Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu."— Presentation transcript:

1 A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu

2 Using Logic to analyze authentication protocols describing the beliefs of trustworthy parties involved in authentication protocols presenting the evolution of these beliefs as a consequence of communication

3 Purpose: Discover subtleties in different authentication protocols Draw attention to errors in them Suggest improvements Answering: What does this protocol achieve? Does this protocol need more assumptions than another one? Does this protocol do anything unnecessary that could be left out without weakening it? Does this protocol encrypt something that could be sent in clear without weakening it?

4 Outline Introduce BAN logic Demo how BAN logic analyzes protocol BAN logic Defects Discussion on BAN logic

5 Authentication Protocols: Guarantee The principals really are who they say they are They will end up in possession of one or more shared secrets or recognize the use of other principals’ secrets Review:

6 Introduction to BAN Logic Mechanically verify the reasoning Objects Principals, encryption keys, formulas Predicate constructs Interpret organized objects into logical statements with truth values Inference rules (Logic Postulates) a means to reason abut the above predicate constructs A, B, S K, Kab X, {X} K, Na

7 Predicate Constructs P believes X P sees X P said X P controls X Fresh (X) P Q P {X} k  K  K P has jurisdiction over X the principal P is an authority on X and should be trusted on this matter. Shared key Public key The formula X encrypted under the key K

8 Logical Postulates Message-meaning Nonce-verification Jurisdiction Freshness

9 Logical Postulates II Component

10 Steps of Logic Analysis: 1 Derive idealized protocol from the original one Transform the protocol into statements (formula) (3)guidelines of idealization of a protocol (something debating) 2 State assumptions about initial state skills in giving the assumption 3 Attach logical formula to each statement of the protocol, as assertions about the state of the system after each statement 4 Apply logical rules to assumptions and assertions, in order to discover the beliefs held by principals in the protocol 5 Conclude what beliefs are held at the end of the protocol (I)A believes (II)A believes B believes B believes B believes A believes A  B k k k k

11 Logic Demo The Kerberos Protocol 1 A->S: A,B 2 S->A: {Ts, L, K ab, B, {Ts, L, K ab, A} K bs } K as 3 A->B: {Ts, L, K ab, A} K bs, {A, T a } K ab 4 B->A: {T a +1} K ab 2S->A: {Ts, A B, {Ts, A B} K bs } K as 3A->B: {Ts, A B} K bs, {Ta, A B} K ab fromA 4B->A: {Ta, A B} K ab from B Idealized as:

12 Guideline of Idealization A message used as a hint is to be omitted Cleartext is omitted simple because it can be forged  A real message m can be interpreted as a formula X if whenever the recipient gets m he may deduce that the sender must have believed X when he sent m Real nonces are transformed into arbitrary new formulas

13 Logic Demo (Con’t) Idealization 2S->A: {Ts, A B, {Ts, A B} K bs } K as 3A->B: {Ts, A B} K bs, {Ta, A B} K ab fromA 4B->A: {Ta, A B} K ab from B

14 Logic Demo (Con’t) Assumption A believes A SB believes B S S believes A SS believes B S S believes A B A believes (S controls A B) B believes (S controls A B) A believes fresh(Ts)B believes fresh(Ts) A believes fresh(Ta) B believes fresh(Ta)

15 Logic Demo (Con’t) Analysis {Ts, A B, {Ts, A B} K bs } K as Assumption Message-meaning Assertion component Assumption A BeliefJurisdiction Conclusion 1: Nonce -Verification Assumption Belief

16 Logic Demo (Con’t) {Ts, A B} K bs, {Ta, A B} K ab Message-meaning Assertion B Component Assumption Nonce -Verification Assumption Belief Assumption Jurisdiction Conclusion 2: Message-meaning Nonce -Verification Conclusion 3: Belief Assumption

17 Logic Demo (Con’t) {Ta, A B} K ab Message-meaning Assertion A Nonce -Freshness Conclusion 1: Conclusion 2: Conclusion 3: Conclusion 1: Conclusion 4: Belief Assumption

18 Logic Demo (Con’t) Conclusion Beliefs we get Improvement we can find In the analysis of the second message, {Ts, A B}K bs is not needed to be re-encrypted as we look back through the formal analysis

19 The Otway-Rees Protocol Protocol Idealized protocol

20 The Otway-Rees Protocol Idealization The fact that the messages are sent at all, because if the common nonces had not matched nothing would ever have happened.

