Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Similar documents
Logic of Authentication

Logics of authentication

SEMINAR REPORT ON BAN LOGIC

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

CSE BAN Logic Presentation

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

Extensions of BAN. Overview. BAN Logic by Heather Goldsby Michelle Pirtle

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Security protocols and their verification. Mark Ryan University of Birmingham

Formal Methods for Assuring Security of Computer Networks

Presented by Jack G. Nestell. Topics for Discussion. I. Introduction. Discussion on the different logics and methods of reasonings of Formal Methods

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CPSC 467: Cryptography and Computer Security

Extending Cryptographic Logics of Belief to Key Agreement Protocols

Session key establishment protocols

Session key establishment protocols

An Interface Specification Language for Automatically Analyzing Cryptographic Protocols

Formal Methods for Security Protocols

Secure Multiparty Computation

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Hello World in HLPSL. Turning ASCII protocol specifications into HLPSL

Verifying Security Protocols with Brutus

The Needham-Schroeder-Lowe Protocol with Event-B

Extending CAPSL for Logic-Based Verifications

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Lecture 8 - Message Authentication Codes

CPSC 467: Cryptography and Computer Security

University of Wollongong. Research Online

HOST Authentication Overview ECE 525

Network Security and Internet Protocols

Grenzen der Kryptographie

Trust-Propagation Based Authentication Protocol in Multihop Wireless Home Networks

Lecture 1: Course Introduction

Principles of Security Part 4: Authentication protocols Sections 1 and 2

Security Protections for Mobile Agents

Design and Analysis of Protocols The Spyce Way

Authentication in Distributed Systems: Theory and Practice

OneID An architectural overview

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi

Modelling and Automatically Analysing Privacy Properties for Honest-but-Curious Adversaries

CS Protocol Design. Prof. Clarkson Spring 2017

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Provable Anonymity. Epistemic Logic for Anonymizing Protocols. Ichiro Hasuo. Radboud University Nijmegen The Netherlands

A Short SPAN+AVISPA Tutorial

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Analysis of an E-voting Protocol using the Inductive Method

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Article An Enhanced Lightweight Anonymous Authentication Scheme for a Scalable Localization Roaming Service in Wireless Sensor Networks

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

A Derivation System for Security Protocols and its Logical Formalization

SPi Calculus: Outline. What is it? Basic SPi Calculus Notation Basic Example Example with Channel Establishment Example using Cryptography

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Spring 2010: CS419 Computer Security

Computer Networks & Security 2016/2017

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Cryptography: More Primitives

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

1 A Tale of Two Lovers

A HOL Extension of GNY for Automatically Analyzing. Cryptographic Protocols. Stephen H. Brackin ESC/ENS

Elements of Security

NEW FUNCTIONS FOR SECRECY ON REAL PROTOCOLS

Event-B Course. 11. Formal Development of a Security Protocol (the Needham-Schroeder protocol)

Cryptographic Checksums

Public-key Cryptography: Theory and Practice

A SMART CARD BASED AUTHENTICATION SCHEME FOR REMOTE USER LOGIN AND VERIFICATION. Received April 2011; revised September 2011

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Using A Cost-Based Framework For Analyzing Denial Of Service

Authenticated Key Agreement without Subgroup Element Verification

The Needham-Schroeder-Lowe Protocol with Event-B

Introduction to Security

Secure Multiparty Computation

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Relations Between Secrets: Two Formal Analyses of the Yahalom Protocol

This presentation covers Gen Z s Security capabilities.

A Hierarchy of Authentication Specifications

Smart Cards in Hostile Environments

Security Analysis of the Secure Authentication Protocol by Means of Coloured Petri Nets

An Authentication Service Supporting Domain Based Access Control Policies

Structured Attacks on Cryptographic Protocols. Karl Mahlburg Everett Bull, Advisor

Crypto Background & Concepts SGX Software Attestation

Lecture 18 - Chosen Ciphertext Security

Applied Cryptography and Computer Security CSE 664 Spring 2017

CS Protocols. Prof. Clarkson Spring 2016

Digital Signatures. Secure Digest Functions

Lecture 7 - Applied Cryptography

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Authentication Part IV NOTE: Part IV includes all of Part III!

