Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu.

Similar presentations


Presentation on theme: "A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu."— Presentation transcript:

1 A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu

2 Using Logic to analyze authentication protocols describing the beliefs of trustworthy parties involved in authentication protocols presenting the evolution of these beliefs as a consequence of communication

3 Purpose: Discover subtleties in different authentication protocols Draw attention to errors in them Suggest improvements Answering: What does this protocol achieve? Does this protocol need more assumptions than another one? Does this protocol do anything unnecessary that could be left out without weakening it? Does this protocol encrypt something that could be sent in clear without weakening it?

4 Outline Introduce BAN logic Demo how BAN logic analyzes protocol BAN logic Defects Discussion on BAN logic

5 Authentication Protocols: Guarantee The principals really are who they say they are They will end up in possession of one or more shared secrets or recognize the use of other principals’ secrets Review:

6 Introduction to BAN Logic Mechanically verify the reasoning Objects Principals, encryption keys, formulas Predicate constructs Interpret organized objects into logical statements with truth values Inference rules (Logic Postulates) a means to reason abut the above predicate constructs A, B, S K, Kab X, {X} K, Na

7 Predicate Constructs P believes X P sees X P said X P controls X Fresh (X) P Q P {X} k  K  K P has jurisdiction over X the principal P is an authority on X and should be trusted on this matter. Shared key Public key The formula X encrypted under the key K

8 Logical Postulates Message-meaning Nonce-verification Jurisdiction Freshness

9 Logical Postulates II Component

10 Steps of Logic Analysis: 1 Derive idealized protocol from the original one Transform the protocol into statements (formula) (3)guidelines of idealization of a protocol (something debating) 2 State assumptions about initial state skills in giving the assumption 3 Attach logical formula to each statement of the protocol, as assertions about the state of the system after each statement 4 Apply logical rules to assumptions and assertions, in order to discover the beliefs held by principals in the protocol 5 Conclude what beliefs are held at the end of the protocol (I)A believes (II)A believes B believes B believes B believes A believes A  B k k k k

11 Logic Demo The Kerberos Protocol 1 A->S: A,B 2 S->A: {Ts, L, K ab, B, {Ts, L, K ab, A} K bs } K as 3 A->B: {Ts, L, K ab, A} K bs, {A, T a } K ab 4 B->A: {T a +1} K ab 2S->A: {Ts, A B, {Ts, A B} K bs } K as 3A->B: {Ts, A B} K bs, {Ta, A B} K ab fromA 4B->A: {Ta, A B} K ab from B Idealized as:

12 Guideline of Idealization A message used as a hint is to be omitted Cleartext is omitted simple because it can be forged  A real message m can be interpreted as a formula X if whenever the recipient gets m he may deduce that the sender must have believed X when he sent m Real nonces are transformed into arbitrary new formulas

13 Logic Demo (Con’t) Idealization 2S->A: {Ts, A B, {Ts, A B} K bs } K as 3A->B: {Ts, A B} K bs, {Ta, A B} K ab fromA 4B->A: {Ta, A B} K ab from B

14 Logic Demo (Con’t) Assumption A believes A SB believes B S S believes A SS believes B S S believes A B A believes (S controls A B) B believes (S controls A B) A believes fresh(Ts)B believes fresh(Ts) A believes fresh(Ta) B believes fresh(Ta)

15 Logic Demo (Con’t) Analysis {Ts, A B, {Ts, A B} K bs } K as Assumption Message-meaning Assertion component Assumption A BeliefJurisdiction Conclusion 1: Nonce -Verification Assumption Belief

16 Logic Demo (Con’t) {Ts, A B} K bs, {Ta, A B} K ab Message-meaning Assertion B Component Assumption Nonce -Verification Assumption Belief Assumption Jurisdiction Conclusion 2: Message-meaning Nonce -Verification Conclusion 3: Belief Assumption

17 Logic Demo (Con’t) {Ta, A B} K ab Message-meaning Assertion A Nonce -Freshness Conclusion 1: Conclusion 2: Conclusion 3: Conclusion 1: Conclusion 4: Belief Assumption

18 Logic Demo (Con’t) Conclusion Beliefs we get Improvement we can find In the analysis of the second message, {Ts, A B}K bs is not needed to be re-encrypted as we look back through the formal analysis

19 The Otway-Rees Protocol Protocol Idealized protocol

20 The Otway-Rees Protocol Idealization The fact that the messages are sent at all, because if the common nonces had not matched nothing would ever have happened.

