Objectives (1)
To give a flavour of formal methods by introducing BAN logic.
To appreciate that BAN logic provides help in finding flaws in authentication protocols; it cannot guarantee that they are not flawed.
– This will help you avoid situations of “the King’s new clothes”.

Objectives (2)
By way of light relief:
– To present the goals an ideal password authentication scheme would achieve.
Introduction (1)
In distributed computing, protocols provide the rules on how to communicate. To protect communications from attackers, cryptographic protocols were developed. A cryptographic protocol is a protocol that uses encryption in some way. Unfortunately, many cryptographic protocols have been found to be vulnerable to attacks that do not require the encryption to be broken.

Introduction (2)
In such attacks the messages of the protocol are manipulated by the attacker in some way to the attacker’s benefit.
– The consequences can range from confidentiality being compromised to the attacker being able to impersonate a legitimate user.
A class of cryptographic protocols that are fundamental to the security of a system are the authentication protocols.

Introduction (3)
To be able to design a robust authentication protocol it is necessary to fully understand what it achieves. The logic of authentication formally describes the knowledge and beliefs of the legitimate parties involved in authentication and, while analysing the protocol step by step, describes how their knowledge and beliefs change at each step. After the analysis, all the final states of the protocol are set out.
BAN Logic (1)
The BAN logic appeared in 1989 in a publication by Burrows, Abadi and Needham, who invented it and gave it its name.
– It was the first attempt to formalise the description and analysis of authentication protocols.
A protocol in the BAN logic is described by logical formulas, with the aim of writing each step of the protocol in such a way that all the essential information gained from the step is shown.
– This is an idealisation of the protocol.

BAN Logic (2)
Some of the most often used formulas of the BAN logic are:
P believes X: the principal P may act as if X is true.
P sees X: P has received X in a message and can read and repeat X (send it on).
P once said X: P sent a message at some point including X. It is known that P believed X when the message was sent.

BAN Logic (3)
P has jurisdiction over X: P has delegated authority over statement X.
The message X is fresh: X has not been sent before. This is usually assumed to be the case for nonces.

BAN Logic (4)
P and Q may use shared key K to communicate: K is assumed to be secure.
P and Q share the secret X: an important example of X is a password.
Message X encrypted under key K.
Time (1)
In the BAN logic, time is divided into the past and the present. The present begins when the protocol starts running. All messages sent before this are in the past, and the protocol should reject such messages.
The above formulas are manipulated using logical postulates. A postulate of the BAN logic means that if its premise P is true then its conclusion Q is true. The logical postulates include message-meaning rules, which explain how to derive beliefs about the source of messages.

Time (2)
For shared keys, the BAN logic postulates:
That is, if A believes that the key K is shared with B and sees a message X encrypted under K, then A believes that B once said X. For this rule to be sound, we must guarantee that A did not send X herself; it is enough to remember that stands for a formula of the form from R for some R, and to require that

Time (3)
The nonce verification rule expresses the check that a message is recent, and therefore that the sender still believes in it:
This says that if A believes that X could have been created only recently and that B once said X, then A believes that B believes X. For the sake of simplicity, X must be plaintext.

Time (4)
The jurisdiction rule states that if A believes that B has jurisdiction over X and A believes that B believes X, then A believes X.
Given the postulates, proofs in the logic can be constructed.
Protocol Idealization (1)
A protocol is presented in steps, where each step involves the sending and the receiving of one message. A protocol step is normally written in standard protocol engineering notation, for example:
This means that A sends and B receives a message encrypted with K_BP (a shared key that can be taken to be Bob’s public key). The message consists of the name of A and a shared key K_AB to be used by A and B for secure communication between them.

Protocol Idealization (2)
In the BAN logic this protocol step would be written in an idealized way as:
This means that A sends and B receives a message encrypted with K_BP, and that the message includes a shared key K_AB to be used by A and B for secure communication between them.

Protocol Idealization (3)
The crucial point is that the purpose of idealization is to omit the parts of the message that do not contribute to the beliefs of the recipient. In this case the name of A is omitted because the protocol engineering notation for the step implicitly assumes that B accepts that the message came from A when he receives it, and that possession of the name of A does not change this.
Protocol Analysis using the BAN Logic (1)
In the BAN logic the analysis of a protocol is carried out in four stages:
1. Each step of the protocol is written in idealized form.
2. Assumptions about the initial state are written down.
3. Logical formulas are attached to the idealized steps of the protocol, as assertions about the state of the system after each step.
4. The BAN logic postulates are applied to the assumptions and the assertions in order to determine the beliefs held by the parties in the protocol.

Protocol Analysis using the BAN Logic (2)
This procedure may be repeated as new assumptions are found to be necessary and as the idealized protocol is refined. It is very important to realize that the idealized form of each message cannot be determined merely by looking at a single protocol step by itself. Only knowledge of the entire protocol can determine the essential logical contents of the message. Typically, the assumptions include statements about key possession and sharing, nonce generation and trust between the principals.

Protocol Analysis using the BAN Logic (3)
Specifically, idealized protocols are annotated with formulas, which are then manipulated with the postulates. A protocol is a sequence of “send” statements of the form with. An annotation for a protocol consists of a sequence of assertions inserted before the first statement and after each statement; the assertions used are conjunctions of formulas of the BAN logic. The first assertion contains the assumptions, while the last assertion contains the conclusions.
Representing the Needham-Schroeder Protocol using the BAN Logic (1)
First note that an idealized protocol in the BAN logic omits plaintext messages, because they can be forged and so contribute nothing useful to the authentication protocol. So step 1 of the Needham-Schroeder protocol is omitted. Recall that the subsequent steps are:
Message 2:
Message 3:
Message 4:
Message 5:

Representing the Needham-Schroeder Protocol using the BAN Logic (2)
After receiving Message 3, B decrypts it and then carries out a nonce handshake with A to check that A is ready to receive a message from him, since Message 3 might have been a replay. The use of in the last message is conventional. Almost any function of would do, as long as B can distinguish his message from A’s; thus, subtraction is used to indicate that the message is from A rather than from B.

Representing the Needham-Schroeder Protocol using the BAN Logic (3)
The above steps in idealized form are:
Message 2:
Message 3:
Message 4: from B
Message 5: from A

Representing the Needham-Schroeder Protocol using the BAN Logic (4)
The # statement about K_AB in Message 2 is present because A believes that K_AB is fresh. The statements about K_AB in Messages 4 and 5 are present because the messages were sent to assure B that the key is fresh and to assure each principal that the other believes the key is good. The “from” statements are included to distinguish Messages 4 and 5.
Analyzing the Protocol (1)
To fully understand the protocol, all the initial assumptions made must be understood; the BAN logic helps achieve this.

Analyzing the Protocol (2)
After a little thought the following initial assumptions should be obvious:

Analyzing the Protocol (3)
A logical proof of the protocol will now be attempted. First A sends a plaintext message including a nonce. In Message 2 Trent repeats the nonce in a reply which also contains K_AB. A can decrypt Message 2, so:
Since A knows N_A is fresh, the nonce verification postulate can be applied to give:

Analyzing the Protocol (4)
The jurisdiction postulate gives:
Also:

Analyzing the Protocol (5)
So A can send this to B. At this point B decrypts the message, and the appropriate message-meaning postulate gives:
However, it is impossible to proceed unless the assumption is made that:
This highlights the weakness of the protocol, because B has nothing to tell him that the message is fresh. In effect this is an initial assumption of the protocol that was overlooked by its creators.
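The three postulates from the Time slides, the four-stage analysis procedure, and the Needham-Schroeder derivation above, carried out mechanically. This is an added worked example written for these notes; it is not code from the lecture or from Burrows, Abadi and Needham, whose analysis is done by hand. It is a small forward-chaining checker: formulas are nested Python tuples, the message-meaning (shared key), nonce-verification and jurisdiction postulates are applied together with conjunction splitting until no new belief appears, and the idealized Messages 2 to 5 are fed in as “sees” facts. Assumptions made here: S’s own beliefs are left out since only A’s and B’s conclusions are wanted; the “from A” / “from B” tags and the side condition that A did not send X herself are not modelled; the initial beliefs are the ones the lecture’s analysis relies on (each principal believes its key with S, A and B believe S has jurisdiction over the session key, A also believes S has jurisdiction over its freshness, and each believes its own nonce is fresh).

```python
"""Forward-chaining checker for a fragment of the BAN logic (added example)."""


def conj(*xs):        return ('and',) + xs          # (X, Y, ...)
def believes(p, x):   return ('believes', p, x)     # P believes X
def sees(p, x):       return ('sees', p, x)         # P sees X
def said(q, x):       return ('said', q, x)         # Q once said X
def fresh(x):         return ('fresh', x)           # #(X)
def controls(q, x):   return ('controls', q, x)     # Q has jurisdiction over X
def shares(p, k, q):  return ('shares', p, k, q)    # P <-K-> Q (symmetric)
def enc(x, k):        return ('enc', x, k)          # {X}_K


def parts(x):
    """Components of a conjunction; a plain formula is its own only part."""
    return list(x[1:]) if x[0] == 'and' else [x]


def key_partner(f, p):
    """If f says P shares key K with Q (in either order), return (K, Q)."""
    if f[0] == 'shares':
        if f[1] == p: return f[2], f[3]
        if f[3] == p: return f[2], f[1]
    return None


def derive_once(facts):
    """One round of every postulate over the current set of facts."""
    new = set()
    for kind, p, x in facts:
        if kind == 'believes':
            for part in parts(x):                   # P believes (X, Y) |- P believes X
                new.add(believes(p, part))
            if x[0] in ('said', 'believes'):        # ...and beneath "Q said" / "Q believes"
                for part in parts(x[2]):
                    new.add(believes(p, (x[0], x[1], part)))
            if x[0] == 'said':
                q, y = x[1], x[2]
                # Nonce verification: P believes #(Y), P believes Q said Y
                # |- P believes Q believes Y.  A conjunction is fresh if any
                # component is, so every part of Y is tested.
                if any(believes(p, fresh(c)) in facts for c in parts(y) + [y]):
                    new.add(believes(p, believes(q, y)))
            if x[0] == 'believes':
                q, y = x[1], x[2]
                # Jurisdiction: P believes Q controls Y, P believes Q believes Y
                # |- P believes Y.
                if believes(p, controls(q, y)) in facts:
                    new.add(believes(p, y))
        elif kind == 'sees':
            if x[0] == 'enc':
                y, k = x[1], x[2]
                for g in facts:
                    if g[0] == 'believes' and g[1] == p:
                        kq = key_partner(g[2], p)
                        if kq and kq[0] == k:
                            # Message meaning: P believes P <-K-> Q, P sees {Y}_K
                            # |- P believes Q said Y.  (The "P did not send Y
                            # herself" side condition is not modelled here.)
                            new.add(believes(p, said(kq[1], y)))
                            new.add(sees(p, y))     # P holds K, so P sees Y
            else:
                for part in parts(x):               # P sees (X, Y) |- P sees X
                    new.add(sees(p, part))
    return new - facts


def closure(facts):
    """Apply the postulates until a fixpoint is reached."""
    facts = set(facts)
    while True:
        new = derive_once(facts)
        if not new:
            return facts
        facts |= new


A, B, S = 'A', 'B', 'S'
Kas, Kbs, Kab, Na, Nb = 'Kas', 'Kbs', 'Kab', 'Na', 'Nb'
GOOD_KEY = shares(A, Kab, B)

# Initial assumptions used in the lecture's analysis (S's beliefs omitted).
ASSUMPTIONS = {
    believes(A, shares(A, Kas, S)), believes(B, shares(B, Kbs, S)),
    believes(A, controls(S, GOOD_KEY)), believes(B, controls(S, GOOD_KEY)),
    believes(A, controls(S, fresh(GOOD_KEY))),
    believes(A, fresh(Na)), believes(B, fresh(Nb)),
}

# Idealized Messages 2-5; Message 1 is plaintext and so omitted.
MESSAGES = [
    sees(A, enc(conj(Na, GOOD_KEY, fresh(GOOD_KEY), enc(GOOD_KEY, Kbs)), Kas)),
    sees(B, enc(GOOD_KEY, Kbs)),
    sees(A, enc(conj(Nb, GOOD_KEY), Kab)),   # "from B" tag dropped
    sees(B, enc(conj(Nb, GOOD_KEY), Kab)),   # "from A" tag dropped
]


def analyse(extra=()):
    """Goals reached after all messages, given the assumptions plus any extras."""
    facts = closure(ASSUMPTIONS | set(extra) | set(MESSAGES))
    return {
        'A believes key good':       believes(A, GOOD_KEY) in facts,
        'A believes B believes key': believes(A, believes(B, GOOD_KEY)) in facts,
        'B believes key good':       believes(B, GOOD_KEY) in facts,
        'B believes A believes key': believes(B, believes(A, GOOD_KEY)) in facts,
    }


if __name__ == '__main__':
    print('as published:        ', analyse())
    print('with B believes #(Kab):', analyse([believes(B, fresh(GOOD_KEY))]))
```

With the published assumptions A reaches both of its goals, but B gets no further than “B believes S once said A↔Kab B”: the nonce-verification step has no freshness belief to fire on, so neither “B believes key good” nor “B believes A believes key” is derived. Adding the single extra assumption that B believes #(A↔Kab B) makes all four goals true, which is exactly the overlooked assumption the lecture identifies.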
Limitations of Formal Verification (1)
Formal methods can be useful in finding flaws in protocols. However, the idealization of protocol messages in the BAN logic is not straightforward and can be a source of disagreement.
– This is a serious issue, since analysis using the BAN logic is only as good as the informal protocol idealization upon which it rests.
The 3GPP (Third Generation Partnership Project) used the BAN logic to verify 3GPP AKA (Authentication and Key Agreement), and yet it is vulnerable to a base-station-in-the-middle attack.

Limitations of Formal Verification (2)
Using the BAN logic requires practice, and Burrows et al. (1989) provide lots of examples to explore. The BAN logic is not the only formal system for reasoning about security and authentication. Lampson et al. (1992) developed a theory of authentication and trust based on the concept of a minimal trusted computing base (TCB), in which the trustworthiness of each resource that is not included in the TCB can be derived formally. A formal system called Security Logic (SL) was developed by Glasgow et al. (1992) for reasoning about security policies.

Limitations of Formal Verification (3)
In this context, security policies concern secrecy and integrity in a distributed system.
– Secrecy is formally translated into propositions about principals and what they have permission to know.
– Integrity is translated into propositions about what these principals are required to know.
Passwords: The bigger picture (1)
When you log on to the University network you enter a password in a box labelled “password”.
– PIN numbers are also passwords, whether used in connection with your bank card or mobile phone.
When ringing up a building society about a mortgage application you will be asked several security questions, typically including your mother’s maiden name or postcode.
– The ease with which such information can be found has resulted in a significant problem with identity theft; combating this is a major driving force behind the use of identity cards.

Passwords: The bigger picture (2)
Passwords are a huge issue for security engineering, as they are the basis on which most network security rests. For example, when rarely visited web sites request a password, users commonly reuse a password they use regularly, typically in connection with their work, to be sure they can remember the password when they need it.
– This means that not only outsiders can attack corporate networks, but also insiders of other systems.

Passwords: The bigger picture (3)
According to H. J. Kim, “Biometrics, is it a viable proposition for identity authentication and access control”, Computers & Security, vol. 14, pp. 205–214, 1995, passwords are only one way of authenticating people to processors. In general, there are three types of identity authentication task:
– Identity authentication by something known, such as a password;
– Identity authentication by something possessed, such as a smart card;
– Identity authentication by some personal characteristic, such as fingerprints.
Applied Psychology Issues (1)
There are broadly three concerns with passwords:
– Will the user disclose the password to another person intentionally, accidentally, or because they were deceived?
– Will the user be able to enter the password correctly on a regular basis?
– Will users be able to remember their passwords, or will they have to record them somewhere or choose easily guessed passwords?

Applied Psychology Issues (2)
When an attacker obtains a password directly from its user by deceit, the attack is known as social engineering. If a password is too random its user will not easily remember it, and if it is too long it can be too time consuming to enter; in some stressful situations this can be a safety-critical issue.
Note: Firing codes for US nuclear weapons are no longer than 12 digits.

Design Errors (1)
Designing systems so that passwords are memorable is dangerous. Asking for mother’s maiden name is a classic example of what not to do.
– This information is easily obtained from public records.
Also, this makes a cultural assumption, and such assumptions should be avoided whenever possible.

Design Errors (2)
Do not use your bank PIN for anything else.
– If you do, and your card is stolen and the thief manages to access your account, you will probably not be able to recover any of the stolen money from the bank.
Where a bank allows its customers to choose their own PIN, it is believed that about one third of customers use a birth date.

Operational Issues
A classic mistake for system administrators to make is not resetting the default passwords supplied with some systems.
System Issues (1)
To understand what is required of a password system it is necessary to understand how it can be attacked. Attacks on passwords can be broadly classified as:
– A targeted attack on one account: the attacker tries to obtain a particular user’s password.
– An attempt to penetrate any account on a system: the attacker tries to steal any password for the system, for example by a dictionary attack.
– An attempt to penetrate any account on any system: the attacker is seeking access to any system within a given domain.
– A service denial attack: the attacker may want to prevent a specific user from using the system.

System Issues (2)
Additional factors have to be considered when designing countermeasures against attacks on passwords. Attacks will be looked at in more detail later on.

Who are the Potential Attackers?
Does the system need to protect its users from each other? Multilateral security is a major topic in this module. It includes ensuring that possession of one password will not allow other passwords to be stolen. In some cases a user who chooses an easily guessed password has harmed only themselves; in others, where multilateral security has not been applied, this is not the case.

Intrusion Detection
An important consideration is how a password system interacts with an intrusion detection system. If you enter three bad PIN numbers into a cash machine your card is frozen or not returned. However, in some cases such an approach leaves a system open to denial of service attacks.

Training Users
Users can be trained and, to some extent, controlled.
– They can be required to choose a good password and disciplined if they do not.
– However, this is not appropriate where the system is offering a service to the public.
It is good practice for a system administrator to periodically run a password cracking program to identify weak passwords so that they can be changed or removed.
Technical Protection of Passwords
Password entry needs to be protected. Other people should not be able to see the password being entered, e.g. when Chip and PIN is used. The machine you log on to may be malicious. Windows NT uses the secure attention sequence Ctrl-Alt-Del to ensure the user sees a genuine password prompt.
– A facility that assures the user they are talking to the genuine system is called a trusted path.

Attacks on Password Storage (1)
If a system logs failed password attempts, the log may contain a large number of genuine passwords because of users getting the username and password sequence wrong. A plain text file of passwords must not be kept on the system.
– Normally, when a password is entered it is passed through a one-way function and the result is checked to see if it matches a stored value. The one-way function may be a hash algorithm or an encryption algorithm.

Attacks on Password Storage (2)
Some systems that use an encrypted password file make it widely readable.
– Unix used to make the encrypted password file world readable.
– An attacker could steal this file and perform a dictionary attack by passing each entry in the dictionary through the appropriate one-way function and seeing if they obtain a match.

Absolute Limits
There are often absolute limits imposed on passwords by the underlying operating system. Unix systems used to limit the length of a password to eight characters. This gives 96^8 possible passwords, which is about 2^52, and the average effort for a search is about half that. A well organised group of attackers can break any encrypted password in a standard Unix password file.
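The storage and logging points from the Attacks on Password Storage slides, together with the three-strikes lockout from the Intrusion Detection slide, put into code. This is an added example for these notes, not code from the lecture or from any system it mentions. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the one-way function (the lecture leaves the choice between a hash and a cipher open), a random per-user salt so that a stolen file cannot be attacked by hashing each dictionary word once for everybody, a constant-time comparison of the stored value, an audit log that records only the username and the outcome (never the string that was typed, which is how the lecture’s “log full of genuine passwords” problem arises), and a lockout after three failures that illustrates the denial-of-service trade-off the lecture points out. The user names and passwords in the demo are constructed.

```python
"""Salted one-way password storage with a lockout counter (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # deliberately slow: every dictionary guess costs this much work
LOCKOUT_AFTER = 3      # as at the cash machine: three bad tries and the account freezes


def make_record(password, salt=None):
    """What the server stores: a random salt plus the one-way function's output.

    The password itself is never kept.  Two users with the same password get
    different digests because their salts differ.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, ITERATIONS)
    return {'salt': salt, 'digest': digest, 'failures': 0, 'locked': False}


def check_password(record, attempt):
    """Recompute the one-way function on the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac('sha256', attempt.encode(), record['salt'], ITERATIONS)
    return hmac.compare_digest(digest, record['digest'])


class PasswordStore:
    def __init__(self):
        self.records = {}
        self.log = []   # audit log holds (username, outcome) only, never what was typed

    def add_user(self, user, password):
        self.records[user] = make_record(password)

    def login(self, user, attempt):
        """Return 'ok', 'fail' or 'locked'."""
        rec = self.records.get(user)
        if rec is None:
            make_record(attempt)            # same work as a real check, so timing reveals nothing
            self.log.append((user, 'fail'))
            return 'fail'
        if rec['locked']:
            self.log.append((user, 'locked'))
            return 'locked'
        if check_password(rec, attempt):
            rec['failures'] = 0
            self.log.append((user, 'ok'))
            return 'ok'
        rec['failures'] += 1
        if rec['failures'] >= LOCKOUT_AFTER:
            # The lecture's trade-off: freezing the account stops guessing, but it
            # also means bad guesses against a known username deny that user service.
            rec['locked'] = True
        self.log.append((user, 'fail'))
        return 'fail'


def demo():
    """Constructed scenario: two users with the same password, three bad tries on alice."""
    store = PasswordStore()
    store.add_user('alice', 'correct horse')
    store.add_user('bob', 'correct horse')
    same_digest = store.records['alice']['digest'] == store.records['bob']['digest']
    outcomes = [store.login('alice', 'wrong guess') for _ in range(3)]
    outcomes.append(store.login('alice', 'correct horse'))   # right password, but now locked
    return same_digest, outcomes, store.log


if __name__ == '__main__':
    same, outcomes, log = demo()
    print('alice and bob share a digest:', same)
    print('login outcomes:', outcomes)
    print('audit log:', log)
```

The demo ends with the genuine password being refused because the account is already frozen: that is the behaviour the cash-machine rule gives, and also the reason the lecture warns that lockouts can be turned into a denial of service. Note that the audit log entries carry nothing that could be replayed as a password.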
State-of-the-Art (1)
Chwei-Shyong Tsai, Cheng-Chi Lee, and Min-Shiang Hwang, “Password Authentication Schemes: Current Status and Key Issues”, International Journal of Network Security, Vol. 3, No. 2, pp. 101–115, Sept. 2006 (http://ijns.nchu.edu.tw/) surveys current password-authentication-related schemes and classifies them in terms of several crucial criteria. They conclude that: “Most of the existing schemes are vulnerable to various attacks and fail to serve all the purposes an ideal password authentication scheme should.”

State-of-the-Art (2)
An ideal password authentication scheme has to withstand the following attacks:
SR1. Denial of Service Attacks: an attacker can update false verification information of a legal user for the next login phase. Afterwards, the legal user will not be able to login successfully any more.
SR2. Forgery Attacks (Impersonation Attacks): an attacker attempts to modify intercepted communications to masquerade as the legal user and login to the system.

State-of-the-Art (3)
SR3. Forward Secrecy: ensures that the previously generated passwords in the system are secure even if the system’s secret key has been revealed in public by accident or is stolen.
SR4. Mutual Authentication: the user and the server can authenticate each other. Not only can the server verify the legal users, but the users can also verify the legal server.
– Mutual authentication can help withstand the server spoofing attack, where an attacker pretends to be the server in order to manipulate sensitive data of the legal users.

State-of-the-Art (4)
SR5. Parallel Session Attacks: without knowing a user’s password, an attacker can masquerade as the legal user by creating a valid login message out of some eavesdropped communication between the user and the server.
SR6. Password Guessing Attacks: most passwords have such low entropy that they are vulnerable to password guessing attacks, where an attacker intercepts authentication messages and stores them locally, then uses a guessed password and seeks to verify the correctness of the guess using these authentication messages.

State-of-the-Art (5)
SR7. Replay Attacks: having intercepted previous communications, an attacker can replay the intercepted messages to impersonate the legal user and login to the system.
SR8. Smart Card Loss Attacks: when the smart card is lost or stolen, unauthorized
State-of-the-Art (6)
An ideal password authentication scheme should withstand all of the above attacks, and achieve the following goals:
1. The passwords or verification tables are not stored in the system.
2. The passwords can be chosen and changed freely by the users.
3. The passwords cannot be revealed by the administrator of the server.

State-of-the-Art (7)
4. The passwords are not transmitted in plain text over the network.
5. The length of a password must be appropriate for memorization.
6. The scheme must be efficient and practical.

State-of-the-Art (8)
7. Any unauthorized login can be quickly detected when a user inputs a wrong password.
8. A session key is established during the password authentication process to provide confidentiality of communication.

State-of-the-Art (9)
9. The ID should be dynamically changed for each login session to avoid partial information leakage about the user’s login message.
10. The proposed scheme is still secure even if the secret key of the server is leaked out or stolen.
Many existing password-authentication schemes use a password together with something possessed, like a smart card, to identify a user.
Future Directions (1)
To achieve an ideal password authentication scheme it is anticipated that, in addition to something possessed, a biometric such as an iris pattern will be used. Significantly, most current password authentication schemes are designed for a single-server environment. Some recent schemes work with multi-server architectures, where users can register at the registration centre only once and access resources from different servers efficiently. Kerberos is such a scheme, but all the servers have to be on the same network.

Future Directions (2)
It is anticipated that significant effort will go into enhancing such schemes in the coming years.
Note: For the purposes of authenticating the identity of one computing device to another, cryptographic protocols are more difficult to circumvent than passwords.
References
Burrows, M., Abadi, M. and Needham, R. (1989) “A Logic of Authentication”, Tech. Report 39, Palo Alto, CA: Digital Equipment Corporation Systems Research Center.
Coulouris, G., Dollimore, J. and Kindberg, T. (1994) Archive material from Edition 2 of Distributed Systems: Concepts and Design, http://www.cdk3.net/security/Ed2/BANLogic.pdf
Glasgow, J., MacEwen, G. and Panangaden, P. (1992) “A Logic for Reasoning about Security”, ACM Trans. on Computer Systems, vol. 10, no. 3, pp. 265–310.
Lampson, B.W., Abadi, M., Burrows, M. and Wobber, E. (1992) “Authentication in Distributed Systems: Theory and Practice”, ACM Trans. on Computer Systems, vol. 10, no. 4, pp. 265–310.
http://www.acsac.org/2005/papers/Bell.pdf
Homework
– Burrows et al. (1989): lots of examples to explore.
– The 3GPP (Third Generation Partnership Project) used BAN logic to verify 3GPP AKA (Authentication and Key Agreement). How?
– TCB
– SL