Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols Iliano Cervesato Tulane University Protocol eXchangeJune 10, 2005 Catherine.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols Iliano Cervesato Tulane University Protocol eXchangeJune 10, 2005 Catherine."— Presentation transcript:

1 An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols Iliano Cervesato Tulane University Protocol eXchangeJune 10, 2005 Catherine Meadows NRL Dusko Pavlovic Kestrel Institute What you may have understood of Dusko’s talk yesterday if he hadn’t been speaking so fast Part I

2 I.Cervesato: Encapsulated Authentication Logic1/27 Contributions  Separate  Authentication reasoning  Secrecy reasoning  Define a logic of pure authentication  Secrecy as assumptions  Embed it in derivational framework  Apply to shared-key server-assisted key distribution protocols  Taxonomy  Comparative study  Clear understanding of underlying mechanisms

3 I.Cervesato: Encapsulated Authentication Logic2/27 Server-Assisted Shared Key Distribution Protocols KD 0 KD 1 KD 2 KD 3 KD 4 NSSK 0 NSSKfix 0 DS NSSKfix 1 NSSKfix NSSK 1 NSSK K4core 0 K4core K5core 0 K5core http://theory.stanford.edu/~iliano/papers/csfw05.pdf

4 I.Cervesato: Encapsulated Authentication Logic3/27 Secrecy  k secret only if sent over authenticated channels Key Distribution Protocols Authentication  Cryptographic authentication relies on secrecy of long-term keys Secrecy  Secrecy depends on authentication  Authentication depends on secrecy Authentication Generate k Send k to BSend k to A

5 I.Cervesato: Encapsulated Authentication Logic4/27 Verifying KD Protocols  Authentication  Completing partial order of actions  Get piping right  Local reasoning  Positive inference  Secrecy  Secret goes only to intended recipients  Pipes do not leak  Global reasoning  Negative inference Historically single monolithic proofs … BUT … secrecy and authentication rely on very different proof methods

6 I.Cervesato: Encapsulated Authentication Logic5/27 Divide et Conquera  Two coordinated logics  Logic of authentication  Relies on secrecy assumptions  Logic of secrecy  Relies on authentication assumptions  Benefits  Much simpler proofs  Modularity  Deeper understanding of  mechanisms  properties

7 I.Cervesato: Encapsulated Authentication Logic6/27 Describing Protocol Runs  Principal actions  B> A – Send  (X: Y -> Z) A – Receive  (m/p(x)) A – match  ( n) A, (  t) A – new nonce, timestamp  Runs  Partial order of actions  Every receive has a send  Every match has succeeded  Observations  Protocols  Set of parametric roles  Akin to observations

8 I.Cervesato: Encapsulated Authentication Logic7/27 Authentication Logic  First-Order logic with 3 predicates  a A – action a A has occurred  a A < b B – a A has occurred before b B  a A = b B – a A and b B are the same action Nothing else!  Usage  Given A’s observations, extend them with other principal’s actions  Derive compatible runs A: Obs A   A:  & Obs A    Iterated application of axioms

9 I.Cervesato: Encapsulated Authentication Logic8/27 Logical Assumptions  Honesty  Principal does not deviate from role honest S  Secrecy  Key uncompromised for given principals secret(k, G) =  k m  X<  X  G & (x/k y) X  X  G k m A Z? secret(k,[A,S]) S

10 I.Cervesato: Encapsulated Authentication Logic9/27 Axioms  Basic truths about domain  Receive axiom Y: ((m)) A   m  X< < ((m)) A  Challenge-response axiom A: secret(K, [A,B]) & ( n) A <  n  A< < ((K n)) A  ( n) A <  n  A< < ((n)) B <  K n  B< < ((K n)) A  Timestamp axiom A: honest B &  t  B< < ((t)) A  (  t) A < (  t) B <  t  B< < ((t)) A < (  t) A  Allow inferring new actions/ordering m AX A n K n n A B t B secret(K, [A,B]) t Honest B

