Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST."— Presentation transcript:

1 Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST

2 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20102 Symmetric keys with authentication server

3 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20103 Kerberos key distribution protocol

4 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20104 Structure 1. Introductory example 2. Embedded systems engineering 1.definitions and terms 2.design principles 3. Foundations of security 1.threats, attacks, measures 2.construction of safe systems 4. Design of secure systems 1.design challenges 2.safety modelling and assessment 3.cryptographic algorithms 5. Communication of embedded systems 1.remote access 2.sensor networks 6. Algorithms and measures 1.digital signatures 2.key management 3.authentication 4.authorization 7. Formal methods for security 1.protocol verification 2.logics and proof methods

5 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20105 BAN Logic M. Burrows, M.Abadi, R. Needham: „A Logic of Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, pp. 18-36, February 1990  a formal method for verifying that two principals (people, computer, services) are entitled to believe they are communicating with each other and not the intruders Goal: Formally prove security of authentication protocols  make hidden assumptions explicit  exhibit design flaws  support trust in the correctness

6 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20106 Main Purposes of BAN Logic BAN logic helps to prove whether or not a protocol does or does not meet its security goals BAN logic helps make the protocols more efficient by eliminating messages, contents of message, or encryptions of messages Despite eliminating them, the security goals still can be reached BAN logic helps clarify the protocol’s assumptions by formally stating them slides / text from http://www.lix.polytechnique.fr/~catuscia/teaching/cg597/01Fall/lecture_notes/BAN_Logic.ppt#256,1, BAN LOGIC http://www.lix.polytechnique.fr/~catuscia/teaching/cg597/01Fall/lecture_notes/BAN_Logic.ppt#256,1, BAN LOGIC

7 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20107 Modal Logic of Belief BAN logic concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes The steps of BAN logic to analyze the original protocol are as follows: 1)The protocol is transformed into some “idealized” form 2)Identify the initial assumptions in the language of BAN logic 3)Use the postulates and rules of the logic to deduce new predicates 4)Interpret the statements you’ve proved by the process: Have the original goals been met?

8 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20108 Formalism Basic Notation Formalism built on a several sorts of objects: principals, encryption keys, and formulas(statements) A, B, and S denote specific principals K ab, K as, and K bs denoted specific shared keys K b, K a, and K s denote specific public keys K b -1, K a -1, and K s -1 denote corresponding secret keys N a, N b, N c denote specific statements P, Q, and R range over principals X and Y range over statements K ranges over encryption keys

9 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 20109 Formalism P |  X P believes X. P would be entitled to believe X. The principal P may act as though X is true P  X P sees X. P can read the contents of X(possibly after decryption, assuming P has the needed keys) and P can include X in messages to other principals P |~ X P once said X: P at some time sent a message including the statement X. It is not known when the message was sent(in the past or in the current run of the protocol) but P believed that X was true when it send the message P |  X P controls X. P has jurisdiction over X. P is a trusted authority on the truth of X #(X) X is fresh. X is fresh if it is not contained in any message sent in the past

10 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201010 Basic Notation K P  Q K is a shared key for P and Q. K is a secure key for communication between P and Q, and it will never be discovered by any principal except for P or Q, or a principal trusted by either P or Q. K |  P K is a public key for P. The matching secret key(the inverse of K, denoted by K -1 will never be discovered by any principal except P, or a principals trusted by P. {X} K X encrypted under K. It represents the message X encrypted using the key K.

11 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201011 Formalism (Hilbert style) derivation system consists of axioms and inference rules “All human are mortal”, “Sokrates is human” |- “Sokrates is mortal” Statement Z follows from a conjunction of statements X and Y (X, Y) _________ Z

12 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201012 Inference rules (1) Message meaning rule (MMR): Rule concerns the interpretation of messages. This rule helps to explain the origin of the messages. K P |  Q  P, P  {X} K ____________________________ P |  Q |~ X Nonce-verification rule (NVR): This rule checks that a message is recent, and also checks if the sender still believes in it. P |  #(X), P |  Q |~ X __________________________________ P |  Q |  X

13 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201013 Inference rules (2) Jurisdiction rule (JUR): This rule states what it means for a principal to be the trusted authority on the truth of X. P |  Q  X, P |  Q |  X ________________________________ P |  X Belief Rules (BEL): The rules state that a principal believes a collection of statements if and only if it believes each of the statements individually. A) P |  X, P |  Y B) P |  (X, Y) ___________________ ___________________ P |  (X, Y) P |  X C) P |  Q |  (X, Y) etc. ____________________ P |  Q |  X

14 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201014 Inference rules (3) Saying rules (SAY): These rules say that a principal sees all the components of every message it sees, provided that the principal knows the necessary key K A) P  (X, Y) B) P |  Q  P, P  {X} K ____________________ ______________________________ P  X P  X Freshness Rule (FRS): This rule states that any message with a fresh component is also fresh. P |  #(X) ____________________ P |  #(X, Y)

15 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201015 Idealized Protocols Typical protocol step: P  Q : message Example: A  B : {A, K ab }K bs Transform each protocol into an idealized form 1.Omit the parts of the message that do not contribute to the beliefs of the recipient 2.Omit clear text communication because it can be forged Idealized version: Kab A  B : {A  B}K bs When message is sent to B it can be deduced that: Kab B  {A  B}k bs The receiving principle becomes aware of the message (sees the message) and can act upon it

16 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201016 Goals of Authentication Authentication rests on communication protected by shared session key, so the goals of authentication may be reached between A and B if there is a K such that: K K A |  A  B B |  A  B However, often we want to achieve more: K A |  B|  A  B B |  A |  A  B principals are mutually convinced of authentity

17 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201017 Steps in Protocol Analysis Derive the idealized protocol from the original one Write assumptions about the initial state Use the postulates and rules of the logic to deduce new predicates This is repeated through all the protocol messages Determine if goals of authentication have been met

18 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201018 Analysis of Needham-Schröder Original version without idealization Message 1 A  S:(A, B, N A ) Message 2 S  A:{N A, B, K AB, {K AB, A}K BS } K AS Message 3 A  B:{K AB, A}K BS Message 4 B  A:{N B }K AB Message 5 A  B:{N B – 1}K AB Idealized version Kab Kab Kab (Msg2) S  A: A  {N A, (A  B), # (A  B), {A  B}K bs } K as Kab (Msg3) A  B: B  {A  B}K bs Kab (Msg4) B  A: A  {N B, (A  B)}K ab from B Kab (Msg5) A  B: B  {N B, (A  B)}K ab from A

19 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201019 Initial assumptions Kas Kbs (ass1) A |  A  S (ass2) B |  B  S KasKbsKab (ass3) S |  A  S(ass4) S |  B  S (ass5) S |  A  B Kab Kab (ass6) A |  (S |  A  B) (ass7) B |  (S |  A  B) Kab (ass8) A |  (S |  #(A  B)) (ass9) A |  #(N a )(ass10) B |  #(N b ) Kab Kab (ass11) S |  #(A  B)(ass12) B |  #(A  B)

20 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201020 Analysis (1) Kab Kab Kab (Msg2) A  {N a, (A  B), #(A  B), {A  B}K bs }K as Kas (ass1) A |  A  S K Rule (MMR): P |  Q  P, P  {X} K ____________________________ P |  Q |~ X With (ass1), (MMR) and (Msg2) : Kab Kab Kab (1) A |  S |~ (N a, (A  B), #(A  B), {A  B}K bs )

21 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201021 Analysis (2) (ass9) A |  #(N a ) Rule (FRS): P |  #(X) _________ P |  #(X, Y) Hence: Kab Kab Kab (2) A |  #(N a, (A  B), #(A  B), {A  B}K bs )

22 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201022 Analysis (3) Kab Kab Kab (1) A |  S |~ (N a, (A  B), #(A  B), {A  B}K bs ) Kab Kab Kab (2) A |  #(N a, (A  B), #(A  B), {A  B}K bs ) Rule (NVR): P |  #(X), P |  Q |~ X __________________________________ P |  Q |  X Kab Kab Kab (3) A |  S |  (N a, (A  B), #(A  B), {A  B}K bs )