21 The Otway-Rees Protocol Assumption A believes A S k as B believes B S k bs S believes A S k as S believes B S k bs S believes A B k ab A believes S controls A B k ab B believes S controls A B k ab A believes S controls(B said X)B believes S controls(A said X) A believes Fresh(N a ) S believes Fresh(N b ) A believes Fresh(N c )

22 The Otway-Rees Protocol Analysis

23 The Otway-Rees Protocol Analysis

24 The Otway-Rees Protocol Analysis

25 The Otway-Rees Protocol Beliefs The author has partly used the belief we reached in the middle into the idealized protocol Both A and B gets the new key Kab A is in a better position than B A knows B exists but does not know if B gets the key K ab

26 The Otway-Rees Protocol Conclusion N a can be eliminated Na could just be as well have been done using Nc N b need not be encrypted in the second message Modification

27 BAN Logic Defects

28 BAN Logic Exclusion BAN Logic Declaration: Allow for the possible of hostile principal Neither deal with the authentication of an untrustworthy principal Nor detect weakness of encryption schemes or unauthorized release of secrets

29 The Otway-Rees Protocol Modified protocol

30 The Otway-Rees Protocol One Possible Attack server ignores the replay of M’ M’s freshness is provided by Na we have to doubt it as a nounce. Principal A should be honest!!! I(A)B:M,A,B, {M’,Ni,I,B} Kis I(B)S:M’,A,B, {M’,Ni,I,B} Kis Nb, {M’,A,B} Kbs I(S)B:M, {Ni,K ib } Kis, {Nb,K ib } Kbs B A:M, {Ni,K ib } Kis B S:M,A,B, {M’,Ni,I,B} Kis, Nb, {M,A,B} Kbs

31 Another flaw in BAN Logic The Nessett protocol Idealization Assumptions B believes|A k A A believesA B k ab B believes Fresh(Na) B believes A controls(A B) k ab A believes Fresh(Na)

32 Nessett Protocol Analysis Message-meaning Nonce-verification Jurisdication Message-meaning Nonce-verification

33 Explanation of the Flaw Establishing the property distributing information to a subset of the principals so that some predicated defined over this population obtained Failing to provide the second property distributing information in such a way that another subset of the population is denied accessed to it

34 Argument of the Flaw Assumption that A believes that Kab is a good shared key for A and B. This is clearly inconsistent with the message exchange, where A publishes Kab The inconsistency is not manifested by formalism but is manifested by the wit of man to notice The author admits that it is hard to provide a logic for finding all security problems

35 Flaws in BAN Logic On Protocol Idealization No well-understood semantic rule to govern this job makes this job a very expert one. On Belief In nonce-verification, a principal positively establishes a belief due to the statement made by another principal disregarding the fact that the latter may be cheating. E.g. : P believes that Q said X, where X is a statement “I am not Q”; Q may still be identified (authenticated) as Q even if he said this, just as he may turn out to be someone else even if X is “I am Q” On Protocol Assumption There is no way of knowing in the BAN approach if slightly different assumptions would change an unsatisfactory protocol into a good one. It also cannot be shown that the assumption used for a good protocol are necessary, or are the weakest possible. On Confidentiality The goodness of a session key rests on a statement issued by a trustworthy principal. BAN logic can not tell whether a session key under distribution is exclusively delivered to an expected set of principals.

36 Possible Improvements Challenge & Response Deny Postulates Weakest pre-condition Bottom-up method

37 Critiques on BAN Logic 1 Failure to discover flaws which violate security in a basic sense 2 When the logic finds a bug in a protocol, everyone believes that it is a bug; when the logic finds a proof of correctness, people seem to have trouble believing that it is a proof 3 informality in the logic’s operational semantics

38 Summary Anyway BAN logic is an initial approach towards Formal Analysis of cryptograph protocols The work is pioneering and classic It has provided us a good framework of applying Logic to protocol analysis. Researches have been carried out to adapt it into a logical reasoning computation suitable for computer- aided analysis

39 Reference: [1] M. Burrows, M. Adadi, and R. Needham. “A logic of authentication” [2] D. Nessett. “A Critique of the Burrows, Abadi and Needham Logic” [3] W. Mao and C. Boyd. “Towards Formal Analysis of Security Protocols”

40 Questions and Comments Welcome any discussions on this topic

41 Thank U :P

42 Outtake: If you believe that only you and Bob know X, then you ought to believe that any encrypted message you receive containng X comes originally from Bob. On Secret especially useful to password X combined wit the formula Y; it is intended that Y be a secret, and that its presence prove the identity of whoever utters


Download ppt "A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu."

Similar presentations


Ads by Google