11 I.Cervesato: Encapsulated Authentication Logic10/27 Abstract Key Distribution  S spontaneously  Generates k  Sends it to A, B  A, B hardwired  Encrypted with K AS, K BS  A observes only (K AS k) secret(K AS, [A,S]) & honest S & A: (K AS k) A < (K AS k) A   K AS k  S<  K BS k  S< ( k) S < secret(K AS, [A,S]) A K AS k S B K BS k honest S k ? secret(K AS, [A,S]) & A:(K AS k) A < (K AS k) A  <  K AS k  S< secret(K AS, [A,S]) A K AS k S A:(K AS k) A <  K AS k  X< < (K AS k) A  A K AS k X A:(K AS k) A A K AS k A S B K BS k k  A reconstructs run  Must assume  honest S  secret(K AS, [A,S])  Not secret(K BS, [B,S])  B’s reception unknown  Dual for B KD 0

12 I.Cervesato: Encapsulated Authentication Logic11/27 Derivational Approach  Use rules, not just axioms  Operate on protocol and properties  Refinements  Transformations  Advantages  Abstract general constructions  Reuse protocol fragments  Structured understanding of  Mechanism  Properties  Relations between protocols  Open-ended taxonomies

13 I.Cervesato: Encapsulated Authentication Logic12/27 Key Request  A issues request A K AS k S B K BS k k A,B  A may not be talking to B  Even if S honest  Same holds for B secret(K BS, [B,S]) X K XS k S B K BS k honest S k ? X,B B secret(K AS, [A,S]) A K AS k S X K XS k honest S k ? A,B  A,B  A secret(K AS, [A,S]) & honest S & A: < (K AS k) A   K AS k  S<  K XS k  S< (A,X) S < ( k) S <  A,B  A < (K AS k) A A K AS k A,B A:  A,B  A < (K AS k) AB KD 1

14 I.Cervesato: Encapsulated Authentication Logic13/27 Binding  S includes names A K AS (B,k) S B K BS (A,k) k A,B secret(K AS, [A,S]) A K AS (B,k) S B K BS (A,k) honest S k ? A,B A K AS (B,k) A,B Similar for B  Not how typical KD protocols are set up  S sends to 1 party only  A (B) authenticated to B (A) KD 2

15 I.Cervesato: Encapsulated Authentication Logic14/27 Concatenated Relay  S sends all to A  A forwards to B  Seedling of Kerberos 5 A K AS (B,k), K BS (A,k) S B k A,B K BS (A,k)  A knows S sent K AS (B,k), K BS (A,k)  A received K AS (B,k), M  A doesn’t know if M = K BS (A,k)  Documented anomaly of Kerberos 5 secret(K AS, [A,S]) AS B K AS (B,k), K BS (A,k) honest S k ? A,B A K AS (B,k), M M A A,B A K AS (B,k), M M KD 3

16 I.Cervesato: Encapsulated Authentication Logic15/27 Embedded Relay  Encrypted “ticket”  Basis of  NSSK  Denning Sacco  Kerberos 4 A K AS (B,k,K BS (A,k)) S B k A,B K BS (A,k) secret(K AS, [A,S]) AS B honest S k ? A,B A K AS (B,k, K BS (A,k)) K BS (A,k) A A,B A K AS (B,k, M) M KD 4

17 I.Cervesato: Encapsulated Authentication Logic16/27 B’s Point of View  With only  secret(K BS, [B,S]) knows S generated k  With also  secret(K AS, [A,S]) knows A knows k  A may not be honest KD 4 A K AS (B,k,K BS (A,k)) S B k A,B K BS (A,k) secret(K BS, [B,S]) S B honest S k A,B A K AS (B,k, K BS (A,k)) K BS (A,k) secret(K AS, [A,S]) secret(K BS, [B,S]) S honest S k A,B A K AS (B,k, K BS (A,k)) B K BS (A,k) ? X B

18 I.Cervesato: Encapsulated Authentication Logic17/27 Additional Properties  Recency  ( k ) S bracketed by events controlled by A/B  Otherwise, intruder can infer k and attack protocol  Even if S is honest  Not satisfied so far  Key confirmation  A/B knows that B/A has k  Essential for using k  Only B in KD 4 (under assumption)  A,B  A secret(K AS, [A,S]) & honest S & A: < (K AS k) A   K AS k  S<  K XS k  S< (A,X) S < ( k) S <  A,B  A < (K AS k) A secret(K AS, [A,S]) A K AS k S X K XS k honest S k ? A,B

19 I.Cervesato: Encapsulated Authentication Logic18/27 Recency with Nonces  Use challenge-response as bracket A n K AS n n S S B k A,B A K AS (B,k, K BS (A,k)) K BS (A,k) k A,B,n K AS (n,B,k, K BS (A,k)) K BS (A,k) n

20 I.Cervesato: Encapsulated Authentication Logic19/27 Core NSSK  ( k) S bounded by ( n) A  Ensures recency of k to A  A can reconstruct run up to B’s action A K AS (n,B,k,K BS (A,k)) S B k n,A,B K BS (A,k) n secret(K AS, [A,S]) & honest S & A:  ( n) A <  A,B,n  A < (A,B,n) S < ( k) S <  K AS (n,B,k, K BS (A,k))  S< < (K AS (n,B,k, K AS (A,k))) A < (K AS (A,k)) A ( n) A <  A,B,n  A < (K AS (n,B,k, M) ) A < (M) A  No such guarantees for B  Denning-Sacco attack NSSK 0

21 I.Cervesato: Encapsulated Authentication Logic20/27 Core NSSK-fix  Same device for B  Complications  Keeping A as initiator  Sending n’ to A  Achieves recency for B too  Complicated A K AS (n,B,k,K BS (A,k,n’)) S B k n,A,B, K BS (A,n’) K BS (A,k,n’) n K BS (A,n’) A n’ NSSKfix 0

22 I.Cervesato: Encapsulated Authentication Logic21/27 Key Confirmation  B knows A has k  B tells A he has k by sending agreed message A K AS (n,B,k,K BS (A,k)) S B k n,A,B K BS (A,k) n k m A A,B,n K AS (n,B,k, M) M k m n secret(K AS, [A,S]) AS B honest S k A,B,n K AS (n,B,k, K BS (A,k)) K BS (A,k) k m n secret(k, [A,B,S]) Extends to NSSK-fix NSSK 1

23 I.Cervesato: Encapsulated Authentication Logic22/27 NSSK does more!  B concludes with CR  k not confirmed to A  Unless tagging  B already knows A has k  Exchange typical of repeated authentication  B repeatedly request service from A  … but A is initiator!  Similarly for NSSK-fix A K AS (n,B,k,K BS (A,k)) S B k n,A,B K BS (A,k) n k n’ k (n’+1) n’ NSSK

24 I.Cervesato: Encapsulated Authentication Logic23/27 Recency with Timestamps  Timestamp as bracketing device  Requires loosely synchronized clocks A K AS m S  t K AS (m,t) A S K AS m secret(K AS, [A,S]) A S K AS (m,t) t Honest S secret(K AS, [A,S])

25 I.Cervesato: Encapsulated Authentication Logic24/27 Denning-Sacco  Use timestamp for recency  Guarantee recency to both A and B  Same assurance as core NSSK-fix  Only 3 messages A K AS (B,k,t,K BS (A,k,t)) S B k  t A,B K BS (A,k,t) DS

26 I.Cervesato: Encapsulated Authentication Logic25/27 Core Kerberos 4  = NSSK + key confirmation + repeated authentication  Timestamp ensures recency of each new request  A is client and initiator  Kerberos 4  2 rounds of core Kerberos  Many more fields, options, … A K AS (B,k,t,K BS (A,k,t)) S B k  t A,B K BS (A,k,t), k(A,t’)  t’ k m[t’] K4core

27 I.Cervesato: Encapsulated Authentication Logic26/27 Kerberos 5  Same development but…  Start from concatenated variant of Denning Sacco A K AS (B,k,t), K BS (A,k,t) S B k  t A,B K BS (A,k,t), k(A,t’)  t’ k m[t’] K5core

28 I.Cervesato: Encapsulated Authentication Logic27/27 Future Work Define Secrecy Logic  Authentication as assumptions  Modular model of secrecy  Dolev-Yao  Information-theoretic  Computational  Apply to examples  Diffie-Hellman hierarchy  Full Kerberos 5  PKINIT  Implement within Kestrel’s PDA Current Future

Download ppt "An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols Iliano Cervesato Tulane University Protocol eXchangeJune 10, 2005 Catherine."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
NETWORK SECURITY.

NETWORK SECURITY.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL.

Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL.
Authentication & Kerberos

Authentication & Kerberos
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Similar presentations

Ads by Google