23 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201023 Analysis (4) Kab Kab Kab (3) A |  S |  (N a, (A  B), #(A  B), {A  B}K bs ) Rule (BEL): P |  Q |  (X,Y) __________________________ P |  Q |  X K ab (4) A |  S |  (A  B) and: K ab (5) A |  S |  #(A  B)

24 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201024 Analysis (5) Kab Kab (4) A |  S |  (A  B) (5) A |  S |  #(A  B) Kab Kab (ass6) A |  (S |  A  B) (ass8) A |  (S |  #(A  B) Rule (JUR): P |  Q |  X,P |  Q |  X __________________________________ P |  X Kab Kab (6) A |  (A  B)and (7) A |  #(A  B)

25 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201025 Analysis (6) Kab (Msg3) B  {A  B}K bs Kbs (ass2) B |  S  B (MMR) K P |  Q  P, P  {X} k ___________________________ P |  Q |~ X Kab (8) B |  S |~ {A  B}K bs

26 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201026 Analysis (7) Kab (ass12) B |  #(A  B) Kab (8) B |  S |~ {A  B}K bs We can apply (NVR): P |  #(X), P |  Q |~ X ______________________________________ P |  Q |  X And derive: Kab (9) B |  S |  {A  B}

27 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201027 Analysis (8) Recall the Assumption: Kab B |  (S |  A  B) Also recall the derived formula above stating: Kab B |  S |  {A  B} We can apply the jurisdiction rule which is: P |  Q |  X,P |  Q |  X ____________________________________ P |  X And we can derive: Kab (10) B |  {A  B}

28 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201028 Analysis (9) Now we can apply the logical postulate rules to the next message with assumptions Kab (Msg4) B  A: {N b, (A  B)} K ab We can then say that: Kab A  {N b, (A  B)} K ab We can use (SAY): P  (X,Y) _________________ P  X We can then derive that: Kab A  {(A  B)} K ab

29 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201029 Analysis (10) previously we obtained: Kab A |  (B  A) Also recall the result that we just obtained the previous step: Kab A  {(A  B)}K ab We can apply the message meaning rule: K P |  Q  P, P  {X} k ___________________________ P |  Q |~ X Finally, we can deduce that: Kab A |  B |~ (A  B)

30 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201030 Analysis (11) Recall a previous result we obtained: Kab A |  #(A  B) Also recall the result that we just obtained the previous step: Kab A |  B |~ (A  B) We can apply the nonce-verification rule: P |  #(X), P |  Q |~ X _______________________________________ P |  Q |  X We then obtain: Kab A |  B|  (A  B) In similar manner, we can also derive that: Kab B |  A|  (A  B)

31 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201031 Conclusions of Analysis The goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key Kab and that moreover they each believe that the other believes it K K B |  A  B (msg 3) A |  A  B (msg 2) We also achieve this final goal: K K A |  B |  A  B (msg 4) B |  A |  A  B (msg 4) Our analysis achieves these results, since we have derived these goals. This authentication protocol has an extra assumption, which is that B assumes the key B receives from A is fresh. So Needham-Schroeder protocol had this flaw in it.

32 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201032 Advantages of BAN Logic One of earliest successful attempts at formally reasoning about authentication protocols. Huge success for formal methods in cryptography, useful tool Uncovered implicit assumptions and weaknesses in a number of protocols Involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met. Strengths in its simplicity of its logic and its ease of use

33 10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 201033 Deficits of BAN Logic Belief logic is much different from a knowledge logic. Knowledge logics have an axiom of the following form “If x knows p, then p is true.” However, belief systems do not have this axiom, since a belief in p says nothing about the truth or falsity of p. Assumption that all principals taking part in a protocol are honest, in the sense that each principal believes in the truth of each message it sends. However, honesty is not a logical assumption to make Vehicle for extensive research in the areas for basis and development of other logic systems

Download ppt "Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST."

Similar presentations

Information Security of Embedded Systems 9.1.2010: Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Information Security of Embedded Systems 4.11.2009: Embedded Systems Design Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Embedded Systems Design Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.

BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
Information Security of Embedded Systems 9.1.2010: Public Key Cryptosystems, Communication Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Public Key Cryptosystems, Communication Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Similar presentations

Ads by Google