BAN: A Logic of Authentication - PowerPoint PPT Presentation

Presentation Transcript

1. Concordia University • Design and Analysis of Security Protocols (INSE 7100) • BAN: A Logic of Authentication • Mourad Erhioui, Ahmed Gario, Sami Zhioua • October 27, 2003

2. Content 1. Introduction - Syntax - Logical postulates (rules) 2. Protocol analysis - Different steps - Detailed example (Kerberos protocol) 3. Conclusion - Needham-Schroeder protocol (outline) - Limitations and advantages - Conclusion

3. Introduction • BAN is the first logic to formally analyze authentication protocols (1990) • It is named after its inventors : Mike Burrows, Martin Abadi and Roger Needham • BAN is a belief logic: it concentrates on beliefs of principals and the evolution of these beliefs through the execution of the protocol.

4. BAN Objectives • Prove whether a protocol does or does not meet its security goals. • Make protocols more efficient: - Does this protocol do anything unnecessary that could be left out without weakening it ? - Does this protocol encrypt something that could be sent in clear without weakening it ?

5. Formalism (1) • If Alice believes a proposition P, we write $A \mid\equiv P$ and we say: 'A believes P' • A shared key between Alice and Bob is written as: $A \stackrel{K_{AB}}{\leftrightarrow} B$ • If Alice believes that $K_{AB}$ is a good key to communicate with Bob, then we write: $A \mid\equiv A \stackrel{K_{AB}}{\leftrightarrow} B$ • If Alice believes that S can be trusted to create a good key to communicate with Bob, we write: $A \mid\equiv S \mid\Rightarrow A \stackrel{K_{AB}}{\leftrightarrow} B$ and we say that 'A believes that S has jurisdiction over good keys for A and B'.

6. Formalism (2) • When Alice receives a message, we write: $A \triangleleft P$ and we say: 'A sees P' • If Alice sent a message containing the statement P, we write: $A \mid\sim P$ and we say: 'A once said P' • When a statement P is fresh, we write: $\#(P)$ and we say: 'P is fresh'

7. Formalism (Summary) • $P \mid\equiv X$ : P believes X • $P \triangleleft X$ : P sees X • $P \mid\sim X$ : P once said X • $\#(P)$ : P is fresh • $P \mid\Rightarrow X$ : P has jurisdiction over X • $P \stackrel{K}{\leftrightarrow} Q$ : K is a good key for communication between P and Q • $\stackrel{K}{\mapsto} P$ : P has K as a public key

8. BAN Logical postulates • $\frac{P}{Q}$ means: if P is true, then Q is true • If Alice believes X and $\frac{X}{Y}$, then Alice believes Y

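9. Message significance rule • $\frac{P \mid\equiv\ \stackrel{K}{\mapsto} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P \mid\equiv Q \mid\sim X}$ • $\frac{P \mid\equiv P \stackrel{K}{\leftrightarrow} Q,\quad P \triangleleft \{X\}_{K}}{P \mid\equiv Q \mid\sim X}$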

10. Nonce verification • $\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$

11. Jurisdiction rule • $\frac{P \mid\equiv Q \mid\Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$

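12. More rules • 1. $\frac{P \mid\equiv X,\quad P \mid\equiv Y}{P \mid\equiv (X,Y)}$ • 2. $\frac{P \mid\equiv (X,Y)}{P \mid\equiv X}$ • 3. $\frac{P \mid\equiv Q \mid\equiv (X,Y)}{P \mid\equiv Q \mid\equiv X}$ • 4. $\frac{P \mid\equiv Q \mid\sim (X,Y)}{P \mid\equiv Q \mid\sim X}$ • 5. $\frac{P \triangleleft (X,Y)}{P \triangleleft X}$ • 6. $\frac{P \mid\equiv P \stackrel{K}{\leftrightarrow} Q,\quad P \triangleleft \{X\}_{K}}{P \triangleleft X}$ • 7. $\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X,Y)}$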

13. BAN • BAN cannot be used to prove that a protocol is flawed • But, when we cannot prove that a protocol is correct, that protocol deserves to be treated with grave suspicion.

14. Content 1. Introduction - Syntax - Logical postulates (rules) 2. Protocol analysis - Different steps - Detailed example (Kerberos protocol) 3. Conclusion - Needham-Schroeder protocol (outline) - Limitations and advantages - Conclusion

15. Idealized protocol • BAN Logic transforms each step in a protocol into an idealized form. • Message1: $A \to B : \{A, k_{ab}\}_{k_{bs}}$ • Principal A sends the message to principal B • It is an informal notation • Ambiguous presentation • Obscure in meaning • Not appropriate for formal analysis • Message1: $A \to B : \{A, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{k_{bs}}$ • $B \triangleleft \{A, A \stackrel{K_{ab}}{\leftrightarrow} B\}$

16. Idealized protocol • Transform each protocol into an idealized form • Omit the parts of the message that do not contribute to the beliefs of the recipient • Omit clear text communication because it can be forged • Unencrypted messages are removed during the idealization steps • Only encrypted fields are retained in the idealization

17. Protocol Analysis • Derive the idealized protocol from the original one. • Write assumptions about the initial state. • Add logical formulas to the statements of the protocol. • Use the postulates and rules of the logic to deduce new predicates.

18. The Kerberos Protocol • (Diagram: the four messages exchanged among S, A and B) • Message1: $A \to S : A, B$ • Message2: $S \to A : \{T_s, L, K_{ab}, B, \{T_s, L, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$ • Message3: $A \to B : \{T_s, L, K_{ab}, A\}_{K_{bs}}, \{A, T_a\}_{K_{ab}}$ • Message4: $B \to A : \{T_a + 1\}_{K_{ab}}$

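19. Idealized protocol (slide callout: Confusion) • Original: Message1: $A \to S : A, B$ • Message2: $S \to A : \{T_s, L, K_{ab}, B, \{T_s, L, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$ • Message3: $A \to B : \{T_s, L, K_{ab}, A\}_{K_{bs}}, \{A, T_a\}_{K_{ab}}$ • Message4: $B \to A : \{T_a + 1\}_{K_{ab}}$ • Idealized: Message2: $S \to A : \{T_s, A \stackrel{K_{ab}}{\leftrightarrow} B, \{T_s, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$ • Message3: $A \to B : \{T_s, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}, \{T_a, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$ from A • Message4: $B \to A : \{T_a, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$ from B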

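20. Protocol Analysis • Initial assumptions: $A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$ • $B \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$ • $S \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$ • $S \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$ • $S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$ • $B \mid\equiv (S \mid\Rightarrow A \stackrel{K}{\leftrightarrow} B)$ • $A \mid\equiv (S \mid\Rightarrow A \stackrel{K}{\leftrightarrow} B)$ • $A \mid\equiv \#(T_a)$ • $B \mid\equiv \#(T_s)$ • $B \mid\equiv \#(T_a)$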

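21. Goals of Authentication • Authentication rests on communication protected by a shared session key, so the goals of authentication may be reached between A and B if there is a K such that: • Authentication between A and B is complete once there is a K such that: $A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ and $B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ • Some authentication protocols achieve this final goal: $A \mid\equiv B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ and $B \mid\equiv A \mid\equiv A \stackrel{K}{\leftrightarrow} B$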

22. Goal of authentication • Prove, from the postulates of BAN and the assumptions, the goal of the protocol: $A \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$

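23. Verification • $A \triangleleft \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{as}}$ • $A \mid\equiv S \stackrel{K_{as}}{\leftrightarrow} A$ • $\frac{A \mid\equiv S \stackrel{k}{\leftrightarrow} A,\quad A \triangleleft \{X\}_{k}}{A \mid\equiv S \mid\sim X}$ • $A \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$ • $\frac{A \mid\equiv \#(X),\quad A \mid\equiv S \mid\sim X}{A \mid\equiv S \mid\equiv X}$ • $B \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$ • $\frac{A \mid\equiv S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B,\quad A \mid\equiv S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B}{A \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B}$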
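
An added example, not part of the original slides: a small forward-chaining checker that applies the message significance, nonce verification and jurisdiction rules, plus the tuple rules 3, 4 and 7, to B's side of Kerberos (idealized Message 3), the same chain the Verification slide walks through for A. The tuple encoding of formulas and all function names are assumptions made for this example.

```python
# BAN formulas as nested tuples; atoms such as "Ts" are plain strings.
def bel(p, x):    return ("bel", p, x)                    # P believes X
def sees(p, x):   return ("sees", p, x)                   # P sees X
def said(q, x):   return ("said", q, x)                   # Q once said X
def fresh(x):     return ("fresh", x)                     # #(X)
def ctrl(q, x):   return ("ctrl", q, x)                   # Q has jurisdiction over X
def key(k, p, q): return ("key", k, frozenset((p, q)))    # P <-K-> Q (symmetric)
def enc(k, *xs):  return ("enc", k, ("cat", *xs))         # {X1, ..., Xn}_K

def believes_fresh(facts, p, x):
    # Rule 7 on the "More rules" slide: a tuple is fresh if one part is.
    parts = x[1:] if x[0] == "cat" else (x,)
    return any(bel(p, fresh(part)) in facts for part in parts)

def step(facts):
    out = set()
    for f in facts:
        p, x = f[1], f[2]
        if f[0] == "sees" and x[0] == "enc":              # message significance, shared key
            for g in facts:
                if g[:2] == ("bel", p) and g[2][:2] == ("key", x[1]) and p in g[2][2]:
                    (q,) = g[2][2] - {p}
                    out.add(bel(p, said(q, x[2])))
        if f[0] == "bel" and x[0] in ("said", "bel"):
            if x[2][0] == "cat":                          # rules 3 and 4: split a tuple
                out |= {bel(p, (x[0], x[1], part)) for part in x[2][1:]}
            if x[0] == "said" and believes_fresh(facts, p, x[2]):
                out.add(bel(p, bel(x[1], x[2])))          # nonce verification
            if x[0] == "bel" and bel(p, ctrl(x[1], x[2])) in facts:
                out.add(bel(p, x[2]))                     # jurisdiction
    return out

def close(facts):
    # Apply the rules until no new fact is derived.
    facts = set(facts)
    while not (new := step(facts)) <= facts:
        facts |= new
    return facts

# Kerberos, B's side (constructed from the idealized Message 3 and B's assumptions).
GOAL = key("Kab", "A", "B")
ASSUME_B = {bel("B", key("Kbs", "B", "S")),
            bel("B", ctrl("S", GOAL)),
            bel("B", fresh("Ts"))}
MSG3 = sees("B", enc("Kbs", "Ts", GOAL))

def b_reaches_goal(assumptions):
    return bel("B", GOAL) in close(assumptions | {MSG3})
```

Calling `b_reaches_goal(ASSUME_B)` derives B's belief in the session key; removing the freshness or the jurisdiction assumption from `ASSUME_B` makes the derivation fail, which is how the logic exposes the assumptions a protocol depends on.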

24. Content 1. Introduction - Syntax - Logical postulates (rules) 2. Protocol analysis - Different steps - Detailed example (Kerberos protocol) 3. Conclusion - Needham-Schroeder protocol (outline) - Limitations and advantages - Conclusion

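25. Needham-Schroeder Analysis • Original version without idealization (diagram: the five messages exchanged among S, A and B) • Message 1 $A \to S : A, B, N_A$ • Message 2 $S \to A : \{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$ • Message 3 $A \to B : \{K_{AB}, A\}_{K_{BS}}$ • Message 4 $B \to A : \{N_B\}_{K_{AB}}$ • Message 5 $A \to B : \{N_B - 1\}_{K_{AB}}$ • Corresponding idealized protocol • Message 2 $S \to A : \{N_A, (A \stackrel{K_{ab}}{\leftrightarrow} B), \#(A \stackrel{K_{ab}}{\leftrightarrow} B), \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$ • Message 3 $A \to B : \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$ • Message 4 $B \to A : \{N_B, (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$ from B • Message 5 $A \to B : \{N_B, (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$ from A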

26. Needham-Schroeder Analysis (Con.) • The original Needham-Schroeder protocol is worth idealizing because so much work has been based on it and many authentication protocols have been derived from it. • The goal of this idealization is to see if both principals A and B can be convinced of each other's presence: $A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ and $B \mid\equiv A \stackrel{K}{\leftrightarrow} B$, and $A \mid\equiv B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ and $B \mid\equiv A \mid\equiv A \stackrel{K}{\leftrightarrow} B$

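27. Needham-Schroeder Analysis (Con.) • Initial assumptions • What the clients trust the server to do: $A \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$, $B \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$, $A \mid\equiv (S \mid\Rightarrow \#(A \stackrel{K_{ab}}{\leftrightarrow} B))$ • Keys already known to the principals: $A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$, $B \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$, $S \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$, $S \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$, $S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$ • $A \mid\equiv \#(N_a)$, $B \mid\equiv \#(N_b)$, $S \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$, $B \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$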

28. Needham-Schroeder Analysis (Con.) • Now we can apply the logical postulates to each message, together with the assumptions, to see if we can achieve our goal. • Unfortunately, reaching the goal takes too many steps, and there is not enough time to state them here.

29. Conclusions of Analysis • Finally, this has been achieved: the goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key Kab and they each believe that the other believes it. • $B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ and $A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ • The final goal has also been achieved: $A \mid\equiv B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ and $B \mid\equiv A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ • BAN finds that this authentication protocol has an extra assumption, which is that B assumes the key it receives from A is fresh.

30. BAN limitations • Conversion to idealized form • Lack of ability to state something a principal does not know • BAN does not catch all protocol flaws. - False positives can result. • A principal's beliefs cannot be changed at later stages of the protocol - No division of time in a protocol run. • Provides a proof of trust on the part of principals, but not a proof of security - Final beliefs can be believed only if all original assumptions hold true. • BAN does not account for improper encryption.

31. Advantages of BAN Logic • Huge success for formal methods in cryptography, useful tool. • BAN Logic has been successful in uncovering implicit assumptions and weaknesses in a number of protocols • Vehicle for extensive research, serving as a basis for the development of other logic systems. • BAN's strengths lie in the simplicity of its logic and its ease of use

32. Conclusion • BAN Logic is one of the earliest successful attempts at formally reasoning about authentication protocols. • BAN logic involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met. • BAN logic can be used to analyze existing protocols and bring out their flaws. • As we saw in the Needham-Schroeder protocol, BAN logic helped to uncover an extra assumption that the authors themselves did not realize. • BAN logic has its flaws, but overall it is a welcome success for formal methods in cryptography.

33. Thank you