Lecture 1: Perfect Security

Specifying authentication using signal events in CSP

Using secure multi-party computation when pocessing distributed health data

ANET: An Anonymous Networking Protocol

An Authentication Model for Wireless Network Services

Transcription:

Security protocols Logical representation and analysis of protocols.i A security protocol is a set of rules, adhered to by the communication parties in order to ensure achieving various security or privacy goals, such as establishing a common cryptographic key, a achieving authentication, etc. We have discussed already several protocol, aiming at: Key exchange; Private electronic payments; E-voting. Correctness of protocols Are they correct at all? How do we establish correctness? We have used semi-formal arguments, like If a message is encrypted with the public key of Alice, then only a participant who knows private key of Alice (presumably Alice herself only) can decrypt it. Typically we have considered possible attacks and argued using the reasoning as above, that attacks are impossible (under some reasonable assumptions). Is that enough? Are we sure that we have considered all possible situations of use? Correctness of protocols. II Security protocols are designed to succeed even in the presence of a malicious agent, often called intruder (adversary); Intruder may have complete or partial control over the communication network and may have different computational capabilities; The correctness of the protocols depends on the assumptions on capabilities of possible intruder; Assumptions are often left implicit; Typically in security we have to deal with numerous nontrivial assumptions.

The power of formal methods Logical representation What should we do about establishing correctness of security protocols? Apply formal methods! Make explicit all the assumptions involved in a protocol; Make a formal model of the protocol (and its execution); Apply formal reasoning, which would establish the correctness of the protocol. Two important aspects: The correctness is established only for a particular formal model of the protocol; and under explicit assumptions (about capabilities of participants, etc) ; Formal aspects of reasoning is an important part of logic; Logical representation and analysis of the security protocols is a particular successful approach for the protocols verification; Non-classical modal epistemic logics dealing with such notions as belief and knowledge, are more suitable here than classical logics dealing primarily with truth. Protocol analysis using a logic BAN logic Derive the specification of an idealized protocol in a logical language from the (usually informal) original specification; Specify the assumptions about the initial state; Attach logical formulae to statements of the protocol as assertions about the state of the system after each statement; Apply logical axioms and inference rules to derive beliefs held by parties in the protocols. M. Burrows, M.Abadi, R. Needham (1989): Logic of authentication, or BAN logic; Suitable for formal analysis of authentication protocols; A protocol is analysed from the point of view of each principal (participant) P. Each message received by P is considered in relation to previous messages received by P and sent by P; The question, one can address using BAN logic, is what a principal should believe, on the basis of the messages it has sent and received.

Formulae of BAN logic Formulae of BAN. II P believes X is a formula of BAN logic saying P is entitled to conclude that X is true, or P has a justification for X; P sees X The principal P receives a message containing X. P might need to perform decryption to extract X. X can be a statement or a simple item of data. P does not necessarily believes X. P controls X P has jurisdiction over X, or P is trusted as an authority on X. For example an authentication server is trusted as an authority on statements about a key it has allocated. P said X At some point in the past, P is known to have sent a message including X Formulae of BAN logic. II Further notation Fresh(X) X has not been sent earlier. It is a fresh value (nonce = number used once). A K is a secret between P and Q and possibly other principals trusted by P and Q (such as authentication server). If is a key, then means encrypted with the key If and are statements, then means and

Main assumption Deduction rules Trusted principals do not lie about their beliefs to other principals. That means if P is trusted, and if a formula X is received in a message (known to have been) sent by P then it can be deduced that P believes X. Deduction rules (or, postulates) of BAN logic have the following format meaning Z follows from a conjunction of statements X and Y Main postulates of BAN logic Main postulated of BAN logic The message meaning rule: The nonce-verification rule ---------------------------------------- ----------------------------------------------------- If P believes that it shares a a secret key K with Q, and if P receives a message containing X encrypted with K then P believes that Q once said X Nonce = number used once = fresh value. If P believes that Q once said X, then P believes that Q once believed X (by main assumption). If additionally P believes X is fresh then P must believe that Q currently believes X.

Main postulated of BAN logic Decomposition postulates The jurisdiction rule: --------------------- --------------------------------- -------------------------------------------------------------------------- If P believes that Q has control over whether or not X true and if P believes that Q believes it to be true, then P must believe in it also. The reason is Q is an authority on the matter as far as P is concerned. -------------------------------------------

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback