a logic of authentication michael burrows, martin abadi, roger needham ban logic presented by :...

A Logic of Authentication

Michael Burrows, Martin Abadi, Roger Needham

BAN Logic

Presented by : Wenjin Hu

Using Logic to analyze authentication protocols

describing

• the beliefs of trustworthy parties involved in authentication protocols

presenting

• the evolution of these beliefs as a consequence of communication

Purpose:

• Discover subtleties in different authentication protocols

• Draw attention to errors in them• Suggest improvements

Answering:What does this protocol achieve?

Does this protocol need more assumptions than another one?

Does this protocol do anything unnecessary that could be left out without weakening it?

Does this protocol encrypt something that could be sent in clear without weakening it?

Outline

• Introduce BAN logic

• Demo how BAN logic analyzes protocol

• BAN logic Defects

• Discussion on BAN logic

Authentication Protocols:Guarantee

• The principals really are who they say they are

• They will end up in possession of one or more shared secrets or recognize the use of other principals’ secrets

Review:

Introduction to BAN Logic

Mechanically verify the reasoning

Objects Principals, encryption keys, formulas

Predicate constructs Interpret organized objects into logical statements with truth values

Inference rules (Logic Postulates) a means to reason abut the above predicate constructs

A, B, SK, Kab

X, {X}K, Na

Predicate Constructs

• P believes X• P sees X• P said X• P controls X• Fresh (X)• P Q• P• {X}k

K

K

P has jurisdiction over X

the principal P is an authority on X and should be trusted on this matter.

Shared key

Public key

The formula X encrypted under the key K

Logical Postulates

• Message-meaning

• Nonce-verification

• Jurisdiction

• Freshness

P believes , P sees {X}kQ Pk

P believes Q said X

P believes Q controls X, P believes Q believes X

P believes X

P believes fresh(X)

P believes fresh(X,Y)

P believes fresh(X), P believes Q said X

P believes Q believes X

P believes , P sees {X}k-1k

P sees X

| Q

Logical Postulates II

• ComponentP sees (X, Y)

P sees X

P believes , P sees {X}k-1 Qk

P sees X


P sees X

P believes Q believes (X, Y)


P believes (X, Y)

P believes X

P believes Q said (X, Y)

P believes Q said X

P believes X, P believes Y

P believes (X, Y)

Steps of Logic Analysis:

1 Derive idealized protocol from the original one Transform the protocol into statements (formula)

(3)guidelines of idealization of a protocol (something debating)

2 State assumptions about initial state skills in giving the assumption

3 Attach logical formula to each statement of the protocol, as assertions about the state of the system after each statement

4 Apply logical rules to assumptions and assertions, in order to discover the beliefs held by principals in the protocol

5 Conclude what beliefs are held at the end of the protocol

(I)A believes (II)A believes B believes

B believes B believes A believes

A Bk

A BkA Bk

A Bk

Logic Demo

• The Kerberos Protocol

1 A->S: A,B

2 S->A: {Ts, L, Kab, B, {Ts, L, Kab, A}Kbs }Kas

3 A->B: {Ts, L, Kab, A}Kbs, {A, Ta}Kab

4 B->A: {Ta+1}Kab

2 S->A: {Ts, A B, {Ts, A B}Kbs}Kas

3 A->B: {Ts, A B}Kbs, {Ta, A B}KabfromA

4 B->A: {Ta, A B}Kabfrom B

Idealized as:

kab

kab

kab

kab

kab

Guideline of Idealization

• A message used as a hint is to be omitted Cleartext is omitted simple because it can be forged

• A real message m can be interpreted as a formula X if whenever the recipient gets m he may deduce that the sender must have believed X when he sent m

• Real nonces are transformed into arbitrary new formulas

A B: {A, Kab}Kbs A B: {A B}Kbskab

{Ts, L }Kbs {Ts}Kbs

Logic Demo (Con’t)

• Idealization

2 S->A: {Ts, A B, {Ts, A B}Kbs}Kas

3 A->B: {Ts, A B}Kbs, {Ta, A B}KabfromA

4 B->A: {Ta, A B}Kabfrom B

kab

kab

kab

kab

kab


• Assumption

kab

A believes A S B believes B S

S believes A S S believes B S

S believes A B

A believes (S controls A B)

B believes (S controls A B)

A believes fresh(Ts) B believes fresh(Ts)

A believes fresh(Ta) B believes fresh(Ta)

k

kbskas

kas kbs

k

Logic Demo (Con’t)• Analysis

kab{Ts, A B, {Ts, A B}Kbs}Kaskab

A sees {Ts, A B, {Ts, A B}Kbs}Kaskab kab

AssumptionA believes A S

kas


P believes Q said X

Message-meaningAssertion

P believes Q said (X, Y)

P believes Q said X

component

AssumptionA believes Fresh(Ts)

A

Belief

A believes S believes A Bkab

JurisdictionP believes Q controls X, P believes Q believes X

P believes X

A believes A Bkab

Conclusion 1:

Nonce -Verification



AssumptionA believes S controls A B

kab

Belief

A believes S said (Ts, A B, {Ts, A B}Kbs)kabkab

BeliefA believes S said (Ts, A B)

kab


B sees {Ta, A B)}Kabkab

kab{Ts, A B}Kbs, {Ta, A B}Kab

kab


P believes Q said X

Message-meaning

Assertion

BComponent

P sees (X, Y)

P sees XB sees {Ts, A B)}Kbs

kab

AssumptionB believes B S

kbs

Nonce -Verification



AssumptionB believes Fresh(Ts)

BeliefB believes S believes A B

kab

B believes S controls A BkabAssumption

JurisdictionP believes Q controls X, P believes Q believes X

P believes X

Conclusion 2: B believes A Bkab


P believes Q said X

Message-meaning

Nonce -Verification



Conclusion 3: B believes A believes A Bkab

BeliefB believes S said {Ts, A B}Kbs

kab

B sees {Ta, A B)}Kabkab

BeliefB believes A said(Ta, A B)

kab

AssumptionB believes Fresh(Ta)

B sees {Ts, A B}Kbs, {Ta, A B}Kabkab kab


B believes A believes A Bkab

kab{Ta, A B}Kab


P believes Q said X

Message-meaning

Assertion

A

Nonce -Freshness



A believes A Bkab

Conclusion 1:

Conclusion 2: B believes A Bkab

Conclusion 3:

A believes A Bkab

Conclusion 1:

Conclusion 4: A believes B believes A Bkab

A sees {Ta, A B)}Kabkab

Belief

A believes B said(Ta, A B)kab

AssumptionA believes Fresh(Ta)


A believes B believes A Bkab

B believes A believes A BkabA believes A B

kab

B believes A Bkab

• Conclusion Beliefs we get

Improvement we can find

In the analysis of the second message, {Ts, A B}Kbs is not needed to be re-encrypted as we look back through the formal analysis

kab

The Otway-Rees Protocol

• Protocol

A B: M, A, B, {Na, M, A, B}Kas

B S: M, A, B, {Na, M, A, B}Kas

{Nb, M, A, B}Kbs

S B: M, {Na, Kab}Kas, {Nb, Kab}Kbs

B A: M, {Na, Kab}Kas

M = Nc

Idealized protocol

A B: {Na,Nc}Kas

B S: {Na,Nc}Kas, {Nb,Nc}Kbs

S B: {Na, (A B), (B said Nc)}Kas,kab

kab{Nb, (A B), (A said Nc)}Kbs

B A: {Na, (A B), (B said Nc)}Kaskab


• Idealization

The fact that the messages are sent at all, because if the common nonces had not matched nothing would ever have happened.

A B: {Na,Nc}Kas





The Otway-Rees Protocol• Assumption

A believes A Skas

B believes B Skbs

S believes A Skas

S believes B Skbs

S believes A Bkab

A believes S controls A Bkab

B believes S controls A Bkab

A believes S controls (B said X ) B believes S controls (A said X )

A believes Fresh(Na) S believes Fresh(Nb )

A believes Fresh(Nc )


• Analysis

A B: {Na,Nc}Kas

B sees {Na,Nc}Kas but does not understand it and pass it to S



P believes Q said X

S believes A Skas

S sees {Na,Nc}Kas

S believes A said (Na,Nc)

S believes B said (Nb,Nc)

S believes B Skbs

S sees {Nb,Nc}Kbs




• Analysis

kabS sees {Nb, (A B), (A said Nc)}Kbs

S believes B Skbs


P believes Q said X

B believes S said (Nb, (A B), (A said Nc))kab

B believes S believes A Bkab B believes S believes (A said Nc)

B believes S controls (A said X) B believes S controls A Bkab


P believes X

B believes A Bkab

B believes (A said Nc)



B believes Fresh(Nb)

B believes Fresh(Nb, (A B), (A said Nc))

P believes fresh(X)

P believes fresh(X,Y)kab

B believes S believes (Nb, (A B), (A said Nc))kab


P believes X

The Otway-Rees Protocol• Analysis

A believes Fresh(Nc)


P believes X

A believes B believes Nc)

kabA sees {Na, (A B), (B said Nc)}Kas P believes , P sees {X}kQ Pk

P believes Q said X

A believes S said (Na, (A B), (B said Nc))kab

S believes A Skas


A believes S believes A Bkab

A believes S believes (B said Nc)

A believes S controls (B said X) A believes S controls A Bkab


P believes X

A believes A Bkab A believes (B said Nc)

P believes (X, Y)

P believes X

A believes Fresh(Na, (A B), (B said Nc))

P believes fresh(X)

P believes fresh(X,Y)kab

A believes S believes (Na, (A B), (B said Nc))kab


P believes X

A believes Fresh(Na)


• Beliefs

The author has partly used the belief we reached in the middle into the idealized protocol

A believes A B A believes B believes Nckab

B believes A Bkab

B believes (A said Nc)



Both A and B gets the new key Kab

A is in a better position than B

A knows B exists but does not know if B gets the key Kab


• Conclusion

Na can be eliminated Na could just be as well have been done using Nc

Nb need not be encrypted in the second message

A B: M, A, B, {M, A, B}Kas

B S: M, A, B, {M, A, B}Kas

Nb, {M, A, B}Kbs

S B: M, {M, Kab}Kas, {Nb, Kab}Kbs

B A: M, {M, Kab}Kas

• Modification

BAN Logic Defects

BAN Logic Exclusion

BAN Logic Declaration:

• Allow for the possible of hostile principal

• Neither deal with the authentication of an untrustworthy principal

• Nor detect weakness of encryption schemes or unauthorized release of secrets


• Modified protocol

A B: M, A, B, {Na, M, A, B}Kas

B S: M, A, B, {Na, M, A, B}Kas

Nb, {M, A, B}Kbs

S B: M, {Na, Kab}Kas, {Nb, Kab}Kbs

B A: M, {Na, Kab}Kas

The Otway-Rees Protocol• One Possible Attack

server ignores the replay of M’{Nb, Kib}Kbs A B

kab≠

M’s freshness is provided by Na we have to doubt it as a nounce.Principal A should be honest!!!

I(A) B: M, A, B, {M’, Ni, I, B}Kis

I(B) S: M’, A, B, {M’, Ni, I, B}Kis

Nb, {M’, A, B}Kbs

I(S) B: M, {Ni, Kib}Kis, {Nb, Kib}Kbs

B A: M, {Ni, Kib}Kis

B S: M, A, B, {M’, Ni, I, B}Kis,

Nb, {M, A, B}Kbs

S B: M’, {Ni, Kib}Kis, {Nb, Kib}Kbs

Another flaw in BAN Logic

• The Nessett protocol

A B: {Na, Kab}K-1

B A: {Na}Kab

Idealization

A B: {Na, A B}K-1

B A: {Na, A B}Kab

kab

kab

Assumptions

B believes | AkA

A believes A Bkab

B believes Fresh (Na)

B believes A controls (A B )kab

A believes Fresh (Na)

Nessett Protocol

• Analysis

Message-meaning

Nonce-verification

Jurisdication

A sees { Na,A B}Kab

A believes B said (Na, A B)

A believes B believes A B

kab

kab

kab

A believes A Bkab

A believes fresh(A B)kab

A believes fresh(Na)

B sees {Na, A B}K-1

B believes | AkA

B believes A said (Na, A B)

B believes Fresh(Na)

B believes A believes A B

kab

kab

kab

B believes A controls (A B)kab

B believes A Bkab

Message-meaning

Nonce-verification

Explanation of the Flaw

• Establishing the property distributing information to a subset of the principals so that

some predicated defined over this population obtained

• Failing to provide the second property distributing information in such a way that another subset of

the population is denied accessed to it

Argument of the Flaw

• Assumption that A believes that Kab is a good shared key for A and B. This is clearly inconsistent with the message exchange, where A publishes Kab

• The inconsistency is not manifested by formalism but is manifested by the wit of man to notice

• The author admits that it is hard to provide a logic for finding all security problems

Flaws in BAN Logic• On Protocol Idealization No well-understood semantic rule to govern this job makes this job a

very expert one.

• On Belief In nonce-verification, a principal positively establishes a belief due to the

statement made by another principal disregarding the fact that the latter may be cheating.

E.g. : P believes that Q said X, where X is a statement “I am not Q”; Q may still be identified (authenticated) as Q even if he said this, just as he may turn out to be someone else even if X is “I am Q”

• On Protocol Assumption There is no way of knowing in the BAN approach if slightly different

assumptions would change an unsatisfactory protocol into a good one. It also cannot be shown that the assumption used for a good protocol are necessary, or are the weakest possible.

• On Confidentiality The goodness of a session key rests on a statement issued by a

trustworthy principal. BAN logic can not tell whether a session key under distribution is exclusively delivered to an expected set of principals.

Possible Improvements

• Challenge & Response

• Deny Postulates

• Weakest pre-condition Bottom-up method

Critiques on BAN Logic

• 1 Failure to discover flaws which violate security in a basic sense

• 2 When the logic finds a bug in a protocol, everyone believes that it is a bug; when the logic finds a proof of correctness, people seem to have trouble believing that it is a proof

• 3 informality in the logic’s operational semantics

Summary

Anyway

• BAN logic is an initial approach towards Formal Analysis of cryptograph protocols

• The work is pioneering and classic

• It has provided us a good framework of applying Logic to protocol analysis. Researches have been carried out to adapt it into a logical reasoning computation suitable for computer-aided analysis

Reference:

• [1] M. Burrows, M. Adadi, and R. Needham. “A logic of authentication”

• [2] D. Nessett. “A Critique of the Burrows, Abadi and Needham Logic”

• [3] W. Mao and C. Boyd. “Towards Formal Analysis of Security Protocols”

Questions and Comments

Welcome any discussions on this topic

Thank U

:P

Outtake:

• If you believe that only you and Bob know X, then you ought to believe that any encrypted message you receive containng X comes originally from Bob.

P QX

On Secret{X}Y

especially useful to password

• X combined wit the formula Y; it is intended that Y be a secret, and that its presence prove the identity of whoever utters 〈X〉 Y

P sees

P sees X

〈X〉 YP believes , P seesQ PY

P believes Q said X

〈X〉 Y

a logic of authentication michael burrows, martin abadi, roger needham ban logic presented by :...

Documents