A logic of authentication
This presentation is the property of its rightful owner.
Sponsored Links
1 / 42

A Logic of Authentication PowerPoint PPT Presentation


  • 123 Views
  • Uploaded on
  • Presentation posted in: General

A Logic of Authentication. BAN Logic. Michael Burrows, Martin Abadi, Roger Needham. Presented by : Wenjin Hu. Using Logic to analyze authentication protocols. describing the beliefs of trustworthy parties involved in authentication protocols presenting

Download Presentation

A Logic of Authentication

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


A logic of authentication

A Logic of Authentication

BAN Logic

Michael Burrows, Martin Abadi, Roger Needham

Presented by : Wenjin Hu


Using logic to analyze authentication protocols

Using Logic to analyze authentication protocols

describing

  • the beliefs of trustworthy parties involved in authentication protocols

    presenting

  • the evolution of these beliefs as a consequence of communication


Purpose

Purpose:

  • Discover subtleties in different authentication protocols

  • Draw attention to errors in them

  • Suggest improvements

Answering:

What does this protocol achieve?

Does this protocol need more assumptions than another one?

Does this protocol do anything unnecessary that could be left out without weakening it?

Does this protocol encrypt something that could be sent in clear without weakening it?


Outline

Outline

  • Introduce BAN logic

  • Demo how BAN logic analyzes protocol

  • BAN logic Defects

  • Discussion on BAN logic


Authentication protocols

Review:

Authentication Protocols:

Guarantee

  • The principals really are who they say they are

  • They will end up in possession of one or more shared secrets or recognize the use of other principals’ secrets


Introduction to ban logic

Objects

Principals,

encryption keys,

formulas

Predicate constructs

Interpret organized objects into logical statements

with truth values

Inference rules (Logic Postulates)

a means to reason abut the above predicate constructs

Mechanically verify the reasoning

Introduction to BAN Logic

A, B, S

K, Kab

X, {X}K, Na


Predicate constructs

K

Predicate Constructs

  • P believes X

  • P sees X

  • P said X

  • P controls X

  • Fresh (X)

  • P Q

  • P

  • {X}k

P has jurisdiction over X

the principal P is an authority on X and should be trusted on this matter.

K

Shared key

Public key

The formula X encrypted under the key K


Logical postulates

Logical Postulates

  • Message-meaning

  • Nonce-verification

  • Jurisdiction

  • Freshness


Logical postulates ii

Logical Postulates II

  • Component


Steps of logic analysis

k

k

k

k

A B

A B

A B

A B

(I)A believes (II)A believes B believes

B believes B believes A believes

Steps of Logic Analysis:

1 Derive idealized protocol from the original one

Transform the protocol into statements (formula)

(3)guidelines of idealization of a protocol (something debating)

2 State assumptions about initial state

skills in giving the assumption

3 Attach logical formula to each statement of the protocol,

as assertions about the state of the system after each statement

4 Apply logical rules to assumptions and assertions, in order to

discover the beliefs held by principals in the protocol

5 Conclude what beliefs are held at the end of the protocol


Logic demo

Logic Demo

  • The Kerberos Protocol

    1 A->S: A,B

    2 S->A: {Ts, L, Kab, B, {Ts, L, Kab, A}Kbs }Kas

    3 A->B: {Ts, L, Kab, A}Kbs, {A, Ta}Kab

    4 B->A: {Ta+1}Kab

Idealized as:

  • S->A: {Ts, A B, {Ts, A B}Kbs}Kas

  • A->B: {Ts, A B}Kbs, {Ta, A B}KabfromA

  • B->A: {Ta, A B}Kabfrom B


Guideline of idealization

Guideline of Idealization

  • A message used as a hint is to be omitted

    Cleartext is omitted simple because it can be forged 

  • A real message m can be interpreted as a formula X if whenever the recipient gets m he may deduce that the sender must have believed X when he sent m

  • Real nonces are transformed into arbitrary new formulas


Logic demo con t

Logic Demo (Con’t)

  • Idealization

  • S->A: {Ts, A B, {Ts, A B}Kbs}Kas

  • A->B: {Ts, A B}Kbs, {Ta, A B}KabfromA

  • B->A: {Ta, A B}Kabfrom B


Logic demo con t1

A believes A SB believes B S

S believes A SS believes B S

S believes A B

A believes (S controls A B)

B believes (S controls A B)

A believes fresh(Ts)B believes fresh(Ts)

A believes fresh(Ta) B believes fresh(Ta)

Logic Demo (Con’t)

  • Assumption


Logic demo con t2

Assumption

Message-meaning

Belief

Belief

component

Nonce -Verification

Assumption

Jurisdiction

Belief

Assumption

Conclusion 1:

Logic Demo (Con’t)

{Ts, A B, {Ts, A B}Kbs}Kas

A

  • Analysis

Assertion


Logic demo con t3

Component

Assumption

Belief

Message-meaning

Message-meaning

Nonce -Verification

Nonce -Verification

Assumption

Belief

Conclusion 2:

Belief

Assumption

Assumption

Jurisdiction

Conclusion 3:

{Ts, A B}Kbs, {Ta, A B}Kab

Logic Demo (Con’t)

Assertion

B


Logic demo con t4

Message-meaning

Conclusion 1:

Nonce -Freshness

Belief

Assumption

Conclusion 4:

Logic Demo (Con’t)

Conclusion 1:

Conclusion 2:

Conclusion 3:

{Ta, A B}Kab

Assertion

A


Logic demo con t5

Logic Demo (Con’t)

  • Conclusion

    Beliefs we get

    Improvement we can find

In the analysis of the second message, {Ts, A B}Kbs is not needed to be re-encrypted as we look back through the formal analysis


The otway rees protocol

Idealized protocol

The Otway-Rees Protocol

  • Protocol


The otway rees protocol1

The Otway-Rees Protocol

  • Idealization

The fact that the messages are sent at all, because if the common nonces had not matched

nothing would ever have happened.


The otway rees protocol2

k

k

as

bs

A believes A S

B believes B S

k

k

as

bs

S believes A S

S believes B S

k

ab

S believes A B

k

k

ab

ab

A believes S controls A B

B believes S controls A B

A believes S controls

(

B said X

)

B believes S controls

(

A said X

)

S believes Fresh

(

N

)

A believes Fresh

(

N

)

b

a

A believes Fresh

(

N

)

c

The Otway-Rees Protocol

  • Assumption


The otway rees protocol3

The Otway-Rees Protocol

  • Analysis


The otway rees protocol4

The Otway-Rees Protocol

  • Analysis


The otway rees protocol5

The Otway-Rees Protocol

  • Analysis


The otway rees protocol6

The Otway-Rees Protocol

  • Beliefs

The author has partly used the belief we reached in the middle into the idealized protocol

Both A and B gets the new key Kab

A is in a better position than B

A knows B exists but does not know if B gets the key Kab


The otway rees protocol7

  • Modification

The Otway-Rees Protocol

  • Conclusion

    Na can be eliminated

    Na could just be as well have been done using Nc

    Nb need not be encrypted in the second message


Ban logic defects

BAN Logic Defects


Ban logic exclusion

BAN Logic Exclusion

BAN Logic Declaration:

  • Allow for the possible of hostile principal

  • Neither deal with the authentication of an untrustworthy principal

  • Nor detect weakness of encryption schemes or unauthorized release of secrets


The otway rees protocol8

The Otway-Rees Protocol

  • Modified protocol


The otway rees protocol9

M’s freshness is provided by Na

we have to doubt it as a nounce.

Principal A should be honest!!!