21 The Otway-Rees Protocol Assumption A believes A S k as B believes B S k bs S believes A S k as S believes B S k bs S believes A B k ab A believes S controls A B k ab B believes S controls A B k ab A believes S controls(B said X)B believes S controls(A said X) A believes Fresh(N a ) S believes Fresh(N b ) A believes Fresh(N c )

22 The Otway-Rees Protocol Analysis

23 The Otway-Rees Protocol Analysis

24 The Otway-Rees Protocol Analysis

25 The Otway-Rees Protocol Beliefs The author has partly used the belief we reached in the middle into the idealized protocol Both A and B gets the new key Kab A is in a better position than B A knows B exists but does not know if B gets the key K ab

26 The Otway-Rees Protocol Conclusion N a can be eliminated Na could just be as well have been done using Nc N b need not be encrypted in the second message Modification

27 BAN Logic Defects

28 BAN Logic Exclusion BAN Logic Declaration: Allow for the possible of hostile principal Neither deal with the authentication of an untrustworthy principal Nor detect weakness of encryption schemes or unauthorized release of secrets

29 The Otway-Rees Protocol Modified protocol

30 The Otway-Rees Protocol One Possible Attack server ignores the replay of M’ M’s freshness is provided by Na we have to doubt it as a nounce. Principal A should be honest!!! I(A)B:M,A,B, {M’,Ni,I,B} Kis I(B)S:M’,A,B, {M’,Ni,I,B} Kis Nb, {M’,A,B} Kbs I(S)B:M, {Ni,K ib } Kis, {Nb,K ib } Kbs B A:M, {Ni,K ib } Kis B S:M,A,B, {M’,Ni,I,B} Kis, Nb, {M,A,B} Kbs

31 Another flaw in BAN Logic The Nessett protocol Idealization Assumptions B believes|A k A A believesA B k ab B believes Fresh(Na) B believes A controls(A B) k ab A believes Fresh(Na)

32 Nessett Protocol Analysis Message-meaning Nonce-verification Jurisdication Message-meaning Nonce-verification

33 Explanation of the Flaw Establishing the property distributing information to a subset of the principals so that some predicated defined over this population obtained Failing to provide the second property distributing information in such a way that another subset of the population is denied accessed to it

34 Argument of the Flaw Assumption that A believes that Kab is a good shared key for A and B. This is clearly inconsistent with the message exchange, where A publishes Kab The inconsistency is not manifested by formalism but is manifested by the wit of man to notice The author admits that it is hard to provide a logic for finding all security problems

35 Flaws in BAN Logic On Protocol Idealization No well-understood semantic rule to govern this job makes this job a very expert one. On Belief In nonce-verification, a principal positively establishes a belief due to the statement made by another principal disregarding the fact that the latter may be cheating. E.g. : P believes that Q said X, where X is a statement “I am not Q”; Q may still be identified (authenticated) as Q even if he said this, just as he may turn out to be someone else even if X is “I am Q” On Protocol Assumption There is no way of knowing in the BAN approach if slightly different assumptions would change an unsatisfactory protocol into a good one. It also cannot be shown that the assumption used for a good protocol are necessary, or are the weakest possible. On Confidentiality The goodness of a session key rests on a statement issued by a trustworthy principal. BAN logic can not tell whether a session key under distribution is exclusively delivered to an expected set of principals.

36 Possible Improvements Challenge & Response Deny Postulates Weakest pre-condition Bottom-up method

37 Critiques on BAN Logic 1 Failure to discover flaws which violate security in a basic sense 2 When the logic finds a bug in a protocol, everyone believes that it is a bug; when the logic finds a proof of correctness, people seem to have trouble believing that it is a proof 3 informality in the logic’s operational semantics

38 Summary Anyway BAN logic is an initial approach towards Formal Analysis of cryptograph protocols The work is pioneering and classic It has provided us a good framework of applying Logic to protocol analysis. Researches have been carried out to adapt it into a logical reasoning computation suitable for computer- aided analysis

39 Reference: [1] M. Burrows, M. Adadi, and R. Needham. “A logic of authentication” [2] D. Nessett. “A Critique of the Burrows, Abadi and Needham Logic” [3] W. Mao and C. Boyd. “Towards Formal Analysis of Security Protocols”

40 Questions and Comments Welcome any discussions on this topic

41 Thank U :P

42 Outtake: If you believe that only you and Bob know X, then you ought to believe that any encrypted message you receive containng X comes originally from Bob. On Secret especially useful to password X combined wit the formula Y; it is intended that Y be a secret, and that its presence prove the identity of whoever utters

Download ppt "A Logic of Authentication Michael Burrows, Martin Abadi, Roger Needham BAN Logic Presented by : Wenjin Hu."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.

Modelling and Analysing Security Protocol: Lecture 4 Attacks and Principles Tom Chothia CWI.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.

BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
1 Protocols are programs too The meta-heuristic search for security protocols By John A. Clark.

1 Protocols are programs too The meta-heuristic search for security protocols By John A. Clark.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Chapter 2 Protocols Controlling communications of principals in systems.

Chapter 2 Protocols Controlling communications of principals in systems.

Similar presentations

Ads by Google