BAN: A Logic of Authentication - PowerPoint PPT Presentation



Ban a logic of authentication

Concordia University

Design and Analysis of Security Protocols (INSE 7100)

BAN: A Logic of Authentication

Mourad Erhioui

Ahmed Gario

Sami Zhioua

October 27, 2003


Content

1. Introduction

- Syntax

- Logical postulates (rules)

2. Protocol analysis

- Different steps

- Detailed example (Kerberos protocol)

3. Conclusion

- Needham-Schroeder protocol (outline)

- Limitations and advantages

- Conclusion


Introduction

  • BAN is the first logic to formally analyze authentication protocols (1990).

  • It is named after its inventors: Mike Burrows, Martin Abadi and Roger Needham.

  • BAN is a belief logic: it concentrates on the beliefs of principals and the evolution of these beliefs through the execution of the protocol.


BAN Objectives

  • Prove whether a protocol does or does not meet its security goals.

  • Make protocols more efficient:

- Does this protocol do anything unnecessary that could be left out without weakening it?

- Does this protocol encrypt something that could be sent in the clear without weakening it?


Formalism (1)

  • If Alice believes a proposition P, we write $A \mid\!\equiv P$ and we say: ‘A believes P’.

  • A shared key between Alice and Bob is written as: $A \overset{K_{AB}}{\longleftrightarrow} B$.

  • If Alice believes that $K_{AB}$ is a good key to communicate with Bob, then we write: $A \mid\!\equiv A \overset{K_{AB}}{\longleftrightarrow} B$.

  • If Alice believes that S can be trusted to create a good key to communicate with Bob, we write: $A \mid\!\equiv S \Rightarrow A \overset{K_{AB}}{\longleftrightarrow} B$, and we say that ‘A believes that S has jurisdiction over good keys for A and B’.


Formalism (2)

  • If Alice sent a message containing the statement P, we write: $A \mid\!\sim P$ and we say: ‘A once said P’.

  • When a statement P is fresh, we write: $\#(P)$ and we say: ‘P is fresh’.

  • When Alice receives a message P, we write: $A \triangleleft P$ and we say: ‘A sees P’.


Formalism (Summary)

  • $P \mid\!\equiv X$ : P believes X

  • $P \triangleleft X$ : P sees X

  • $P \mid\!\sim X$ : P once said X

  • $\#(X)$ : X is fresh

  • $P \Rightarrow X$ : P has jurisdiction over X

  • $P \overset{K}{\longleftrightarrow} Q$ : K is a good key for communication between P and Q

  • $\overset{K}{\mapsto} P$ : P has K as a public key


BAN Logical postulates

  • A rule written

$$\frac{P}{Q}$$

means: if P is true, then Q is true.

  • If Alice believes X and the rule

$$\frac{X}{Y}$$

holds, then Alice believes Y.


Message significance rule

  • Public key:

$$\frac{P \mid\!\equiv \overset{K}{\mapsto} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P \mid\!\equiv Q \mid\!\sim X}$$

  • Shared key:

$$\frac{P \mid\!\equiv P \overset{K}{\longleftrightarrow} Q,\quad P \triangleleft \{X\}_{K}}{P \mid\!\equiv Q \mid\!\sim X}$$


Nonce verification

$$\frac{P \mid\!\equiv \#(X),\quad P \mid\!\equiv Q \mid\!\sim X}{P \mid\!\equiv Q \mid\!\equiv X}$$


Jurisdiction rule

$$\frac{P \mid\!\equiv Q \Rightarrow X,\quad P \mid\!\equiv Q \mid\!\equiv X}{P \mid\!\equiv X}$$


More rules

1. $$\frac{P \mid\!\equiv X,\quad P \mid\!\equiv Y}{P \mid\!\equiv (X, Y)}$$

2. $$\frac{P \mid\!\equiv (X, Y)}{P \mid\!\equiv X}$$

3. $$\frac{P \mid\!\equiv Q \mid\!\equiv (X, Y)}{P \mid\!\equiv Q \mid\!\equiv X}$$

4. $$\frac{P \mid\!\equiv Q \mid\!\sim (X, Y)}{P \mid\!\equiv Q \mid\!\sim X}$$

5. $$\frac{P \triangleleft (X, Y)}{P \triangleleft X}$$

6. $$\frac{P \mid\!\equiv P \overset{K}{\longleftrightarrow} Q,\quad P \triangleleft \{X\}_{K}}{P \triangleleft X}$$

7. $$\frac{P \mid\!\equiv \#(X)}{P \mid\!\equiv \#(X, Y)}$$


BAN

  • BAN cannot be used to prove that a protocol is flawed.

  • But when we cannot prove that a protocol is correct, that protocol deserves to be treated with grave suspicion.




Idealized protocol

  • BAN logic transforms each step of a protocol into an idealized form.

  • Message 1: $A \rightarrow B : \{A, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}$ : principal A sends the message to principal B.

    • It is an informal notation:

      • Ambiguous presentation

      • Obscure in meaning

      • Not appropriate for formal analysis

  • In the idealized form, the recipient's view of the message is written: $B \triangleleft \{A, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}$


Idealized protocol (Con.)

  • Transform each protocol into an idealized form:

    • Omit the parts of the message that do not contribute to the beliefs of the recipient.

    • Omit clear-text communication, because it can be forged.

    • Messages that are not encrypted are removed during the idealization steps.

    • Only encrypted fields are retained in the idealization.


Protocol Analysis

  • Derive the idealized protocol from the original one.

  • Write assumptions about the initial state.

  • Add logical formulas to the statements of the protocol.

  • Use the postulates and rules of the logic to deduce new predicates.


The Kerberos Protocol

[Figure: S, A and B exchanging messages 1 to 4 of the Kerberos protocol listed below.]

Message 1: $A \rightarrow S : A, B$

Message 2: $S \rightarrow A : \{T_s, L, K_{ab}, B, \{T_s, L, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$

Message 3: $A \rightarrow B : \{T_s, L, K_{ab}, A\}_{K_{bs}}, \{A, T_a\}_{K_{ab}}$

Message 4: $B \rightarrow A : \{T_a + 1\}_{K_{ab}}$


Idealized protocol

  • Original messages:

Message 1: $A \rightarrow S : A, B$

Message 2: $S \rightarrow A : \{T_s, L, K_{ab}, B, \{T_s, L, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$

Message 3: $A \rightarrow B : \{T_s, L, K_{ab}, A\}_{K_{bs}}, \{A, T_a\}_{K_{ab}}$

Message 4: $B \rightarrow A : \{T_a + 1\}_{K_{ab}}$

  • Idealized messages (message 1 is clear text and is omitted):

Message 2: $S \rightarrow A : \{T_s, A \overset{K_{ab}}{\longleftrightarrow} B, \{T_s, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$

Message 3: $A \rightarrow B : \{T_s, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}, \{T_a, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{ab}}$ from A

Message 4: $B \rightarrow A : \{T_a, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{ab}}$ from B


Protocol Analysis

  • Initial assumptions:

Keys: $A \mid\!\equiv A \overset{K_{as}}{\longleftrightarrow} S$, $S \mid\!\equiv A \overset{K_{as}}{\longleftrightarrow} S$, $B \mid\!\equiv B \overset{K_{bs}}{\longleftrightarrow} S$, $S \mid\!\equiv B \overset{K_{bs}}{\longleftrightarrow} S$, $S \mid\!\equiv A \overset{K_{ab}}{\longleftrightarrow} B$

Jurisdiction: $A \mid\!\equiv (S \Rightarrow A \overset{K}{\longleftrightarrow} B)$, $B \mid\!\equiv (S \Rightarrow A \overset{K}{\longleftrightarrow} B)$

Freshness: $A \mid\!\equiv \#(T_a)$, $B \mid\!\equiv \#(T_s)$, $B \mid\!\equiv \#(T_a)$


Goals of Authentication

  • Authentication rests on communication protected by a shared session key, so authentication between A and B is complete once there is a K such that:

$$A \mid\!\equiv A \overset{K}{\longleftrightarrow} B \qquad B \mid\!\equiv A \overset{K}{\longleftrightarrow} B$$

  • Some authentication protocols achieve this final goal:

$$A \mid\!\equiv B \mid\!\equiv A \overset{K}{\longleftrightarrow} B \qquad B \mid\!\equiv A \mid\!\equiv A \overset{K}{\longleftrightarrow} B$$


Goal of authentication

  • Prove, from the postulates of BAN and the assumptions, the goal of the protocol:

$$A \mid\!\equiv A \overset{K_{ab}}{\longleftrightarrow} B$$


Verification

  • From Message 2, A sees the key statement encrypted under $K_{as}$: $A \triangleleft \{A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{as}}$, and by assumption $A \mid\!\equiv A \overset{K_{as}}{\longleftrightarrow} S$.

  • The message meaning rule

$$\frac{A \mid\!\equiv S \overset{K_{as}}{\longleftrightarrow} A,\quad A \triangleleft \{X\}_{K_{as}}}{A \mid\!\equiv S \mid\!\sim X}$$

gives $A \mid\!\equiv S \mid\!\sim A \overset{K_{ab}}{\longleftrightarrow} B$.

  • With $A \mid\!\equiv \#(A \overset{K_{ab}}{\longleftrightarrow} B)$, the nonce verification rule

$$\frac{A \mid\!\equiv \#(X),\quad A \mid\!\equiv S \mid\!\sim X}{A \mid\!\equiv S \mid\!\equiv X}$$

gives $A \mid\!\equiv S \mid\!\equiv A \overset{K_{ab}}{\longleftrightarrow} B$.

  • With $A \mid\!\equiv (S \Rightarrow A \overset{K_{ab}}{\longleftrightarrow} B)$, the jurisdiction rule

$$\frac{A \mid\!\equiv S \Rightarrow A \overset{K_{ab}}{\longleftrightarrow} B,\quad A \mid\!\equiv S \mid\!\equiv A \overset{K_{ab}}{\longleftrightarrow} B}{A \mid\!\equiv A \overset{K_{ab}}{\longleftrightarrow} B}$$

gives the goal $A \mid\!\equiv A \overset{K_{ab}}{\longleftrightarrow} B$.
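The same derivation, mechanized: an added example (not code from the slides or from the BAN paper) that encodes the message meaning, nonce verification and jurisdiction postulates plus rules 3 and 7 as a small forward-chaining engine and runs it over the idealized Kerberos messages above. It assumes S's jurisdiction is over $K_{ab}$ specifically, adds $A \mid\!\equiv \#(T_s)$ to the slides' freshness assumptions because the Message 2 step needs a fresh component, and the tuple encoding of formulas is this example's own.

```python
# Added example, not the slides' own material: a small forward-chaining engine for the
# BAN postulates shown on this page, run over the slides' idealized Kerberos messages.
# Formula encoding (this example's own):  ('bel',P,X) P|≡X   ('sees',P,X) P◁X
#   ('said',P,X) P|~X   ('fresh',X) #(X)   ('ctrl',P,X) P⇒X   ('key',P,K,Q) P←K→Q
#   ('enc',K,X) {X}_K   ('pair',X,Y) (X,Y); longer messages are nested pairs.
def fresh(P, X, facts):
    """P |≡ #(X); rule 7 (#(X) gives #(X,Y)) lets either half of a pair carry it."""
    if ('bel', P, ('fresh', X)) in facts:
        return True
    return X[0] == 'pair' and any(fresh(P, Y, facts) for Y in X[1:])

def step(facts):
    """One pass over the postulates; returns formulas not yet in facts."""
    new = set()
    for _, P, X in [f for f in facts if f[0] == 'bel']:
        if X[0] == 'key' and P in (X[1], X[3]):       # message meaning (shared key K)
            K, Q = X[2], (X[3] if P == X[1] else X[1])
            for g in facts:                            # P ◁ {M}_K  gives  P |≡ Q |~ M
                if g[:2] == ('sees', P) and g[2][:2] == ('enc', K):
                    new.add(('bel', P, ('said', Q, g[2][2])))
        if X[0] == 'said' and fresh(P, X[2], facts):  # nonce verification
            new.add(('bel', P, ('bel', X[1], X[2])))
        if X[0] == 'ctrl' and ('bel', P, ('bel', X[1], X[2])) in facts:  # jurisdiction
            new.add(('bel', P, X[2]))
        if X[0] == 'bel' and X[2][0] == 'pair':       # rule 3: P|≡Q|≡(X,Y) gives P|≡Q|≡X
            new.update(('bel', P, ('bel', X[1], Y)) for Y in X[2][1:])
    return new - facts

def derive(facts):
    facts = set(facts)                                 # close under the postulates (fixpoint)
    while new := step(facts):
        facts |= new
    return facts

KAB = ('key', 'A', 'Kab', 'B')                      # A ←Kab→ B
TICKET = ('enc', 'Kbs', ('pair', 'Ts', KAB))        # {Ts, A←Kab→B}Kbs
AUTH = ('enc', 'Kab', ('pair', 'Ta', KAB))          # {Ta, A←Kab→B}Kab (messages 3 and 4)
MSG2 = ('enc', 'Kas', ('pair', 'Ts', ('pair', KAB, TICKET)))
ASSUMPTIONS = frozenset({
    ('bel', 'A', ('key', 'A', 'Kas', 'S')), ('bel', 'B', ('key', 'B', 'Kbs', 'S')),
    ('bel', 'A', ('ctrl', 'S', KAB)), ('bel', 'B', ('ctrl', 'S', KAB)),  # S controls Kab
    ('bel', 'A', ('fresh', 'Ts')), ('bel', 'A', ('fresh', 'Ta')),         # A|≡#(Ts): added
    ('bel', 'B', ('fresh', 'Ts')), ('bel', 'B', ('fresh', 'Ta')),
    ('sees', 'A', MSG2), ('sees', 'B', TICKET), ('sees', 'B', AUTH), ('sees', 'A', AUTH),
})

def kerberos_goals(assumptions=ASSUMPTIONS):
    """[A|≡K, B|≡K, A|≡B|≡K, B|≡A|≡K] for K = A←Kab→B, derived from the assumptions."""
    facts = derive(assumptions)
    return [('bel', 'A', KAB) in facts, ('bel', 'B', KAB) in facts,
            ('bel', 'A', ('bel', 'B', KAB)) in facts, ('bel', 'B', ('bel', 'A', KAB)) in facts]
```

Dropping a single assumption (for instance $B \mid\!\equiv \#(T_a)$) shows which goal depends on it, which is the limitation noted later on this page: final beliefs hold only if every initial assumption holds.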




Needham-Schroeder Analysis

  • Original version without idealization:

[Figure: S, A and B exchanging messages 1 to 5 of the Needham-Schroeder protocol listed below.]

Message 1: $A \rightarrow S : A, B, N_A$

Message 2: $S \rightarrow A : \{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$

Message 3: $A \rightarrow B : \{K_{AB}, A\}_{K_{BS}}$

Message 4: $B \rightarrow A : \{N_B\}_{K_{AB}}$

Message 5: $A \rightarrow B : \{N_B - 1\}_{K_{AB}}$

  • Corresponding idealized protocol:

Message 2: $S \rightarrow A : \{N_A, A \overset{K_{ab}}{\longleftrightarrow} B, \#(A \overset{K_{ab}}{\longleftrightarrow} B), \{A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$

Message 3: $A \rightarrow B : \{A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}$

Message 4: $B \rightarrow A : \{N_B, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{ab}}$ from B

Message 5: $A \rightarrow B : \{N_B, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{ab}}$ from A


Needham-Schroeder Analysis (Con.)

  • The original Needham-Schroeder protocol is worth idealizing because so much work has been based on it: many authentication protocols have been derived from it.

  • The goal of this idealization is to see if both principals A and B can be convinced of each other’s presence:

$$A \mid\!\equiv A \overset{K}{\longleftrightarrow} B \qquad B \mid\!\equiv A \overset{K}{\longleftrightarrow} B$$

and

$$A \mid\!\equiv B \mid\!\equiv A \overset{K}{\longleftrightarrow} B \qquad B \mid\!\equiv A \mid\!\equiv A \overset{K}{\longleftrightarrow} B$$


Needham-Schroeder Analysis (Con.)

Initial assumptions:

What the client trusts the server to do:

$A \mid\!\equiv (S \Rightarrow A \overset{K_{ab}}{\longleftrightarrow} B)$, $B \mid\!\equiv (S \Rightarrow A \overset{K_{ab}}{\longleftrightarrow} B)$, $A \mid\!\equiv (S \Rightarrow \#(A \overset{K_{ab}}{\longleftrightarrow} B))$

Keys already known to the principals:

$A \mid\!\equiv A \overset{K_{as}}{\longleftrightarrow} S$, $B \mid\!\equiv B \overset{K_{bs}}{\longleftrightarrow} S$, $S \mid\!\equiv A \overset{K_{as}}{\longleftrightarrow} S$, $S \mid\!\equiv B \overset{K_{bs}}{\longleftrightarrow} S$, $S \mid\!\equiv A \overset{K_{ab}}{\longleftrightarrow} B$

Freshness:

$A \mid\!\equiv \#(N_a)$, $B \mid\!\equiv \#(N_b)$, $S \mid\!\equiv \#(A \overset{K_{ab}}{\longleftrightarrow} B)$, $B \mid\!\equiv \#(A \overset{K_{ab}}{\longleftrightarrow} B)$


Needham-Schroeder Analysis (Con.)

  • Now we can apply the logical postulates to each message, together with the assumptions, to see if we can achieve our goal.

  • There are many steps on the way to the goal; unfortunately, there is not enough time to state them all.


Conclusions of Analysis

Finally, this has been achieved: the goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key $K_{ab}$, and that each believes that the other believes it.

$$B \mid\!\equiv A \overset{K}{\longleftrightarrow} B \qquad A \mid\!\equiv A \overset{K}{\longleftrightarrow} B$$

The final goal has also been achieved:

$$A \mid\!\equiv B \mid\!\equiv A \overset{K}{\longleftrightarrow} B \qquad B \mid\!\equiv A \mid\!\equiv A \overset{K}{\longleftrightarrow} B$$

BAN finds that this authentication protocol has an extra assumption: B assumes that the key it receives from A is fresh.


BAN limitations

  • Conversion to idealized form.

  • Lack of ability to state something a principal does not know.

  • BAN does not catch all protocol flaws:

    • False positives can result.

  • A principal’s beliefs cannot be changed at later stages of the protocol:

    • No division of time in a protocol run.

  • Provides a proof of trust on the part of principals, but not a proof of security:

    • Final beliefs can be believed only if all original assumptions hold true.

  • BAN does not account for improper encryption.


Advantages of BAN Logic

  • A huge success for formal methods in cryptography, and a useful tool.

  • BAN logic has been successful in uncovering implicit assumptions and weaknesses in a number of protocols.

  • A vehicle for extensive research, and the basis for the development of other logic systems.

  • BAN’s strengths lie in the simplicity of its logic and its ease of use.


Conclusion

  • BAN logic is one of the earliest successful attempts at formally reasoning about authentication protocols.

  • BAN logic involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates, and determining whether the goals of authentication have been met.

  • BAN logic can be used to analyze existing protocols and bring out their flaws.

  • As we saw with the Needham-Schroeder protocol, BAN logic helped to uncover an extra assumption that the authors themselves did not realize.

  • BAN logic has its flaws, but overall it is a welcome success for formal methods in cryptography.



Thank you

