Download presentation
Presentation is loading. Please wait.
1
Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST
2
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20102 Symmetric keys with authentication server
3
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20103 Kerberos key distribution protocol
4
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20104 Structure 1. Introductory example 2. Embedded systems engineering 1.definitions and terms 2.design principles 3. Foundations of security 1.threats, attacks, measures 2.construction of safe systems 4. Design of secure systems 1.design challenges 2.safety modelling and assessment 3.cryptographic algorithms 5. Communication of embedded systems 1.remote access 2.sensor networks 6. Algorithms and measures 1.digital signatures 2.key management 3.authentication 4.authorization 7. Formal methods for security 1.protocol verification 2.logics and proof methods
5
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20105 BAN Logic M. Burrows, M.Abadi, R. Needham: „A Logic of Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, pp. 18-36, February 1990 a formal method for verifying that two principals (people, computer, services) are entitled to believe they are communicating with each other and not the intruders Goal: Formally prove security of authentication protocols make hidden assumptions explicit exhibit design flaws support trust in the correctness
6
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20106 Main Purposes of BAN Logic BAN logic helps to prove whether or not a protocol does or does not meet its security goals BAN logic helps make the protocols more efficient by eliminating messages, contents of message, or encryptions of messages Despite eliminating them, the security goals still can be reached BAN logic helps clarify the protocol’s assumptions by formally stating them slides / text from http://www.lix.polytechnique.fr/~catuscia/teaching/cg597/01Fall/lecture_notes/BAN_Logic.ppt#256,1, BAN LOGIC http://www.lix.polytechnique.fr/~catuscia/teaching/cg597/01Fall/lecture_notes/BAN_Logic.ppt#256,1, BAN LOGIC
7
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20107 Modal Logic of Belief BAN logic concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes The steps of BAN logic to analyze the original protocol are as follows: 1)The protocol is transformed into some “idealized” form 2)Identify the initial assumptions in the language of BAN logic 3)Use the postulates and rules of the logic to deduce new predicates 4)Interpret the statements you’ve proved by the process: Have the original goals been met?
8
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20108 Formalism Basic Notation Formalism built on a several sorts of objects: principals, encryption keys, and formulas(statements) A, B, and S denote specific principals K ab, K as, and K bs denoted specific shared keys K b, K a, and K s denote specific public keys K b -1, K a -1, and K s -1 denote corresponding secret keys N a, N b, N c denote specific statements P, Q, and R range over principals X and Y range over statements K ranges over encryption keys
9
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20109 Formalism P | X P believes X. P would be entitled to believe X. The principal P may act as though X is true P X P sees X. P can read the contents of X(possibly after decryption, assuming P has the needed keys) and P can include X in messages to other principals P |~ X P once said X: P at some time sent a message including the statement X. It is not known when the message was sent(in the past or in the current run of the protocol) but P believed that X was true when it send the message P | X P controls X. P has jurisdiction over X. P is a trusted authority on the truth of X #(X) X is fresh. X is fresh if it is not contained in any message sent in the past
10
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201010 Basic Notation K P Q K is a shared key for P and Q. K is a secure key for communication between P and Q, and it will never be discovered by any principal except for P or Q, or a principal trusted by either P or Q. K | P K is a public key for P. The matching secret key(the inverse of K, denoted by K -1 will never be discovered by any principal except P, or a principals trusted by P. {X} K X encrypted under K. It represents the message X encrypted using the key K.
11
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201011 Formalism (Hilbert style) derivation system consists of axioms and inference rules “All human are mortal”, “Sokrates is human” |- “Sokrates is mortal” Statement Z follows from a conjunction of statements X and Y (X, Y) _________ Z
12
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201012 Inference rules (1) Message meaning rule (MMR): Rule concerns the interpretation of messages. This rule helps to explain the origin of the messages. K P | Q P, P {X} K ____________________________ P | Q |~ X Nonce-verification rule (NVR): This rule checks that a message is recent, and also checks if the sender still believes in it. P | #(X), P | Q |~ X __________________________________ P | Q | X
13
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201013 Inference rules (2) Jurisdiction rule (JUR): This rule states what it means for a principal to be the trusted authority on the truth of X. P | Q X, P | Q | X ________________________________ P | X Belief Rules (BEL): The rules state that a principal believes a collection of statements if and only if it believes each of the statements individually. A) P | X, P | Y B) P | (X, Y) ___________________ ___________________ P | (X, Y) P | X C) P | Q | (X, Y) etc. ____________________ P | Q | X
14
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201014 Inference rules (3) Saying rules (SAY): These rules say that a principal sees all the components of every message it sees, provided that the principal knows the necessary key K A) P (X, Y) B) P | Q P, P {X} K ____________________ ______________________________ P X P X Freshness Rule (FRS): This rule states that any message with a fresh component is also fresh. P | #(X) ____________________ P | #(X, Y)
15
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201015 Idealized Protocols Typical protocol step: P Q : message Example: A B : {A, K ab }K bs Transform each protocol into an idealized form 1.Omit the parts of the message that do not contribute to the beliefs of the recipient 2.Omit clear text communication because it can be forged Idealized version: Kab A B : {A B}K bs When message is sent to B it can be deduced that: Kab B {A B}k bs The receiving principle becomes aware of the message (sees the message) and can act upon it
16
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201016 Goals of Authentication Authentication rests on communication protected by shared session key, so the goals of authentication may be reached between A and B if there is a K such that: K K A | A B B | A B However, often we want to achieve more: K A | B| A B B | A | A B principals are mutually convinced of authentity
17
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201017 Steps in Protocol Analysis Derive the idealized protocol from the original one Write assumptions about the initial state Use the postulates and rules of the logic to deduce new predicates This is repeated through all the protocol messages Determine if goals of authentication have been met
18
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201018 Analysis of Needham-Schröder Original version without idealization Message 1 A S:(A, B, N A ) Message 2 S A:{N A, B, K AB, {K AB, A}K BS } K AS Message 3 A B:{K AB, A}K BS Message 4 B A:{N B }K AB Message 5 A B:{N B – 1}K AB Idealized version Kab Kab Kab (Msg2) S A: A {N A, (A B), # (A B), {A B}K bs } K as Kab (Msg3) A B: B {A B}K bs Kab (Msg4) B A: A {N B, (A B)}K ab from B Kab (Msg5) A B: B {N B, (A B)}K ab from A
19
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201019 Initial assumptions Kas Kbs (ass1) A | A S (ass2) B | B S KasKbsKab (ass3) S | A S(ass4) S | B S (ass5) S | A B Kab Kab (ass6) A | (S | A B) (ass7) B | (S | A B) Kab (ass8) A | (S | #(A B)) (ass9) A | #(N a )(ass10) B | #(N b ) Kab Kab (ass11) S | #(A B)(ass12) B | #(A B)
20
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201020 Analysis (1) Kab Kab Kab (Msg2) A {N a, (A B), #(A B), {A B}K bs }K as Kas (ass1) A | A S K Rule (MMR): P | Q P, P {X} K ____________________________ P | Q |~ X With (ass1), (MMR) and (Msg2) : Kab Kab Kab (1) A | S |~ (N a, (A B), #(A B), {A B}K bs )
21
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201021 Analysis (2) (ass9) A | #(N a ) Rule (FRS): P | #(X) _________ P | #(X, Y) Hence: Kab Kab Kab (2) A | #(N a, (A B), #(A B), {A B}K bs )
22
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201022 Analysis (3) Kab Kab Kab (1) A | S |~ (N a, (A B), #(A B), {A B}K bs ) Kab Kab Kab (2) A | #(N a, (A B), #(A B), {A B}K bs ) Rule (NVR): P | #(X), P | Q |~ X __________________________________ P | Q | X Kab Kab Kab (3) A | S | (N a, (A B), #(A B), {A B}K bs )
23
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201023 Analysis (4) Kab Kab Kab (3) A | S | (N a, (A B), #(A B), {A B}K bs ) Rule (BEL): P | Q | (X,Y) __________________________ P | Q | X K ab (4) A | S | (A B) and: K ab (5) A | S | #(A B)
24
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201024 Analysis (5) Kab Kab (4) A | S | (A B) (5) A | S | #(A B) Kab Kab (ass6) A | (S | A B) (ass8) A | (S | #(A B) Rule (JUR): P | Q | X,P | Q | X __________________________________ P | X Kab Kab (6) A | (A B)and (7) A | #(A B)
25
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201025 Analysis (6) Kab (Msg3) B {A B}K bs Kbs (ass2) B | S B (MMR) K P | Q P, P {X} k ___________________________ P | Q |~ X Kab (8) B | S |~ {A B}K bs
26
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201026 Analysis (7) Kab (ass12) B | #(A B) Kab (8) B | S |~ {A B}K bs We can apply (NVR): P | #(X), P | Q |~ X ______________________________________ P | Q | X And derive: Kab (9) B | S | {A B}
27
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201027 Analysis (8) Recall the Assumption: Kab B | (S | A B) Also recall the derived formula above stating: Kab B | S | {A B} We can apply the jurisdiction rule which is: P | Q | X,P | Q | X ____________________________________ P | X And we can derive: Kab (10) B | {A B}
28
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201028 Analysis (9) Now we can apply the logical postulate rules to the next message with assumptions Kab (Msg4) B A: {N b, (A B)} K ab We can then say that: Kab A {N b, (A B)} K ab We can use (SAY): P (X,Y) _________________ P X We can then derive that: Kab A {(A B)} K ab
29
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201029 Analysis (10) previously we obtained: Kab A | (B A) Also recall the result that we just obtained the previous step: Kab A {(A B)}K ab We can apply the message meaning rule: K P | Q P, P {X} k ___________________________ P | Q |~ X Finally, we can deduce that: Kab A | B |~ (A B)
30
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201030 Analysis (11) Recall a previous result we obtained: Kab A | #(A B) Also recall the result that we just obtained the previous step: Kab A | B |~ (A B) We can apply the nonce-verification rule: P | #(X), P | Q |~ X _______________________________________ P | Q | X We then obtain: Kab A | B| (A B) In similar manner, we can also derive that: Kab B | A| (A B)
31
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201031 Conclusions of Analysis The goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key Kab and that moreover they each believe that the other believes it K K B | A B (msg 3) A | A B (msg 2) We also achieve this final goal: K K A | B | A B (msg 4) B | A | A B (msg 4) Our analysis achieves these results, since we have derived these goals. This authentication protocol has an extra assumption, which is that B assumes the key B receives from A is fresh. So Needham-Schroeder protocol had this flaw in it.
32
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201032 Advantages of BAN Logic One of earliest successful attempts at formally reasoning about authentication protocols. Huge success for formal methods in cryptography, useful tool Uncovered implicit assumptions and weaknesses in a number of protocols Involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met. Strengths in its simplicity of its logic and its ease of use
33
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201033 Deficits of BAN Logic Belief logic is much different from a knowledge logic. Knowledge logics have an axiom of the following form “If x knows p, then p is true.” However, belief systems do not have this axiom, since a belief in p says nothing about the truth or falsity of p. Assumption that all principals taking part in a protocol are honest, in the sense that each principal believes in the truth of each message it sends. However, honesty is not a logical assumption to make Vehicle for extensive research in the areas for basis and development of other logic systems
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.