BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

Similar documents
Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

CSE BAN Logic Presentation

Logic of Authentication

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

SEMINAR REPORT ON BAN LOGIC

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Logics of authentication

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Security protocols and their verification. Mark Ryan University of Birmingham

Lecture 1: Course Introduction

Outline More Security Protocols CS 239 Computer Security February 4, 2004

CS Protocol Design. Prof. Clarkson Spring 2017

Session key establishment protocols

Session key establishment protocols

Applied Cryptography Basic Protocols

Elements of Security

CS Protocols. Prof. Clarkson Spring 2016

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Computer Networks & Security 2016/2017

Session Key Distribution

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Grenzen der Kryptographie

Mechanising BAN Kerberos by the Inductive Method

Lecture 4: Authentication Protocols

Applied Cryptography and Computer Security CSE 664 Spring 2017

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Network Security and Internet Protocols

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Key Establishment and Authentication Protocols EECE 412

Symmetric Encryption

Extensions of BAN. Overview. BAN Logic by Heather Goldsby Michelle Pirtle

Security Handshake Pitfalls

What did we talk about last time? Public key cryptography A little number theory

Cryptographic Protocols 1

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

Chapter 9: Key Management

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Principles of Security Part 4: Authentication protocols Sections 1 and 2

Cryptographic Checksums

Authenticated Key Agreement without Subgroup Element Verification

Relations Between Secrets: Two Formal Analyses of the Yahalom Protocol

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

HY-457 Information Systems Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Spring 2010: CS419 Computer Security

Formal Methods for Security Protocols

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Encryption as an Abstract Datatype:

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

User Authentication Protocols Week 7

Cryptanalysis of Two Password-Authenticated Key Exchange. Protocols between Clients with Different Passwords

Lecture 15: Cryptographic algorithms

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Attacking Authentication Protocols

Authentication Handshakes

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Extending CAPSL for Logic-Based Verifications

CSC 474/574 Information Systems Security

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.

Proofs for Key Establishment Protocols

Message authentication

User Authentication Protocols

A Short SPAN+AVISPA Tutorial

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Outline Key Management CS 239 Computer Security February 9, 2004

On Key Distribution Protocols for Repeated Authentication. Paul Syverson. Naval Research Laboratory. Washington, DC

Fall 2010/Lecture 32 1

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Lecture Note 05 Date:

1 Identification protocols

CPSC 467: Cryptography and Computer Security

Paul Syverson. Code Naval Research Laboratory. good encryption algorithm. This example illustrates a

Digital Signatures. Secure Digest Functions

Kurose & Ross, Chapters (5 th ed.)

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

T Cryptography and Data Security

Network Security (NetSec)

CS5232 Formal Specification and Design Techniques. Using PAT to verify the Needham-Schroeder Public Key Protocol

An Interface Specification Language for Automatically Analyzing Cryptographic Protocols

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Introduction to Security

CS3235 Seventh set of lecture slides

Security Handshake Pitfalls

1 Achieving IND-CPA security

Diffie-Hellman. Part 1 Cryptography 136

CSC 482/582: Computer Security. Security Protocols

Cryptography and Network Security Chapter 14

Transcription:

Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and finally conclusions are inferred based on the assertions in the idealized messages and those assumptions. 4 Source The language of BAN These lectures are primarily based on: Paul Syverson and Iliano Cervesato, The Logic of Authentication Protocols, in R. Focardi, R. Gorrieri (Eds.): Foundations of Security Analysis and Design, Lecture Notes in Computer Science, LNCS 2171, Springer- Verlag 2001. In all of these expressions, X is either a message or a formula. As we will see, every formula can be a message, but not every message is a formula. 2 5 Protocol 1 (Needham-Schroeder Shared-Key) [NS78] The language of BAN Message 1 A S : A, B, n A Message 2 S A : n A, B, k AB, k AB, Ak BS k AS Message 3 A B : k AB, Ak BS Message 4 B A : n B k AB Message 5 A B : n B 1k AB Nonces are random unpredictable values generated by a principal and included in messages so that she can tell any messages later received and containing her nonce must have been produced after she generated and sent the nonce. 3 P believes X : P received X : message; this may require decryption. P said X : P controls X : fresh(x) : (Read X is fresh.) X has not been sent in any message prior to current protocol run 6

