Modelling and Analysing of Security Protocol: Lecture 5 BAN logic Tom Chothia CWI.

Slides:

Advertisements

Similar presentations

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Advertisements

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 11 Modelling Checking Tom Chothia CWI.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Debate. Inductive Reasoning When you start with a probable truth, and seek evidence to support it. Most scientific theories are inductive. Evidence is.

BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.

Knowledge Representation Methods

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

TR1413: Discrete Mathematics For Computer Science Lecture 3: Formal approach to propositional logic.

Providing Trusted Paths Using Untrusted Components Andre L. M. dos Santos Georgia Institute of Technology

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.

A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu.

Modelling and Analysing of Security Protocol: Lecture 2 Cryptology for Protocols Analysis Tom Chothia CWI.

1 Protocols are programs too The meta-heuristic search for security protocols By John A. Clark.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

Chapter 2 Protocols Controlling communications of principals in systems.

Clarke, R. J (2001) L951-08: 1 Critical Issues in Information Systems BUSS 951 Seminar 8 Arguments.

Alice and Bob’s Revenge? AliceBob Elvis. If there is a protocol If there is a protocol then there must be a shortest protocol 1.Alice  Bob : ??? 2.Bob.

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Information Security of Embedded Systems : BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Debate. Inductive Reasoning When you start with a probable truth, and seek evidence to support it. Most scientific theories are inductive. Evidence is.

1 Authentication Protocols Celia Li Computer Science and Engineering York University.

Programming Satan’s Computer

MA 110: Finite Math Dr. Maria Byrne Instructional Laboratory 0345 When you enter, pick up a quiz and complete it at your desk.

Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Formal Analysis of Security Protocols Dr. Changyu Dong

MA 110: Finite Math Lecture 1/14/2009 Section 1.1 Homework: 5, 9-15, (56 BP)

BAN LOGIC Amit Chetal Monica Desai November 14, 2001

Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.

Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.

Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.

Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.

Digital Signatures, Message Digest and Authentication Week-9.

1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.

6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,

Kerberos Guilin Wang School of Computer Science 03 Dec

Network Protocols Network Systems Security Mort Anvari.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.

Do Now  What does logos appeal to in an advertisement?  Give three examples.

HACNet Simulation-based Validation of Security Protocols Vinay Venkataraghavan Advisors: S.Nair, P.-M. Seidel HACNet Lab Computer Science and Engineering.

TRUSTED FLOW: Why, How and Where??? Moti Yung Columbia University.

1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.

International Conference Security in Pervasive Computing(SPC’06) MMC Lab. 임동혁.

KERBEROS SYSTEM Kumar Madugula.

Pertemuan #8 Key Management Kuliah Pengaman Jaringan.

Do now Can you make sure that you have finished your Venn diagrams from last lesson. Can you name 5 famous mathematicians (including one that is still.

Chapter 7. Propositional and Predicate Logic

Logic for Computer Security Protocols

The discursive essay.

Chapter 7. Propositional and Predicate Logic

Loop Invariants CSC 171 FALL 2001 LECTURE 6.

“You have zero privacy anyway, get over it”

Presentation transcript:

Modelling and Analysing of Security Protocol: Lecture 5 BAN logic Tom Chothia CWI

Introduction So far you have learn: – the “vocabulary” of protocols and – to “look hard at it to see if its right”. This is a lot more than most people know! But how can we be sure that a protocol is correct? This lecture: BAN logic - A formal logic of security protocols.

SecureComm Lots of state-of-the-art protocol research including: –“VANET”: Vehicular Ah-hoc NETworks –“Rural area networks”: Put the routers on bus - hours of delays between messages. –Government Emergency Telecommunications Service (GETS): Updating priority telephone systems for VoIP protocols.

A BitTorrent DoS attack Target

A BitTorrent DoS attack Tracker

A BitTorrent DoS attack Tracker Target

OpenFire Open up the network: –so that people attack decoy machines, –not the real machines.

Kerberos A protocol for key establishment and authentication used in Windows, MacOS, Apache, OpenSSH,... 1.A  S : A,B,N A 2.S  A : {K AB,B,L,N A,..} K AS,{K AB,A,L,..} K BS 3.A  B : {A,T A } K AB,{K AB,A,L,..} K BS 4.B  A : {T A +1} K AB

Kerberos Assumption A and S share the key K AS B and S share the key K AS A trusts S to generate a new key B trusts S to generate a new key N is a nonce, T is a timestamp and L is an expiration time.

What Do We Mean By Correct? “Good Key” and “Key Confirmation”: –A believes that K AB is a good key to communicate with B –B believes that K AB is a good key to communicate with A –A believes that B believes that K AB is a good key to communicate with A

Why “A” Believes in the Key? A’s belief in the key comes from the message: 2. {K AB,B,L,N A,..} K AS,{K AB,A,L,..} K BS This line and the assumptions are all “A” needs.

Why “A” Believes in the Key? Step 1: A sees the message part {K AB,B,L,N A,..} K AS As the key K AS is only shared with A and S the part of the message (K AB,B,L,N A ) must have come from S. Rule: If A and S share a key K and A sees a message { M } K (not from A) then A can conclude that S said “M” at some point.

Why “A” Believes in the Key? Step 1: A believes that S said (K AB,B,L,N A ) at some point N A is A’s nonce therefore this cannot be an old message therefore A can conclude that S said (K AB,B,L,N A ) as part of the current run of the protocol. Rule: If A believe that S once said M and M includes a nonce then A can conclude that S currently believes M

Why “A” Believes in the Key? Step 1: A believes that S currently believes (K AB,B,L,N A ) and in particular K AB as a key for A and B. A trusts S to makes keys for A and B, therefore A can accept K AB as a key with B. Rule: If A trusts S to produce keys and A believes that S believes in a key then A believe in the key.

Verify this Argument There are 4 parts to this argument: –The assumptions. –The protocol messages. –The rules. –The application of the rules. If the check each of these parts you can be sure the whole proof is correct.

Logic A “logic” is a formal system of reasoning. They specify rules for knowledge, e.g. Rule: If you know that “A implies B” and you know “A” then you may conclude “B” General Idea: the logic fixes the rules and you or a computer applies them. If the rules lead your goal then you know it’s true.

and rules like: A /\ B A A => B A B   x. A(x) A(y) Logic Classic Logic uses: A /\ B and A \/ B or ~ A not A => B implies  x.A(x) For all  x.A(x) Exist

Proof Trees All men are mortal, Plato is a man, therefore Plato is mortal.  x. Man(x)  Mortal(x) Man(Plato)  Mortal(Plato) Man(Plato) Mortal(Plato)

Logics A logic is “sound” if everything you can deduce from the rules is true. And “complete” if everything that is true can be deduced. There is no sound and complete logic for mathematics... if there was all mathematicians would be out of a job!

BAN logic See paper and JAPE demo

Wide Mouth Frog Protocol A light weight key establishment protocol: 1. A  S : A, {Ta, B, K ab } Kas 2. S  B : {Ts, A, K ab } Kbs What are the assumption?

Conclusion BAN logic give us a formal way to reason about protocols. It’s not “sound” or “complete” but it is very effective. If you have time to a BAN proof of your protocol. If you don’t think about the rules.