The Otway-Rees Protocol

I

(

A

)

B

:

M

,

A

,

B

, {

M’

,

Ni

,

I

,

B

}

Kis

B S

:

M

,

A

,

B

, {

M’

,

Ni

,

I

,

B

}

,

Kis

  • One Possible Attack

Nb

, {

M

,

A

,

B

}

Kbs

I

(

B

)

S

:

M’

,

A

,

B

, {

M’

,

Ni

,

I

,

B

}

Kis

Nb

, {

M’

,

A

,

B

}

Kbs

I

(

S

)

B

:

M

, {

Ni

,

K

}

, {

Nb

,

K

}

ib

Kis

ib

Kbs

B A

:

M

, {

Ni

,

K

}

ib

Kis

server ignores the replay of M’


Another flaw in ban logic

Idealization

Another flaw in BAN Logic

  • The Nessett protocol

Assumptions

k

A

B believes

|

A

k

ab

A believes

A B

A believes Fresh

(

Na

)

B believes Fresh

(

Na

)

kab

B believes A controls

(

A B

)


Nessett protocol

Nessett Protocol

  • Analysis

Message-meaning

Message-meaning

Nonce-verification

Nonce-verification

Jurisdication


Explanation of the flaw

Explanation of the Flaw

  • Establishing the property

    distributing information to a subset of the principals so that some predicated defined over this population obtained

  • Failing to provide the second property

    distributing information in such a way that another subset of the population is denied accessed to it


Argument of the flaw

Argument of the Flaw

  • Assumption that A believes that Kab is a good shared key for A and B. This is clearly inconsistent with the message exchange, where A publishes Kab

  • The inconsistency is not manifested by formalism but is manifested by the wit of man to notice

  • The author admits that it is hard to provide a logic for finding all security problems


Flaws in ban logic

Flaws in BAN Logic

  • On Protocol Idealization

    No well-understood semantic rule to govern this job makes this job a very expert one.

  • On Belief

    In nonce-verification, a principal positively establishes a belief due to the statement made by another principal disregarding the fact that the latter may be cheating.

    E.g. : P believes that Q said X, where X is a statement “I am not Q”; Q may still be identified (authenticated) as Q even if he said this, just as he may turn out to be someone else even if X is “I am Q”

  • On Protocol Assumption

    There is no way of knowing in the BAN approach if slightly different assumptions would change an unsatisfactory protocol into a good one. It also cannot be shown that the assumption used for a good protocol are necessary, or are the weakest possible.

  • On Confidentiality

    The goodness of a session key rests on a statement issued by a trustworthy principal. BAN logic can not tell whether a session key under distribution is exclusively delivered to an expected set of principals.


Possible improvements

Possible Improvements

  • Challenge & Response

  • Deny Postulates

  • Weakest pre-condition

    Bottom-up method


Critiques on ban logic

Critiques on BAN Logic

  • 1 Failure to discover flaws which violate security in a basic sense

  • 2 When the logic finds a bug in a protocol, everyone believes that it is a bug; when the logic finds a proof of correctness, people seem to have trouble believing that it is a proof

  • 3 informality in the logic’s operational semantics


Summary

Summary

Anyway

  • BAN logic is an initial approach towards Formal Analysis of cryptograph protocols

  • The work is pioneering and classic

  • It has provided us a good framework of applying Logic to protocol analysis. Researches have been carried out to adapt it into a logical reasoning computation suitable for computer-aided analysis


Reference

Reference:

  • [1] M. Burrows, M. Adadi, and R. Needham. “A logic of authentication”

  • [2] D. Nessett. “A Critique of the Burrows, Abadi and Needham Logic”

  • [3] W. Mao and C. Boyd. “Towards Formal Analysis of Security Protocols”


Questions and comments

Questions and Comments

Welcome any discussions on this topic


Thank u

Thank U

:P


Outtake

Outtake:

On Secret

  • If you believe that only you and Bob know X, then you ought to believe that any encrypted message you receive containng X comes originally from Bob.

  • X combined wit the formula Y; it is intended that Y be a secret, and that its presence prove the identity of whoever utters

especially useful to password


  • Login