k The language of BAN BAN Rules: Nonce Verification P k Q : (Read k is a good key for P and Q.) k will never be discovered by any principal but P, Q, or a principal trusted by P or Q. (The last case is necessary, since the server often sees, indeed generates, k.) PK(P, k) : (Read k is a public key of P.) The secret key, k 1, corresponding to k will never be discovered by any principal but P or a principal trusted by P. {X}k : Short for Xk from P (Read X encrypted with k (from P).) This is the notation for encryption. Principals can recognize their own messages. Encrypted messages are uniquely readable and verifiable as such by holders of the right keys. 7 P believes fresh(x) P believes Q believes X This rule allows promotion from the past to the present (something said some time in the past to a present belief). In order to be applied, X should not contain any encrypted text. 10 BAN Rules: Message Meaning P believes P k Q P received Xk BAN Rules: Jurisdiction P believes Q controls X P believes Q believes X P believes X If P receives X encrypted with k and if P believes k is a good key for talking with Q, then P believes Q once said X. In applying symmetric keys, there is no explicit distinction between signing and encryption. 8 The jurisdiction rule allows inferences that a principal believes a key is good, even though it is a random string that he has never seen before. 11 BAN Rules: Message Meaning BAN Rules: Belief Conjuncatenation P believes PK(Q, k) P received Xk 1 P believes X P believes Y P believes (X, Y ) There is no explicit distinction between signing and encryption. Both are represented by {X }k or {X }k -1. The distinction is implicit in the notation for the key used: k or k -1. The obvious rules apply to beliefs concerning concatenations of messages/conjunctions of formulae. Concatenations of messages and conjunctions of formulae are both represented as (X, Y ) in the above rules. 9 12

BAN Rules: Belief Conjuncatenation BAN Protocol Analysis P believes Q believes (X, Y ) P believes Q believes X P believes Q said (X, Y ) We do not list all of the rules; we give only a representative sampling. 1. Idealize the protocol. 2. Write assumptions about the initial state. 3. Annotate the protocol: For each message transmission P Q : M in the protocol, assert Q received M. 4. Use the logic to derive the beliefs held by protocol principals. 13 16 BAN Rules: Freshness Conjuncatenation Protocol 1 (Needham-Schroeder Shared-Key) [NS78] P believes fresh(x) P believes fresh(x, Y ) For some inexplicable reason, this is a commonly misunderstood BAN rule. Some try to deny it; others try to assert the converse rule. Be wary of these mistakes. Message 1 A S : A, B, n A Message 2 S A : n A, B, k AB, k AB, Ak BS k AS Message 3 A B : k AB, Ak BS Message 4 B A : n B k AB Message 5 A B : n B 1k AB 14 17 BAN Rules: Receiving Rules: Seeing is Receiving Idealized Needham-Schroeder Shared- Key [BAN89a] P believes P k Q P received Xk P received X P received (X, Y ) P received X Message 2 S A : n A, A kab B, fresh(k AB ), A kab Bk BS k AS from S Message 3 A B : A kab Bk BS from S Message 4 B A : n B A kab Bk AB from B Message 5 A B : n B,A kab Bk AB from A A principal receiving a message also receives submessages he can uncover. 15 18

NSKK Idealization NSSK Annotated Protocol First message is omitted Plaintext is omitted It is assumed that principals recognize their own messages. Thus, with a shared key, if a recipient can decrypt a message, she can tell who it is from. As this is often implicitly clear, the from field is often omitted. What is inside the encrypted messages is also altered. Specifically, the key k AB is replaced by assertions about it. Also in the last message n B - 1 is changed to just n B. P8. A received n A, A kab B, fresh(k AB ), A kab Bk BS k AS from S P9. B received A kab Bk BS from S P10. A received n B, A kab Bk AB from B P11. B received nb, A kab Bk AB from A Basically read directly from idealized protocol 19 22 NSSK Initial State Assumptions P1. A believes A kas S P2. B believes B kbs S P3. A believes S controls A k B P4. B believes S controls A k B P5. A believes S controls fresh(a k B) P6. A believes fresh(n A ) P7. B believes fresh(n B ) 1. A believes S said (n A, A kab B, fresh(a kab B), A kab Bk BS ) By Message Meaning using P1, P8. 2. A believes fresh(n A, A kab B, fresh(a kab B), A kab Bk BS ) By Freshness Conjuncatenation using 1, P6. 3. A believes S believes (n A, A kab B, fresh(a kab B),A kab Bk BS ) By Nonce Verification using 2, 1. 4. A believes S believes (A kab B) By Belief Conjuncatenation using 3. 5. A believes S believes (fresh(a kab B)) By Belief Conjuncatenation using 3. 20 23 NSSK Initial State Assumptions P1, P2 are beliefs in quality of longterm keys S has similar beliefs but are not relevant P3, P4, P5 are jurisdiction beliefs P6, P7 are beliefs in freshness of each principal s nonces 6. A believes (A kab B) By Jurisdiction using 4, P3. 7. A believes fresh(a kab B) By Jurisdiction using 4, P5. We have derived Alice s belief in the goodness and in the freshness of k AB. How about Bob? 21 24

