1 / 42

A Logic of Authentication

A Logic of Authentication. BAN Logic. Michael Burrows, Martin Abadi, Roger Needham. Presented by : Wenjin Hu. Using Logic to analyze authentication protocols. describing the beliefs of trustworthy parties involved in authentication protocols presenting

malcolm-tyson
Télécharger la présentation

A Logic of Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Logic of Authentication BAN Logic Michael Burrows, Martin Abadi, Roger Needham Presented by : Wenjin Hu

  2. Using Logic to analyze authentication protocols describing • the beliefs of trustworthy parties involved in authentication protocols presenting • the evolution of these beliefs as a consequence of communication

  3. Purpose: • Discover subtleties in different authentication protocols • Draw attention to errors in them • Suggest improvements Answering: What does this protocol achieve? Does this protocol need more assumptions than another one? Does this protocol do anything unnecessary that could be left out without weakening it? Does this protocol encrypt something that could be sent in clear without weakening it?

  4. Outline • Introduce BAN logic • Demo how BAN logic analyzes protocol • BAN logic Defects • Discussion on BAN logic

  5. Review: Authentication Protocols: Guarantee • The principals really are who they say they are • They will end up in possession of one or more shared secrets or recognize the use of other principals’ secrets

  6. Objects Principals, encryption keys, formulas Predicate constructs Interpret organized objects into logical statements with truth values Inference rules (Logic Postulates) a means to reason abut the above predicate constructs Mechanically verify the reasoning Introduction to BAN Logic A, B, S K, Kab X, {X}K, Na

  7. K Predicate Constructs • P believes X • P sees X • P said X • P controls X • Fresh (X) • P Q • P • {X}k P has jurisdiction over X the principal P is an authority on X and should be trusted on this matter.  K Shared key Public key The formula X encrypted under the key K

  8. Logical Postulates • Message-meaning • Nonce-verification • Jurisdiction • Freshness

  9. Logical Postulates II • Component

  10. k k k k A B A B A B A B (I)A believes (II)A believes B believes B believes B believes A believes Steps of Logic Analysis: 1 Derive idealized protocol from the original one Transform the protocol into statements (formula) (3)guidelines of idealization of a protocol (something debating) 2 State assumptions about initial state skills in giving the assumption 3 Attach logical formula to each statement of the protocol, as assertions about the state of the system after each statement 4 Apply logical rules to assumptions and assertions, in order to discover the beliefs held by principals in the protocol 5 Conclude what beliefs are held at the end of the protocol

  11. Logic Demo • The Kerberos Protocol 1 A->S: A,B 2 S->A: {Ts, L, Kab, B, {Ts, L, Kab, A}Kbs }Kas 3 A->B: {Ts, L, Kab, A}Kbs, {A, Ta}Kab 4 B->A: {Ta+1}Kab Idealized as: • S->A: {Ts, A B, {Ts, A B}Kbs}Kas • A->B: {Ts, A B}Kbs, {Ta, A B}KabfromA • B->A: {Ta, A B}Kabfrom B

  12. Guideline of Idealization • A message used as a hint is to be omitted Cleartext is omitted simple because it can be forged  • A real message m can be interpreted as a formula X if whenever the recipient gets m he may deduce that the sender must have believed X when he sent m • Real nonces are transformed into arbitrary new formulas

  13. Logic Demo (Con’t) • Idealization • S->A: {Ts, A B, {Ts, A B}Kbs}Kas • A->B: {Ts, A B}Kbs, {Ta, A B}KabfromA • B->A: {Ta, A B}Kabfrom B

  14. A believes A S B believes B S S believes A S S believes B S S believes A B A believes (S controls A B) B believes (S controls A B) A believes fresh(Ts) B believes fresh(Ts) A believes fresh(Ta) B believes fresh(Ta) Logic Demo (Con’t) • Assumption

  15. Assumption Message-meaning Belief Belief component Nonce -Verification Assumption Jurisdiction Belief Assumption Conclusion 1: Logic Demo (Con’t) {Ts, A B, {Ts, A B}Kbs}Kas A • Analysis Assertion

  16. Component Assumption Belief Message-meaning Message-meaning Nonce -Verification Nonce -Verification Assumption Belief Conclusion 2: Belief Assumption Assumption Jurisdiction Conclusion 3: {Ts, A B}Kbs, {Ta, A B}Kab Logic Demo (Con’t) Assertion B

  17. Message-meaning Conclusion 1: Nonce -Freshness Belief Assumption Conclusion 4: Logic Demo (Con’t) Conclusion 1: Conclusion 2: Conclusion 3: {Ta, A B}Kab Assertion A

  18. Logic Demo (Con’t) • Conclusion Beliefs we get Improvement we can find In the analysis of the second message, {Ts, A B}Kbs is not needed to be re-encrypted as we look back through the formal analysis

  19. Idealized protocol The Otway-Rees Protocol • Protocol

  20. The Otway-Rees Protocol • Idealization The fact that the messages are sent at all, because if the common nonces had not matched nothing would ever have happened.

  21. k k as bs A believes A S B believes B S k k as bs S believes A S S believes B S k ab S believes A B k k ab ab A believes S controls A B B believes S controls A B A believes S controls ( B said X ) B believes S controls ( A said X ) S believes Fresh ( N ) A believes Fresh ( N ) b a A believes Fresh ( N ) c The Otway-Rees Protocol • Assumption

  22. The Otway-Rees Protocol • Analysis

  23. The Otway-Rees Protocol • Analysis

  24. The Otway-Rees Protocol • Analysis

  25. The Otway-Rees Protocol • Beliefs The author has partly used the belief we reached in the middle into the idealized protocol Both A and B gets the new key Kab A is in a better position than B A knows B exists but does not know if B gets the key Kab

  26. Modification The Otway-Rees Protocol • Conclusion Na can be eliminated Na could just be as well have been done using Nc Nb need not be encrypted in the second message

  27. BAN Logic Defects

  28. BAN Logic Exclusion BAN Logic Declaration: • Allow for the possible of hostile principal • Neither deal with the authentication of an untrustworthy principal • Nor detect weakness of encryption schemes or unauthorized release of secrets

  29. The Otway-Rees Protocol • Modified protocol

  30. M’s freshness is provided by Na we have to doubt it as a nounce. Principal A should be honest!!! The Otway-Rees Protocol I ( A ) B : M , A , B , { M’ , Ni , I , B } Kis B S : M , A , B , { M’ , Ni , I , B } , Kis • One Possible Attack Nb , { M , A , B } Kbs I ( B ) S : M’ , A , B , { M’ , Ni , I , B } Kis Nb , { M’ , A , B } Kbs I ( S ) B : M , { Ni , K } , { Nb , K } ib Kis ib Kbs B A : M , { Ni , K } ib Kis server ignores the replay of M’

  31. Idealization Another flaw in BAN Logic • The Nessett protocol Assumptions k A B believes | A k ab A believes A B A believes Fresh ( Na ) B believes Fresh ( Na ) kab B believes A controls ( A B )

  32. Nessett Protocol • Analysis Message-meaning Message-meaning Nonce-verification Nonce-verification Jurisdication

  33. Explanation of the Flaw • Establishing the property distributing information to a subset of the principals so that some predicated defined over this population obtained • Failing to provide the second property distributing information in such a way that another subset of the population is denied accessed to it

  34. Argument of the Flaw • Assumption that A believes that Kab is a good shared key for A and B. This is clearly inconsistent with the message exchange, where A publishes Kab • The inconsistency is not manifested by formalism but is manifested by the wit of man to notice • The author admits that it is hard to provide a logic for finding all security problems

  35. Flaws in BAN Logic • On Protocol Idealization No well-understood semantic rule to govern this job makes this job a very expert one. • On Belief In nonce-verification, a principal positively establishes a belief due to the statement made by another principal disregarding the fact that the latter may be cheating. E.g. : P believes that Q said X, where X is a statement “I am not Q”; Q may still be identified (authenticated) as Q even if he said this, just as he may turn out to be someone else even if X is “I am Q” • On Protocol Assumption There is no way of knowing in the BAN approach if slightly different assumptions would change an unsatisfactory protocol into a good one. It also cannot be shown that the assumption used for a good protocol are necessary, or are the weakest possible. • On Confidentiality The goodness of a session key rests on a statement issued by a trustworthy principal. BAN logic can not tell whether a session key under distribution is exclusively delivered to an expected set of principals.

  36. Possible Improvements • Challenge & Response • Deny Postulates • Weakest pre-condition Bottom-up method

  37. Critiques on BAN Logic • 1 Failure to discover flaws which violate security in a basic sense • 2 When the logic finds a bug in a protocol, everyone believes that it is a bug; when the logic finds a proof of correctness, people seem to have trouble believing that it is a proof • 3 informality in the logic’s operational semantics

  38. Summary Anyway • BAN logic is an initial approach towards Formal Analysis of cryptograph protocols • The work is pioneering and classic • It has provided us a good framework of applying Logic to protocol analysis. Researches have been carried out to adapt it into a logical reasoning computation suitable for computer-aided analysis

  39. Reference: • [1] M. Burrows, M. Adadi, and R. Needham. “A logic of authentication” • [2] D. Nessett. “A Critique of the Burrows, Abadi and Needham Logic” • [3] W. Mao and C. Boyd. “Towards Formal Analysis of Security Protocols”

  40. Questions and Comments Welcome any discussions on this topic

  41. Thank U  :P

  42. Outtake: On Secret • If you believe that only you and Bob know X, then you ought to believe that any encrypted message you receive containng X comes originally from Bob. • X combined wit the formula Y; it is intended that Y be a secret, and that its presence prove the identity of whoever utters especially useful to password

More Related