Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modelling and Analysing of Security Protocol: Lecture 5 BAN logic Tom Chothia CWI.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Modelling and Analysing of Security Protocol: Lecture 5 BAN logic Tom Chothia CWI."— Presentation transcript:

1 Modelling and Analysing of Security Protocol: Lecture 5 BAN logic Tom Chothia CWI

2 Introduction So far you have learn: – the “vocabulary” of protocols and – to “look hard at it to see if its right”. This is a lot more than most people know! But how can we be sure that a protocol is correct? This lecture: BAN logic - A formal logic of security protocols.

3 SecureComm Lots of state-of-the-art protocol research including: –“VANET”: Vehicular Ah-hoc NETworks –“Rural area networks”: Put the routers on bus - hours of delays between messages. –Government Emergency Telecommunications Service (GETS): Updating priority telephone systems for VoIP protocols.

4 A BitTorrent DoS attack Target

5 A BitTorrent DoS attack Tracker

6 A BitTorrent DoS attack Tracker Target

7 OpenFire Open up the network: –so that people attack decoy machines, –not the real machines.

8 Kerberos A protocol for key establishment and authentication used in Windows, MacOS, Apache, OpenSSH,... 1.A  S : A,B,N A 2.S  A : {K AB,B,L,N A,..} K AS,{K AB,A,L,..} K BS 3.A  B : {A,T A } K AB,{K AB,A,L,..} K BS 4.B  A : {T A +1} K AB

9 Kerberos Assumption A and S share the key K AS B and S share the key K AS A trusts S to generate a new key B trusts S to generate a new key N is a nonce, T is a timestamp and L is an expiration time.

10 What Do We Mean By Correct? “Good Key” and “Key Confirmation”: –A believes that K AB is a good key to communicate with B –B believes that K AB is a good key to communicate with A –A believes that B believes that K AB is a good key to communicate with A

11 Why “A” Believes in the Key? A’s belief in the key comes from the message: 2. {K AB,B,L,N A,..} K AS,{K AB,A,L,..} K BS This line and the assumptions are all “A” needs.

12 Why “A” Believes in the Key? Step 1: A sees the message part {K AB,B,L,N A,..} K AS As the key K AS is only shared with A and S the part of the message (K AB,B,L,N A ) must have come from S. Rule: If A and S share a key K and A sees a message { M } K (not from A) then A can conclude that S said “M” at some point.

13 Why “A” Believes in the Key? Step 1: A believes that S said (K AB,B,L,N A ) at some point N A is A’s nonce therefore this cannot be an old message therefore A can conclude that S said (K AB,B,L,N A ) as part of the current run of the protocol. Rule: If A believe that S once said M and M includes a nonce then A can conclude that S currently believes M

14 Why “A” Believes in the Key? Step 1: A believes that S currently believes (K AB,B,L,N A ) and in particular K AB as a key for A and B. A trusts S to makes keys for A and B, therefore A can accept K AB as a key with B. Rule: If A trusts S to produce keys and A believes that S believes in a key then A believe in the key.

15 Verify this Argument There are 4 parts to this argument: –The assumptions. –The protocol messages. –The rules. –The application of the rules. If the check each of these parts you can be sure the whole proof is correct.

16 Logic A “logic” is a formal system of reasoning. They specify rules for knowledge, e.g. Rule: If you know that “A implies B” and you know “A” then you may conclude “B” General Idea: the logic fixes the rules and you or a computer applies them. If the rules lead your goal then you know it’s true.

17 and rules like: A /\ B A A => B A B   x. A(x) A(y) Logic Classic Logic uses: A /\ B and A \/ B or ~ A not A => B implies  x.A(x) For all  x.A(x) Exist

18 Proof Trees All men are mortal, Plato is a man, therefore Plato is mortal.  x. Man(x)  Mortal(x) Man(Plato)  Mortal(Plato) Man(Plato) Mortal(Plato)

19 Logics A logic is “sound” if everything you can deduce from the rules is true. And “complete” if everything that is true can be deduced. There is no sound and complete logic for mathematics... if there was all mathematicians would be out of a job!

20 BAN logic See paper and JAPE demo

21 Wide Mouth Frog Protocol A light weight key establishment protocol: 1. A  S : A, {Ta, B, K ab } Kas 2. S  B : {Ts, A, K ab } Kbs What are the assumption?

22 Conclusion BAN logic give us a formal way to reason about protocols. It’s not “sound” or “complete” but it is very effective. If you have time to a BAN proof of your protocol. If you don’t think about the rules.

Download ppt "Modelling and Analysing of Security Protocol: Lecture 5 BAN logic Tom Chothia CWI."

Similar presentations

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.
Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.
Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols Tom Chothia CWI.
Modelling and Analysing of Security Protocol: Lecture 11 Modelling Checking Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 11 Modelling Checking Tom Chothia CWI.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Debate. Inductive Reasoning When you start with a probable truth, and seek evidence to support it. Most scientific theories are inductive. Evidence is.

Debate. Inductive Reasoning When you start with a probable truth, and seek evidence to support it. Most scientific theories are inductive. Evidence is.
BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.

BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.
Knowledge Representation Methods

Knowledge Representation Methods
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
TR1413: Discrete Mathematics For Computer Science Lecture 3: Formal approach to propositional logic.

TR1413: Discrete Mathematics For Computer Science Lecture 3: Formal approach to propositional logic.

Similar presentations

Ads by Google