. I. Introduction. Discussion on the different logics and methods of reasonings of Formal Methods

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

A second consideration in the design of Kerberos. targeted applications used simple, stateless, request

Breaking and Fixing Public-Key Kerberos

Breaking and Fixing Public-Key Kerberos

An Authentication Service Supporting Domain Based Access Control Policies

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Authentication in Distributed Systems

Datasäkerhetsmetoder föreläsning 7

Advanced Cryptography 1st Semester Symmetric Encryption

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Authentication in Distributed Systems: Theory and Practice

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

VERIFICATION AND ANALYSIS OF AN IMPROVED AUTHENTICATION PROTOCOL FOR MOBILE IP

KEY DISTRIBUTION AND USER AUTHENTICATION

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Combined CPV-TLV Security Protocol Verifier

Security Handshake Pitfalls

Maude Implementation of MSR

Cryptographic Protocols 1

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

for Compound Authentication

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Introduction to Security

A Derivation System for Security Protocols and its Logical Formalization

What did we talk about last time? Public key cryptography A little number theory

A Protocol for Secure Public Instant Messaging

Maude Implementation of MSR Demo

Cryptography and Network Security

Network Security (NetSec)

A Derivation System for Security Protocols and its Logical Formalization

Information Security CS 526

Protocol: A Comparison of Two Approaches. Catherine A. Meadows. Code Naval Research Laboratory.

Relations Between Secrets: Two Formal Analyses of the Yahalom Protocol

Unit-VI. User Authentication Mechanisms.

Security protocols. Security protocols are concerned with properties such as authenticity and secrecy.

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Verifying Security Protocols with Brutus

T Cryptography and Data Security

SPi Calculus: Outline. What is it? Basic SPi Calculus Notation Basic Example Example with Channel Establishment Example using Cryptography

User Authentication Protocols

Authenticity by Typing for Security Protocols

A Computational Analysis of the Needham-Schröeder-(Lowe) Protocol

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Transcription:

Logic of Authentication Dennis Kafura Derived from materials authored by: Burrows, Abadi, Needham 1

Goals and Scope Goals develop a formalism to reason about authentication protocols uses determine guarantees provided by a protocol compare assumptions needed by different protocols identify extraneous protocol steps Out of scope concerns defects in practical implementations (e.g., deadlocks) hostile or malicious parties 2

Outline Notation Symbols for keys, principals, etc. Constructs related to beliefs, signatures, etc. Formalism Logic postulates : formal rules for reasoning about beliefs Annotations of protocol steps Usual logical primitives (conjunction denoted by, ) Method Form idealized protocol Define assumptions Prove properties based on logic postulates Examples Kerberos Andrews Secure RPC handshake Needham-Schroeder Public Key Protocol CCITT/X.509 Protocol 3

Notation Principals A, B, S, Keys Shared keys: K ab, K bs Public keys: K a, K b, Secret keys: K a -1, K b -1, Statements N a, N b, 4

Constructs P believes X P sees X P said X P controls X fresh(x) P K Q K P P =X= Q {X} K <X> Y P is entitled to believe that (or may act as if) X is true P received a message containing X P sent a message containing X at some time in the past P is authoritative for X X is within the current run of the protocol K is a shared secret key between P and Q P has public key K X is a shared secret between P and Q X encrypted with K X combined with Y 5

Logic Postulates (1) (1) Message meaning rules: Secret key Public key Shared secret 6

Logic Postulates (2) (2) Nonce Verification rule: (3) Jurisdiction rule: 7

Logic Postulates (3) (4) Visibility rules: (5) Freshness rule: 8

Annotations and Goals The steps in a protocol are annotated with logical formulas before the first step and after each step: if X holds before the message P Q : Y then both X and Q sees Y holds afterwards, if Y can be derived from X by the logical postulates then Y holds whenever X holds. Conjunctions can be broken (i.e., if P said (X,Y) then P said X) The logic can be used to prove various authentication goals, such as: 9

Kerberos: messages Real protocol: Idealized protocol: 10

Kerberos: assumptions 11

Kerberos: message 2 (1) A sees { T S, A K ab B, {T S, A K ab B} K bs } Kas by annotation rule. (2) A believes S said (T S, A K ab B, {T S, A K ab B} K bs ) by assumption A believes A K as S and message meaning rule. (3) A believes S said (T S, A K ab B) by breaking conjunctions. (4) A believes S believes (T S, A K ab B) by assumption A believes fresh(t S ) and nonce verification rule. (5) A believes S believes (A K ab B) by breaking conjunctions. (6) A believes S controls (A K ab B) by instantiating K ab in assumption A believes S controls (A K B). (7) A believes (A K ab B) by jurisdiction rule. 12

Kerberos: message 3 (part 1) (1) B sees {T S, A K ab B} K bs, {T a, A K ab B} K ab by annotation rule. (2) B believes S said (T S, A K ab B), by breaking conjunctions, assumption A believes A K bs S and message meaning rule. (3) B believes S believes (T S, A K ab B) by assumption A believes fresh(t S ) and nonce verification rule. (4) B believes S believes (A K ab B) by breaking conjunctions. (5) B believes S controls (A K ab B) by instantiating K ab in assumption B believes S controls (A K B). (6) B believes (A K ab B) by jurisdiction rule. 13

Kerberos: message 3 (part 2) (1) B sees {T a, A K ab B} K ab by breaking conjunctions and annotation rule. (2) B believes A said (T a, A K ab B), by proof that B believes A K ab B and message meaning rule. (3) B believes A believes (T a, A K ab B) by assumption B believes fresh(t a ) and nonce verification rule. (4) B believes A believes (A K ab B) by breaking conjunctions. 14

Kerberos: message 4 (1) A sees {T a, A K ab B} K ab by breaking conjunctions and annotation rule. (2) A believes B said (T a, A K ab B), by proof that B believes A K ab B and message meaning rule. (3) A believes B believes (T a, A K ab B) by assumption A believes fresh(t a ) and nonce verification rule. (4) A believes B believes (A K ab B) by breaking conjunctions. 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback