1 / 28

An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols

What you may have understood of Dusko’s talk yesterday if he hadn’t been speaking so fast. An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols. Part I. Iliano Cervesato Tulane University. Catherine Meadows NRL. Dusko Pavlovic Kestrel Institute.

temira
Télécharger la présentation

An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What you may have understood of Dusko’s talk yesterday if he hadn’t been speaking so fast An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols Part I Iliano Cervesato Tulane University Catherine Meadows NRL Dusko Pavlovic Kestrel Institute Protocol eXchange June 10, 2005

  2. Contributions • Separate • Authentication reasoning • Secrecy reasoning • Define a logic of pure authentication • Secrecy as assumptions • Embed it in derivational framework • Apply to shared-key server-assisted key distribution protocols • Taxonomy • Comparative study • Clear understanding of underlying mechanisms I.Cervesato: Encapsulated Authentication Logic

  3. KD0 Server-Assisted SharedKey DistributionProtocols KD1 KD2 KD3 KD4 http://theory.stanford.edu/~iliano/papers/csfw05.pdf DS NSSK0 NSSKfix0 K5core0 K4core0 NSSK1 NSSKfix1 K5core K4core NSSK NSSKfix I.Cervesato: Encapsulated Authentication Logic

  4. Generate k Send k to A Send k to B • Secrecy depends on authentication • ksecret only if sent over authenticated channels Authentication Secrecy • Authentication depends on secrecy Authentication • Cryptographic authentication relies on secrecy of long-term keys Secrecy KeyDistributionProtocols I.Cervesato: Encapsulated Authentication Logic

  5. Authentication Completing partial order of actions Get piping right Local reasoning Positive inference Secrecy Secret goes only to intended recipients Pipes do not leak Global reasoning Negative inference Verifying KD Protocols Historically single monolithic proofs … BUT … secrecy and authentication rely on very different proof methods I.Cervesato: Encapsulated Authentication Logic

  6. Divide et Conquera • Two coordinated logics • Logic of authentication • Relies on secrecy assumptions • Logic of secrecy • Relies on authentication assumptions • Benefits • Much simpler proofs • Modularity • Deeper understanding of • mechanisms • properties I.Cervesato: Encapsulated Authentication Logic

  7. Describing Protocol Runs • Principal actions • <m: A -> B>A – Send • (X: Y -> Z)A – Receive • (m/p(x))A – match • (n n)A , (t t)A – new nonce, timestamp • Runs • Partial order of actions • Every receive has a send • Every match has succeeded • Observations • Protocols • Set of parametric roles • Akin to observations I.Cervesato: Encapsulated Authentication Logic

  8. Authentication Logic • First-Order logic with 3 predicates • aA – action aA has occurred • aA < bB – aA has occurred before bB • aA = bB – aA and bB are the same action Nothing else! • Usage • Given A’s observations, extend them with other principal’s actions • Derive compatible runs A: ObsA F A: Y & ObsA F • Iterated application of axioms I.Cervesato: Encapsulated Authentication Logic

  9. Honesty Principal does not deviate from role honest S Secrecy Key uncompromised for given principals secret(k, G) =k mX< X  G &(x/k y)X X  G A S Z? k m secret(k,[A,S]) Logical Assumptions I.Cervesato: Encapsulated Authentication Logic

  10. X B A A m n n K n secret(K, [A,B]) B A t t Honest B Axioms • Basic truths about domain • Receive axiom Y: ((m))A mX<< ((m))A • Challenge-response axiom A: secret(K, [A,B]) & (n n)A < nA<< ((K n))A (n n)A < nA<< ((n))B < K nB<< ((K n))A • Timestamp axiom A: honest B &tB<< ((t))A ( t)A < (t t)B < tB<< ((t))A < ( t)A • Allow inferring new actions/ordering I.Cervesato: Encapsulated Authentication Logic

  11. KD0 A S B n k KAS k KBS k A KAS k A: (KAS k)A A X KAS k A: (KAS k)A  < KAS kX< < (KAS k)A secret(KAS, [A,S]) & A: (KAS k)A A S A S B < KAS kS<  < (KAS k)A KAS k secret(KAS, [A,S]) & honest S & secret(KAS, [A,S]) A: n k (KAS k)A KAS k KBS k ? KAS kS<KBS kS< (n k)S <  < (KAS k)A secret(KAS, [A,S]) honest S Abstract KeyDistribution • S spontaneously • Generates k • Sends it to A, B • A, B hardwired • Encrypted with KAS, KBS • A observes only (KAS k) • A reconstructs run • Must assume • honest S • secret(KAS, [A,S]) • Not secret(KBS, [B,S]) • B’s reception unknown • Dual for B I.Cervesato: Encapsulated Authentication Logic

  12. Derivational Approach • Use rules, not just axioms • Operate on protocol and properties • Refinements • Transformations • Advantages • Abstract general constructions • Reuse protocol fragments • Structured understanding of • Mechanism • Properties • Relations between protocols • Open-ended taxonomies I.Cervesato: Encapsulated Authentication Logic

  13. KD1 A S B A,B n k KAS k KBS k A A S X A,B A,B n k A: A,BA < (KAS k)AB KAS k KAS k KXS k ? secret(KAS, [A,S]) honest S secret(KAS, [A,S]) & honest S & A: A,BA < (KAS k)A X S B B A,BA X,B  < (KAS k)A KAS kS<KXS kS< (A,X)S < (n k)S < n k KXS k KBS k ? honest S secret(KBS, [B,S]) Key Request • A issues request • A may not be talking to B • Even if S honest • Same holds for B I.Cervesato: Encapsulated Authentication Logic

  14. KD2 A S B A,B n k KAS (B,k) KBS (A,k) A A S B A,B A,B n k KAS (B,k) KAS (B,k) KBS (A,k) ? secret(KAS, [A,S]) honest S Binding • S includes names • A (B) authenticated to B (A) Similar for B • Not how typical KD protocols are set up • S sends to 1 party only I.Cervesato: Encapsulated Authentication Logic

  15. KD3 A S B A,B n k KAS(B,k), KBS(A,k) KBS(A,k) A A A A S B A,B A,B n k KAS (B,k), M KAS (B,k), M KAS (B,k), KBS (A,k) M M ? secret(KAS, [A,S]) honest S Concatenated Relay • S sends all to A • A forwards to B • Seedling of Kerberos 5 • A knows S sent KAS (B,k), KBS (A,k) • A received KAS (B,k), M • A doesn’t know if M = KBS (A,k) • Documented anomaly of Kerberos 5 I.Cervesato: Encapsulated Authentication Logic

  16. KD4 A S B A,B A A A A S B A,B A,B n k KAS(B,k,KBS(A,k)) n k KAS (B,k, M) KAS (B,k, KBS (A,k)) KBS(A,k) M KBS (A,k) ? secret(KAS, [A,S]) honest S Embedded Relay • Encrypted “ticket” • Basis of • NSSK • Denning Sacco • Kerberos 4 I.Cervesato: Encapsulated Authentication Logic

  17. KD4 A S B B A,B n k KAS (B,k, KBS (A,k)) ? X A S B KBS (A,k) KBS (A,k) A,B secret(KBS, [B,S]) honest S n k KAS(B,k,KBS(A,k)) A S B A,B KBS(A,k) n k KAS (B,k, KBS (A,k)) KBS (A,k) secret(KBS, [B,S]) honest S secret(KAS, [A,S]) B’s Point of View • With only • secret(KBS, [B,S]) knows S generated k • With also • secret(KAS, [A,S]) knows A knows k • A may not be honest I.Cervesato: Encapsulated Authentication Logic

  18. secret(KAS, [A,S]) & honest S & A: A,BA < (KAS k)A A S X A,B A,BA n k KAS k KXS k KAS kS<KXS kS< ? < (KAS k)A  secret(KAS, [A,S]) honest S (A,X)S < (n k)S < Additional Properties • Recency • (n k)S bracketed by events controlled by A/B • Otherwise, intruder can infer k and attack protocol • Even if S is honest • Not satisfied so far • Key confirmation • A/B knows that B/A has k • Essential for using k • Only B in KD4 (under assumption) I.Cervesato: Encapsulated Authentication Logic

  19. A S B A S n n n A,B n k KASn KAS (B,k, KBS (A,k)) KBS (A,k) n n A,B,n n k KAS (n,B,k, KBS (A,k)) KBS (A,k) Recency with Nonces • Use challenge-response as bracket I.Cervesato: Encapsulated Authentication Logic

  20. NSSK0 A S B n n n,A,B n k KAS(n,B,k,KBS(A,k)) KBS(A,k) secret(KAS, [A,S]) & honest S & A: (n n)A < A,B,nA < (KAS (n,B,k,M))A < (M)A  (n n)A < A,B,nA <(A,B,n)S < (n k)S < KAS (n,B,k, KBS (A,k))S< < (KAS (n,B,k, KAS (A,k)))A< (KAS (A,k))A Core NSSK • (n k)S bounded by (n n)A • Ensures recency of k to A • A can reconstruct run up to B’s action • No such guarantees for B • Denning-Sacco attack I.Cervesato: Encapsulated Authentication Logic

  21. NSSKfix0 A S B Core NSSK-fix A n n’ KBS(A,n’) n n n,A,B, KBS(A,n’) • Same device for B • Complications • Keeping A as initiator • Sending n’ to A • Achieves recency for B too • Complicated n k KAS(n,B,k,KBS(A,k,n’)) KBS(A,k,n’) I.Cervesato: Encapsulated Authentication Logic

  22. NSSK1 A A S B n n n n A,B,n A,B,n n k KAS (n,B,k, M) KAS (n,B,k, KBS (A,k)) M KBS (A,k) k m k m secret(KAS, [A,S]) secret(k, [A,B,S]) honest S A S B Key Confirmation n n n,A,B n k KAS(n,B,k,KBS(A,k)) • B knows A has k • B tells A he has k bysending agreed message KBS(A,k) k m ExtendstoNSSK-fix I.Cervesato: Encapsulated Authentication Logic

  23. NSSK A S B NSSK does more! n n n,A,B n k KAS(n,B,k,KBS(A,k)) • B concludes with CR • k not confirmed to A • Unless tagging • B already knows A has k • Exchange typical of repeated authentication • B repeatedly request service from A • … but A is initiator! • Similarly for NSSK-fix KBS(A,k) n n’ k n’ k (n’+1) I.Cervesato: Encapsulated Authentication Logic

  24. A S KAS m t t S KAS (m,t) S A A t KAS m KAS (m,t) secret(KAS, [A,S]) Honest S secret(KAS, [A,S]) Recency with Timestamps • Timestamp as bracketingdevice • Requires loosely synchronizedclocks I.Cervesato: Encapsulated Authentication Logic

  25. DS A S B Denning-Sacco A,B n kt t KAS(B,k,t,KBS(A,k,t)) • Use timestamp forrecency • Guarantee recency to both A and B • Same assurance as core NSSK-fix • Only 3 messages KBS(A,k,t) I.Cervesato: Encapsulated Authentication Logic

  26. K4core A S B Core Kerberos 4 A,B n kt t KAS(B,k,t,KBS(A,k,t)) t t’ • = NSSK + key confirmation + repeated authentication • Timestamp ensures recency of each new request • A is client and initiator • Kerberos 4 • 2 rounds of core Kerberos • Many more fields, options, … KBS(A,k,t), k(A,t’) k m[t’] I.Cervesato: Encapsulated Authentication Logic

  27. K5core A S B Kerberos 5 A,B KAS(B,k,t),KBS(A,k,t) n kt t t t’ • Same developmentbut… • Start fromconcatenated variant of Denning Sacco KBS(A,k,t), k(A,t’) k m[t’] I.Cervesato: Encapsulated Authentication Logic

  28. Current Future Work Define Secrecy Logic • Authentication as assumptions • Modular model of secrecy • Dolev-Yao • Information-theoretic • Computational • Apply to examples • Diffie-Hellman hierarchy • Full Kerberos 5 • PKINIT • Implement within Kestrel’s PDA Future I.Cervesato: Encapsulated Authentication Logic

More Related