8. B believes S said (A kab B) By Message Meaning using P2, P9. This gives us Bob s belief in the goodness of k AB. Unlike Alice, Bob has sent no nonce at this point in the protocol. To get Bob s belief in freshness we need the following assumption. P12. B believes fresh(a kab B) [Dubious] Similarly we can get A believes B believes A kab B By Belief Conjuncatenation using 13. See page 73, need clarification about use of nb This is different than P6, P7 which were based on nonces that the believing principal generates. Here Bob believes that a random value generated by someone else is fresh. 25 28 NSSK: Denning-Sacco Attack [DS81] 9. B believes S believes A kab B Message 3 E A B : k AB, Ak BS By Nonce Verification using P12, 8. Message 4 B E A : n B k AB 10.B believes A kab B Message 5 E A B : n B 1k AB By Jurisdiction using P4, 9. E A is the attacker masquerading as A using an old compromised session key k AB within the lifetime of the long-term key k BS The attack is not directly uncovered by BAN but BAN analysis shows the desired beliefs of B cannot be derived without the dubious assumption P12 B believes fresh(a kab B)that underlies this attack. 26 29 The Nessett Protocol [Nes90] 11. A believes B said (n B, A kab B) By Message Meaning using 6, P10. Message 1 A B : n A,k AB k A 1 12. A believes fresh(n B, A kab B) Message 2 B A : n B k AB By Freshness Conjuncatenation using 7. 13. A believes B believes (n B, A kab B) An obviously insecure protocol, yet proved secure using BAN By Nonce Verification using 12, 11. 14. A believes B believes A kab B By Belief Conjuncatenation using 13. 27 30

The Nessett Protocol [Nes90] Nessett Protocol Derivations for Alice Idealized Nessett Protocol Message 1 A B : {n A, A kab B}k -1 A Message 2 B A : A kab B kab Annotation Premises P1. B received {n A, A kab B}k -1 A P2. A received A kab B kab 6. A believes B said A kab B By Message Meaning using P4, P2. 7. A believes B believes A kab B By Nonce Verification using P5, 6. These are Alice s second order beliefs in the goodness of k AB. (Her first order belief was assumed.) 31 34 The Nessett Protocol [Nes90] The Nesset Protocol Initial State Assumptions P3. B believes PK(k A, A) P4. A believes A kab B P5. A believes fresh(a kab B) P6. B believes fresh(n A ) P7. B believes A controls (A kab B) Note P6 whereby n a is more naturally thought of as a timestamp rather than a nonce Nessett traces the source of the flaw to the scope of BAN. It addresses who gets and acknowledges a key (authentication), but it does not address who should not get a key (confidentiality). Burrows et al. respond to Nessett in [BAN90b] by noting that their paper explicitly limits discussion to authentication of honest principals. They explicitly do not attempt to detect unauthorized release of secrets. Alice s action is inconsistent with meaning of A believes A kab B. What is needed is a way to reflect this mathematically. Suppose we could derive A believes C has k AB (for arbitrary C). Increasing expressiveness would let us formally demonstrate this. 32 35 Nessett Protocol Derivations for Bob 1. B believes A said (n A, A kab B) By Message Meaning using P3, P1. 2. B believes fresh(n A, A kab B) By Freshness Conjuncatenation using P6. 3. B believes A believes (n A, A kab B) By Nonce Verification using 2, 1. 4. B believes A believes A kab B Beyond BAN GNY90 AT91 vo93 And others SvO94, SvO96 unifies these By Belief Conjuncatenation using 3. 5. B believes A kab B By Jurisdiction using P7, 4. 33 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback