APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.


APPLICATIONS OF BAN-LOGIC. JAN WESSELS, CMG FINANCE B.V. APRIL 19, 2001

Chapter 1 Introduction

This document is meant to give an overview of the BAN-logic. The BAN-logic is one of the methods for the analysis of cryptographic protocols. One of the goals is to show how the BAN-logic is applied best. Although the BAN-logic can be applied easily and gives quick insight into the working of a protocol, care has to be taken that the analysis is made thoroughly. It should be avoided that assumptions are made quickly without writing them down. The document first gives an overview of the BAN-logic, after which the Station-to-Station protocol is used as an example. The protocol is analysed in a number of ways.

Chapter 2 BAN Overview

Burrows, Abadi and Needham [BAN89] developed a logic for analysing authentication protocols. The logic is called BAN-logic. In the logic all public- and shared-key primitives are formalised, and also the notion of a fresh message. This makes it possible to formalise a challenge-response protocol. BAN-logic can be used for answering the following questions:

- To what conclusions does this protocol come?
- What assumptions are needed for this protocol?
- Does the protocol use unnecessary actions, which can be left out?
- Does the protocol encrypt anything which could be sent in plain, without weakening the security?

The BAN logic makes it possible to reason over cryptographic protocols in a simple, formal way. The basis for the logic is the belief of a party in the truth of a formula. A formula need not be true in the general sense of truth. It should be kept in mind that the BAN logic is meant for reasoning over cryptographic protocols. A verification with BAN logic does not necessarily imply that no attacks on the protocol are possible. A proof with the BAN logic is a good proof of correctness, based on the assumptions. However, questions may arise over the semantics of the logic, and the logic leaves possible attacks out of consideration. BAN logic has its purpose, because it can be used in the design of a cryptographic protocol. The use of a formal language in the design process can exclude faults.

Chapter 3 Notation

This chapter describes the syntax of the BAN logic. Not all symbols are given here, only the symbols used for the analysis. For the other syntactical rules, see the article of Burrows, Abadi and Needham [BAN89].

- P believes that X holds: $P |\equiv X$. It means that P believes that in the current run of the protocol the formula X is true. This does not mean that X is a general truth; it just shows what P believes.
- P sees the formula X: $P \triangleleft X$. It can also be said as: P holds X.
- $P |\Rightarrow X$: the entity P has complete control (jurisdiction) over the formula X. This can be used when reasoning over Certificate Authorities.
- P has once said the formula X: $P |\sim X$. The past holds all earlier runs of the protocol and earlier messages of the current run of the protocol.
- X is fresh: $\sharp(X)$. The formula X is recent; it has not been used before, X is a nonce.
- P and Q share a secret key: $P \stackrel{K}{\leftrightarrow} Q$. The secret key K is only usable in the communication between P and Q, and is only known to P and Q. It is implicit that K is a secret between both parties.
- P has a public key K, denoted by: $\stackrel{K}{\mapsto} P$. The secret key is denoted with $K^{-1}$.
- Encryption of X with key K is denoted in the standard way: $\{X\}_K$.

In order to use the logic, there is a need for introduction and elimination rules.

Chapter 4 Overview of Introduction and Elimination Rules

In this chapter a short overview is given of the introduction, usage and elimination rules. The overview is not complete, but is sufficient for the analysis in this document. The rules given are also the most used rules.

The rule for k-introduction (introduction of a session key) is:

$\frac{A |\equiv \sharp(k),\quad A |\equiv B |\equiv X}{A |\equiv A \stackrel{k}{\leftrightarrow} B}$

with X meaning the necessary ingredients for a key. The rule should be applied carefully, as it may cause confusion. Informally, the rule states that in order to believe a new session key, A has to believe the key is a new key and A has to believe that B also believes in the parts of the key, so that B is also able to make the key. Formally it is required that A believes that B also takes part in the protocol, but this is hard to formalise. A predicate P(B) would be necessary, which states that B takes part in the protocol. This is hard to prove, so we accept the assumption that when B believes parts of the key, B also is able to create the key.

When an entity creates a random value, it believes that this value has not been used before. The $\sharp$-introduction rule is:

$\frac{A \text{ creates random } x}{A |\equiv \sharp(x)}$

Sending a message is formalised in the logic with $\triangleleft$-introduction:

$\frac{\text{Message } n:\ A \rightarrow B: X}{B \triangleleft X}$

For shared keys there is a $|\sim$-introduction rule:

$\frac{P |\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P |\equiv Q |\sim X}$

When P sees a message which is encrypted with the shared key of P and Q, then P believes that Q has sent the message. As the secret key is only known to P and Q, only P or Q are able to produce the message, and P knows what it has said itself.

For public keys there is a $|\sim$-introduction rule as well:

$\frac{P |\equiv \stackrel{K}{\mapsto} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P |\equiv Q |\sim X}$

The rule is almost the same as the previous rule. $K^{-1}$ is the secret part of the public key of Q. When P sees a message which is encrypted with the secret key of Q, then it can only have been sent by Q.

$|\sim$-elimination rule (nonce verification):

$\frac{P |\equiv \sharp(X),\quad P |\equiv Q |\sim X}{P |\equiv Q |\equiv X}$

When P believes that X is a recent (fresh) message, and P believes that it was said by Q, then P believes that Q still believes the message X. It is mainly used with requests for keys from a Certificate Authority, where not only the authority of the server is important but also the validity of the key. The server (B) has to believe the validity of the key.

Jurisdiction or control, $|\Rightarrow$-elimination:

$\frac{P |\equiv Q |\Rightarrow X,\quad P |\equiv Q |\equiv X}{P |\equiv X}$

P believes that the principal Q has jurisdiction over the formula X. This means that Q is trusted to make statements over X.

Introduction of multipart messages, (,)-introduction:

$\frac{P |\equiv X,\quad P |\equiv Y}{P |\equiv (X, Y)}$

A composite message can be made when a principal believes in both parts. This can be generalised to more than two parts.

Elimination of multipart messages, (,)-elimination:

$\frac{P |\equiv Q |\equiv (X, Y)}{P |\equiv Q |\equiv X}$, $\frac{P |\equiv (X, Y)}{P |\equiv X}$, $\frac{P |\equiv Q |\sim (X, Y)}{P |\equiv Q |\sim X}$, $\frac{P \triangleleft (X, Y)}{P \triangleleft X}$

Usage:

$\frac{P |\equiv \stackrel{K}{\mapsto} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X}$, $\frac{P |\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X}$, $\frac{P |\equiv \stackrel{K}{\mapsto} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P \triangleleft X}$

These rules show how principals handle encrypted messages.

Freshness promotion of multipart messages, $\sharp$-promotion:

$\frac{P |\equiv \sharp(X)}{P |\equiv \sharp((X, Y))}$, $\frac{P |\equiv \sharp(X)}{P |\equiv \sharp(\alpha^X)}$

When a value is found to be recent by an entity, the entity also believes that the message in which the value is used is recent.

A shared key is usable in both directions of a communication between two entities:

$\frac{P |\equiv R \stackrel{K}{\leftrightarrow} R'}{P |\equiv R' \stackrel{K}{\leftrightarrow} R}$, $\frac{P |\equiv Q |\equiv R \stackrel{K}{\leftrightarrow} R'}{P |\equiv Q |\equiv R' \stackrel{K}{\leftrightarrow} R}$

Introduction of session keys:

$\frac{A |\equiv \sharp(k),\quad A |\equiv B |\equiv X}{A |\equiv A \stackrel{k}{\leftrightarrow} B}$

in which X denotes the necessary elements for a key.

The introduction rule for random values:

$\frac{A \text{ chooses random } x}{A |\equiv \sharp(x)}$

The rule for sees, $\triangleleft$-introduction:

$\frac{\text{Message } n:\ A \rightarrow B: X}{B \triangleleft X}$

Chapter 5 Station-to-Station protocol

In this chapter the Station-to-Station protocol is presented and analysed with the BAN-logic. First the protocol is presented, after which it is modelled in the message format used in the BAN-logic. The analysis starts with an overview of the goals of the protocol together with the assumptions. The analysis of the protocol is then given.

5.1 Protocol overview

The Station-to-Station protocol [MvOV97, p. 532] is a variation on the Diffie-Hellman protocol for key exchange. First, the following variant will be used. Let $\rho$ be a prime, $\alpha$ a generator of $Z_\rho$, the tuple $(\rho, \alpha)$ publicly known, and $Sig_A(M)$ the signature of station A on message M. The protocol is:

1. A sends A to B.
2. B chooses a random y, calculates $Y = \alpha^y \bmod \rho$, sends Y.
3. A chooses a random x, calculates $X = \alpha^x \bmod \rho$, calculates $S_A = Sig_A(X, Y)$, sends A, X, $S_A$.
4. B calculates $S_B = Sig_B(Y)$, sends B, Y, $S_B$.

A calculates $k = Y^x \bmod \rho$; B calculates $k = X^y \bmod \rho$. It holds that $k = X^y = (\alpha^x)^y \bmod \rho = (\alpha^y)^x \bmod \rho = Y^x = k$.

In the standard notation the protocol can be presented as:

Message 1: $A \rightarrow B$: A
Message 2: $B \rightarrow A$: Y
Message 3: $A \rightarrow B$: A, X, $Sig_A(X, Y)$
Message 4: $B \rightarrow A$: B, Y, $Sig_B(Y)$

5.2 Goals

The goal of the Station-to-Station protocol is to come to the exchange of a shared secret key between two entities with two-way explicit authentication. This means

that a key k is agreed upon between the entities A and B, and both believe in k. Next to this, both entities have to believe that the other entity also believes in the key. In the BAN-logic the goals can be presented as:

1. $A |\equiv A \stackrel{k}{\leftrightarrow} B$
2. $B |\equiv A \stackrel{k}{\leftrightarrow} B$
3. $B |\equiv A |\equiv A \stackrel{k}{\leftrightarrow} B$
4. $A |\equiv B |\equiv A \stackrel{k}{\leftrightarrow} B$

These goals can be divided into two groups. First (subgoals 1 and 2), both parties believe themselves that the key k is a good key for communication between A and B. Secondly (subgoals 3 and 4), both entities also believe that the other entity believes in the key.

Subgoals

Normally the goals will be deduced from the assumptions. In this case, first a number of subgoals is presented. With these subgoals the goals can be reached:

1. $A |\equiv N_A$
2. $A |\equiv B |\equiv \alpha^{N_A}$
3. $A |\equiv \alpha^{N_B}$
4. $A |\equiv B |\equiv N_B$
5. $B |\equiv N_B$
6. $B |\equiv A |\equiv \alpha^{N_B}$
7. $B |\equiv \alpha^{N_A}$
8. $B |\equiv A |\equiv N_A$

Subgoals 1 and 3 lead to goal 1 (see footnote 1). In the same way, subgoals 2 and 4 lead to goal 4. For B, goal 2 can be deduced from subgoals 5 and 7. Goal 3 can be based on subgoals 6 and 8.

5.3 Assumptions

In the protocol a part of the message is signed with the private key of the sender. In order to read the message, it is necessary to verify it with the public key. It is assumed that all entities (already) hold the key material. When one of the entities does not have the public key of the other entity, it should be retrieved from the ...

1. $A |\equiv \stackrel{K_A}{\mapsto} A$
2. $A |\equiv \stackrel{K_B}{\mapsto} B$
3. $B |\equiv \stackrel{K_A}{\mapsto} A$
4. $B |\equiv \stackrel{K_B}{\mapsto} B$
5. $A |\equiv B |\Rightarrow \alpha^{N_B}$
6. $B |\equiv A |\Rightarrow \alpha^{N_A}$

These are the necessary assumptions.

Footnotes:
1. It holds: $A |\equiv \sharp(\alpha^{N_B}),\ A |\equiv N_A \vdash A |\equiv A \stackrel{k}{\leftrightarrow} B$.
2. The presentation here is somewhat simplified. There are no rules for dealing with fresh compositions that lead to a session key. A key K should only be known to A and B and not to outsiders. In the end (see chapter 8) it is shown that outsiders only arrive at $\alpha^{N_A}$ and $\alpha^{N_B}$.

5.4 Verification

The rules 1 to 6 are the assumptions. When the assumptions are correct, then also the conclusions are correct.

1. $A |\equiv \stackrel{K_A}{\mapsto} A$
2. $B |\equiv \stackrel{K_B}{\mapsto} B$
3. $A |\equiv \stackrel{K_B}{\mapsto} B$
4. $B |\equiv \stackrel{K_A}{\mapsto} A$
5. $B |\equiv A |\Rightarrow \alpha^{N_A}$
6. $A |\equiv B |\Rightarrow \alpha^{N_B}$

Message 1: $A \rightarrow B$: A
B chooses random $N_B$
(7. $B |\equiv N_B$ -- subgoal 5; implicit)
8. $B |\equiv \sharp(N_B)$ -- random introduction

Message 2: $B \rightarrow A$: $\alpha^{N_B}$
9. $A \triangleleft \alpha^{N_B}$ -- $\triangleleft$-intro
A chooses random $N_A$
(10. $A |\equiv N_A$ -- subgoal 1; implicit)
11. $A |\equiv \sharp(N_A)$ -- random introduction

Message 3: $A \rightarrow B$: A, $\alpha^{N_A}$, $\{\alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$
12. $B \triangleleft A, \alpha^{N_A}, \{\alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$ -- $\triangleleft$-intro
13. $B |\equiv A |\sim (\alpha^{N_A}, \alpha^{N_B})$ -- 12, 4, $|\sim$-intro
14. $B |\equiv \sharp((\alpha^{N_A}, \alpha^{N_B}))$ -- 8, $\sharp$-promotion
15. $B |\equiv A |\equiv (\alpha^{N_A}, \alpha^{N_B})$ -- 14, 13, $|\sim$-elimination
16. $B |\equiv A |\equiv \alpha^{N_A}$ -- 15, decomposition
17. $B |\equiv A |\equiv N_A$ -- 16 (subgoal 8; see remark)
18. $B |\equiv \alpha^{N_A}$ -- 5, 16, jurisdiction (subgoal 7)
19. $B |\equiv A |\equiv \alpha^{N_B}$ -- 15, decomposition (subgoal 6)

Message 4: $B \rightarrow A$: B, $\{\alpha^{N_A}\}_{K_B^{-1}}$
20. $A \triangleleft B, \{\alpha^{N_A}\}_{K_B^{-1}}$ -- $\triangleleft$-intro
21. $A |\equiv B |\sim \alpha^{N_A}$ -- 20, 3, $|\sim$-intro
22. $A |\equiv \sharp(\alpha^{N_A})$ -- 11, $\sharp$-promotion
23. $A |\equiv B |\equiv \alpha^{N_A}$ -- 22, 21, $|\sim$-elimination (subgoal 2)

A calculates session key $k = (\alpha^{N_B})^{N_A}$

24. $A |\equiv \sharp(k)$ -- 9, 11, $\sharp$-promotion, arithmetic
(25. $A |\equiv B |\equiv N_B$ -- 9 (subgoal 4))
26. $A |\equiv A \stackrel{k}{\leftrightarrow} B$ -- 24, 25, k-intro
27. $A |\equiv B |\equiv A \stackrel{k}{\leftrightarrow} B$ -- subgoals 2 and 4

B calculates session key $k = (\alpha^{N_A})^{N_B}$
28. $B |\equiv \sharp(k)$ -- 12, 8, $\sharp$-promotion, arithmetic
29. $B |\equiv A \stackrel{k}{\leftrightarrow} B$ -- 28, 16, k-intro (subgoals 5 and 7)
30. $B |\equiv A |\equiv A \stackrel{k}{\leftrightarrow} B$ -- subgoals 6 and 8

Remark: it is questionable whether line 17 can be deduced from line 16. It can be stated that (as B does not know the value of $N_A$): $\exists X \in \mathbb{Z}: (X \neq N_A \wedge \alpha^X \bmod \rho = \alpha^{N_A} \bmod \rho)$.

To see what has been derived where, first an overview of the subgoals is given:

1. $A |\equiv N_A$ -- line 10
2. $A |\equiv B |\equiv \alpha^{N_A}$ -- line 23
3. $A |\equiv \alpha^{N_B}$ -- (not derived)
4. $A |\equiv B |\equiv N_B$ -- (line 25)
5. $B |\equiv N_B$ -- line 7
6. $B |\equiv A |\equiv \alpha^{N_B}$ -- line 19
7. $B |\equiv \alpha^{N_A}$ -- line 18
8. $B |\equiv A |\equiv N_A$ -- line 17

When the deduction is checked, it can be seen that six of the eight subgoals can be derived. At this moment goal 1 cannot be derived, because the protocol is asymmetric. The value $\alpha^{N_B}$ is sent only once, and then also in plain. On our meta-level we know that $\alpha^{N_B}$ can be sent in plain without difficulties. There is, however, another problem in the protocol which is not shown in the analysis: who is the real sender? It is not certain that the messages from A and B really come from A and B. In the next chapter an adapted version will be analysed.
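The derivation above can be mechanised. The following Python is an added example, not part of the original document: it encodes the chapter 4 rules (sees-introduction, public-key once-said introduction, freshness promotion, nonce verification, jurisdiction, decomposition and the simplified k-introduction) as a fixpoint computation over belief facts, runs them over the chapter 5 messages and assumptions, and reproduces the outcome of the table: B reaches goal 2, while A's goal 1 and subgoal 3 are not derivable because $\alpha^{N_B}$ arrives in plain. The term encoding (`bel`, `sees`, `exp`, `dh`, ...) and the function names are my own; the two parenthesised "implicit" steps (lines 10 and 25) are deliberately left out, and the second-order goals 3 and 4 are not modelled.

```python
# Added example (not from the original document): a small fixpoint engine for the
# BAN rules of chapter 4, run over the chapter 5 variant of Station-to-Station.
# Term encoding and names are my own, not BAN's or the document's notation:
#   ('bel', P, X)  P believes X     ('sees', P, X)  P sees X
#   ('said', P, X) P once said X    ('ctrl', P, X)  P has jurisdiction over X
#   ('fresh', X)   #(X)             ('pk', K, P)    K is P's public key
#   ('sig', X, K)  {X}_{K^-1}       ('exp', N)      alpha^N mod rho
#   ('cat', X, Y)  (X, Y)           ('dh', NA, NB)  the session key (alpha^NA)^NB
PRINCIPALS = ('A', 'B')
NONCE = {'A': 'N_A', 'B': 'N_B'}          # each party's random exponent
K = ('dh', 'N_A', 'N_B')                  # the session key k

def subterms(t, acc=None):
    """All subterms of a term, the term itself included."""
    acc = set() if acc is None else acc
    acc.add(t)
    if isinstance(t, tuple):
        for part in t[1:]:
            subterms(part, acc)
    return acc

def step(facts):
    """One round of applying the chapter 4 rules; returns facts not yet known."""
    new = set()
    universe = subterms(K)                 # terms freshness may be promoted to
    for f in facts:
        universe |= subterms(f)
    bel = {(f[1], f[2]) for f in facts if f[0] == 'bel'}
    sees = {(f[1], f[2]) for f in facts if f[0] == 'sees'}
    for P, X in sees:
        if not isinstance(X, tuple):
            continue
        if X[0] == 'cat':                  # (,)-elimination for sees
            new.update({('sees', P, X[1]), ('sees', P, X[2])})
        if X[0] == 'sig':                  # public-key once-said intro and usage
            for Q in PRINCIPALS:
                if (P, ('pk', X[2], Q)) in bel:
                    new.add(('bel', P, ('said', Q, X[1])))
                    new.add(('sees', P, X[1]))
    for P, X in bel:
        if not isinstance(X, tuple):
            continue
        if X[0] in ('bel', 'said') and isinstance(X[2], tuple) and X[2][0] == 'cat':
            new.update({('bel', P, (X[0], X[1], X[2][1])),   # decomposition
                        ('bel', P, (X[0], X[1], X[2][2]))})
        if X[0] == 'said' and (P, ('fresh', X[2])) in bel:   # nonce verification
            new.add(('bel', P, ('bel', X[1], X[2])))
        if X[0] == 'bel' and (P, ('ctrl', X[1], X[2])) in bel:   # jurisdiction
            new.add(('bel', P, X[2]))
        if X[0] == 'fresh':                # #-promotion, incl. alpha^X and the key
            for T in universe:
                if (isinstance(T, tuple) and T[0] in ('cat', 'exp', 'dh')
                        and T != X[1] and X[1] in subterms(T)):
                    new.add(('bel', P, ('fresh', T)))
            if X[1] == K:                  # k-introduction: fresh k, and the partner
                for Q in PRINCIPALS:       # is believed to believe its own ingredient
                    if Q != P and (P, ('bel', Q, ('exp', NONCE[Q]))) in bel:
                        new.add(('bel', P, ('key', P, Q, K)))
    return new - facts

def analyse(assumptions, messages):
    """Apply sees-introduction for every message, then close under the rules."""
    facts = set(assumptions)
    for _sender, receiver, body in messages:
        facts.add(('sees', receiver, body))
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new

# Chapter 5 protocol in the encoding above (constructed from the document's messages).
MESSAGES = [
    ('A', 'B', 'A'),
    ('B', 'A', ('exp', 'N_B')),
    ('A', 'B', ('cat', ('exp', 'N_A'),
                ('sig', ('cat', ('exp', 'N_A'), ('exp', 'N_B')), 'K_A'))),
    ('B', 'A', ('sig', ('exp', 'N_A'), 'K_B')),
]
ASSUMPTIONS = {
    ('bel', 'A', ('pk', 'K_A', 'A')), ('bel', 'A', ('pk', 'K_B', 'B')),
    ('bel', 'B', ('pk', 'K_A', 'A')), ('bel', 'B', ('pk', 'K_B', 'B')),
    ('bel', 'B', ('ctrl', 'A', ('exp', 'N_A'))),
    ('bel', 'A', ('ctrl', 'B', ('exp', 'N_B'))),
    ('bel', 'A', ('fresh', 'N_A')),        # random introduction (lines 8 and 11)
    ('bel', 'B', ('fresh', 'N_B')),
}

def run_chapter5():
    return analyse(ASSUMPTIONS, MESSAGES)

def believes_key(facts, P, Q):
    """Goal 'P believes k is a good key between P and Q'."""
    return ('bel', P, ('key', P, Q, K)) in facts

if __name__ == '__main__':
    facts = run_chapter5()
    for P, Q in (('B', 'A'), ('A', 'B')):
        print(P, 'believes the session key:', believes_key(facts, P, Q))
    print('A believes alpha^N_B (subgoal 3):', ('bel', 'A', ('exp', 'N_B')) in facts)
```

Swapping message 2 for a signed one, as chapter 6 suggests, can be tried by editing `MESSAGES`; the engine then derives the missing belief for A.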

Chapter 6 Adapted version

In the previous chapter it has become clear that because of omissions the protocol may become flawed. The development of beliefs in the analysis stops, and with it the analysis. In this chapter an adapted version of the Station-to-Station protocol is analysed. In messages three and four certificates are used, and these certificates are explicitly bound to the sender and to this run of the protocol by the use of the parameters $\alpha^{N_A}$ and $\alpha^{N_B}$. The chapter first describes the adapted protocol, after which the goals are given and the assumptions analysed. The chapter ends with the analysis of the protocol.

6.1 Description of the protocol

The Station-to-Station protocol [MvOV97, p. 532] is a variation on the Diffie-Hellman protocol for key exchange. The adapted version is as follows. Let $\rho$ be a prime, $\alpha$ a generator of $Z_\rho$, the tuple $(\rho, \alpha)$ publicly known, Cert(A) the certificate for station A, and $Sig_A(X)$ the signature of station A on message X. The protocol runs as:

1. A sends A to B (as an invitation for key exchange).
2. B chooses a random y, calculates $Y = \alpha^y \bmod \rho$, sends Y.
3. A chooses a random x, calculates $X = \alpha^x \bmod \rho$ and $S_A = Sig_A(Cert(A), X, Y)$, sends Cert(A), X, $S_A$.
4. B calculates $S_B = Sig_B(Cert(B), Y)$, sends Cert(B), Y, $S_B$.

A calculates $k = Y^x \bmod \rho$; B calculates $k = X^y \bmod \rho$. It holds that $k = X^y = (\alpha^x)^y \bmod \rho = (\alpha^y)^x \bmod \rho = Y^x = k$.

In the standard notation the protocol is denoted as:

Message 1: $A \rightarrow B$: A
Message 2: $B \rightarrow A$: Y
Message 3: $A \rightarrow B$: Cert(A), X, $Sig_A(Cert(A), X, Y)$
Message 4: $B \rightarrow A$: Cert(B), Y, $Sig_B(Cert(B), Y)$

6.2 Goals

It is the goal of the Station-to-Station protocol to come to the exchange of a shared secret key between two parties with mutual explicit authentication. In short this means that a key k is agreed upon in which both entities A and B believe. The goals are:

1. $A |\equiv A \stackrel{k}{\leftrightarrow} B$
2. $B |\equiv A \stackrel{k}{\leftrightarrow} B$
3. $B |\equiv A |\equiv A \stackrel{k}{\leftrightarrow} B$
4. $A |\equiv B |\equiv A \stackrel{k}{\leftrightarrow} B$

The goals are the same as in the previous chapter. The subgoals which we want to derive are the same as well. See the overview of subgoals in section 5.2.

6.3 Assumptions

In the protocol a certificate is sent a number of times. In order to verify these certificates of A and B, the other entity needs to have the public key. Next to this, the messages enciphered with the private key must also be deciphered. In a practical situation these assumptions are reasonable. If one of the parties does not possess the certificates, then a mechanism should be available for retrieval of the certificate.

1. $A |\equiv \stackrel{K_A}{\mapsto} A$
2. $A |\equiv \stackrel{K_B}{\mapsto} B$
3. $B |\equiv \stackrel{K_A}{\mapsto} A$
4. $B |\equiv \stackrel{K_B}{\mapsto} B$
5. $B |\equiv A |\Rightarrow \alpha^{N_A}$
6. $A |\equiv B |\Rightarrow \alpha^{N_B}$

6.4 Verification

The key K is the key of the Certification Authority, which in this analysis (implicitly) guarantees the correctness of the certificates.

1. $A |\equiv \stackrel{K_A}{\mapsto} A$
2. $B |\equiv \stackrel{K_B}{\mapsto} B$
3. $A |\equiv \stackrel{K_B}{\mapsto} B$
4. $B |\equiv \stackrel{K_A}{\mapsto} A$
5. $B |\equiv A |\Rightarrow \alpha^{N_A}$
6. $A |\equiv B |\Rightarrow \alpha^{N_B}$

Message 1: $A \rightarrow B$: A
B chooses random $N_B$
(7. $B |\equiv N_B$ -- subgoal 5, implicit)

8. $B |\equiv \sharp(N_B)$ -- random introduction

Message 2: $B \rightarrow A$: $\alpha^{N_B}$
9. $A \triangleleft \alpha^{N_B}$ -- $\triangleleft$-intro
A chooses random $N_A$
(10. $A |\equiv N_A$ -- subgoal 1, implicit)
11. $A |\equiv \sharp(N_A)$ -- random introduction

Message 3: $A \rightarrow B$: $\{\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$
12. $B \triangleleft \{\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$ -- $\triangleleft$-intro
13. $B |\equiv A |\sim (\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B})$ -- 12, 4, $|\sim$-intro
14. $B |\equiv \sharp((\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}))$ -- 8, $\sharp$-promotion
15. $B |\equiv A |\equiv (\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B})$ -- 14, 13, $|\sim$-elimination
16. $B |\equiv A |\equiv \alpha^{N_A}$ -- 15, decomposition
17. $B |\equiv A |\equiv N_A$ -- 16 (see remark in section 5.4; subgoal 8)
18. $B |\equiv \alpha^{N_A}$ -- 5, 16, jurisdiction (subgoal 7)
19. $B |\equiv A |\equiv \alpha^{N_B}$ -- 15, decomposition (subgoal 6)

Message 4: $B \rightarrow A$: $\{\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$
20. $A \triangleleft \{\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$ -- $\triangleleft$-intro
21. $A |\equiv B |\sim (\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A})$ -- 20, 3, $|\sim$-intro
22. $A |\equiv \sharp((\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}))$ -- 11, $\sharp$-promotion
23. $A |\equiv B |\equiv (\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A})$ -- 22, 21, $|\sim$-elimination
24. $A |\equiv B |\equiv \alpha^{N_A}$ -- 23, (,)-usage (subgoal 2)

A calculates session key $k = (\alpha^{N_B})^{N_A}$
25. $A |\equiv \sharp(k)$ -- 9, 11, $\sharp$-promotion
(26. $A |\equiv B |\equiv N_B$ -- 9 (subgoal 4))
27. $A |\equiv A \stackrel{k}{\leftrightarrow} B$ -- 25, 26, k-intro
28. $A |\equiv B |\equiv A \stackrel{k}{\leftrightarrow} B$ -- subgoals 2 and 4

B calculates session key $k = (\alpha^{N_A})^{N_B}$
29. $B |\equiv \sharp(k)$ -- 12, 8, $\sharp$-promotion
30. $B |\equiv A \stackrel{k}{\leftrightarrow} B$ -- 29, 15, k-intro (subgoals 5 and 7)
31. $B |\equiv A |\equiv A \stackrel{k}{\leftrightarrow} B$ -- subgoals 6 and 8

Just as in the previous analysis, the subgoals are presented here:

1. $A |\equiv N_A$ -- line 10
2. $A |\equiv B |\equiv \alpha^{N_A}$ -- line 24
3. $A |\equiv \alpha^{N_B}$ -- (not derived)
4. $A |\equiv B |\equiv N_B$ -- (line 26)
5. $B |\equiv N_B$ -- line 7
6. $B |\equiv A |\equiv \alpha^{N_B}$ -- line 19
7. $B |\equiv \alpha^{N_A}$ -- line 18
8. $B |\equiv A |\equiv N_A$ -- line 17

The broad outline of the analysis is the same as in section 5.4. Again, subgoal 3 could not be proved. Goals 2, 3 and 4 can be proved, but for goal 1 the difficulties remain. For the BAN analysis the protocol could be repaired in the second message by sending $\{\{(B, K_B)\}_{K^{-1}}, \alpha^{N_B}\}_{K_B^{-1}}$ instead of $\alpha^{N_B}$. This results in an unnecessary addition to the protocol.

Another problem appears as well: we have added certificates and the use of certificates to the messages, but this has no real effect on the analysis. Outside the analysis, on the meta-level, we know that this works. In order to use certificates in the BAN logic, the logic has to be extended.

Chapter 7 Extension of the BAN logic

In chapter 6 the Station-to-Station protocol is repaired by the use of certificates. Alas, this is not shown by the analysis. In its standard form, the BAN logic is not able to handle certificates. However, the logic can be extended. This is done in this chapter, based on the article of Gaarder and Snekkenes [GS91]. They have analysed the X.509 standard with these extensions. The structure of this chapter is somewhat different from the previous two. The protocol is not shown here, nor are the goals. The chapter starts with the extensions of the logic, after which the assumptions are given. The chapter ends (again) with the analysis.

7.1 Extension of the BAN logic

Gaarder and Snekkenes define in their article [GS91] two extensions. Firstly, the BAN logic is extended with axioms and rules for Public Key Cryptographic Systems (PKCS). With these extensions, derivations can be made directly. Secondly, the notion of time is extended in the logic. Certificates only have a limited life span, which has to be expressed in the analysis. In the current analysis only the extensions for Public Key Crypto Systems are used, so only these extensions are given here.

- PK(K, U): the entity U has the good key K associated with it. A unique (private) key exists which corresponds with K.
- $\Pi(U)$: the entity U has a good private key. The value of this key is only known to U.
- $\sigma(X, U)$: the formula X is signed with the private key that belongs to U.

Two extra inference rules are defined:

once-said for PKCS: $\frac{U_i |\equiv PK(p_j, U_j),\quad U_i |\equiv \Pi(U_j),\quad U_i \triangleleft \sigma(X, U_j)}{U_i |\equiv U_j |\sim X}$

reading of signed messages: $\frac{U_i \triangleleft \sigma(X, U_j)}{U_i \triangleleft X}$

7.2 Assumptions

In the protocol a certificate is sent a number of times. In order to verify these certificates of A and B, the other entity needs to have the public key. Next to this,

the messages enciphered with the private key must also be deciphered. In a practical situation these assumptions are reasonable. If one of the parties does not possess the certificates, then a mechanism should be available for retrieval of the certificate.

1. $A |\equiv PK(K_B, B)$
2. $B |\equiv PK(K_A, A)$
3. $B |\equiv \Pi(A)$
4. $A |\equiv \Pi(B)$
5. $B |\equiv A |\Rightarrow \alpha^{N_A}$
6. $A |\equiv B |\Rightarrow \alpha^{N_B}$

7.3 Verification

1. $B |\equiv PK(K_B, B)$
2. $A |\equiv PK(K_B, B)$
3. $B |\equiv \Pi(A)$
4. $B |\equiv \Pi(B)$
5. $B |\equiv A |\Rightarrow \alpha^{N_A}$
6. $A |\equiv B |\Rightarrow \alpha^{N_B}$

Message 1: $A \rightarrow B$: A
B chooses random $N_B$
(7. $B |\equiv N_B$ -- subgoal 5, implicit)
8. $B |\equiv \sharp(N_B)$ -- random introduction

Message 2: $B \rightarrow A$: $\{\{(B, K_B)\}_{K^{-1}}, \alpha^{N_B}\}_{K_B^{-1}}$
9. $A \triangleleft \sigma((\{(B, K_B)\}_{K^{-1}}, \alpha^{N_B}), B)$ -- $\triangleleft$-intro
10. $A |\equiv B |\sim \alpha^{N_B}$ -- 9, 2, $|\sim$-intro for PKCS
A chooses random $N_A$
(11. $A |\equiv N_A$ -- subgoal 1, implicit)
12. $A |\equiv \sharp(N_A)$ -- random introduction

Message 3: $A \rightarrow B$: $\{\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$
13. $B \triangleleft \sigma((\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}), A)$ -- $\triangleleft$-intro
14. $B |\equiv A |\sim (\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B})$ -- 13, 3, $|\sim$-intro (PKCS)
15. $B |\equiv \sharp((\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}))$ -- 8, $\sharp$-promotion
16. $B |\equiv A |\equiv (\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B})$ -- 15, 14, $|\sim$-elimination
17. $B |\equiv A |\equiv \alpha^{N_A}$ -- 16, decomposition
18. $B |\equiv A |\equiv N_A$ -- 17 (see remark in section 5.4; subgoal 8)
19. $B |\equiv \alpha^{N_A}$ -- 5, 17, jurisdiction (subgoal 7)
20. $B |\equiv A |\equiv \alpha^{N_B}$ -- 16, decomposition (subgoal 6)

Message 4: $B \rightarrow A$: $\{\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$
21. $A \triangleleft \sigma((\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}), B)$ -- $\triangleleft$-intro
22. $A |\equiv B |\sim (\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A})$ -- 21, 2, 3, $|\sim$-intro
23. $A |\equiv \sharp((\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}))$ -- 12, $\sharp$-promotion
24. $A |\equiv B |\equiv (\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A})$ -- 23, 22, $|\sim$-elimination
25. $A |\equiv B |\equiv \alpha^{N_A}$ -- 24, (,)-usage (subgoal 2)

A calculates session key $k = (\alpha^{N_B})^{N_A}$
26. $A |\equiv \sharp(k)$ -- 9, 12, $\sharp$-promotion
27. $A |\equiv B |\equiv N_B$ -- 9 (subgoal 4)
28. $A |\equiv A \stackrel{k}{\leftrightarrow} B$ -- 26, 27, k-intro
29. $A |\equiv B |\equiv A \stackrel{k}{\leftrightarrow} B$ -- subgoals 2 and 4

B calculates session key $k = (\alpha^{N_A})^{N_B}$
30. $B |\equiv \sharp(k)$ -- 13, 8, $\sharp$-promotion
31. $B |\equiv A |\equiv N_A$ -- 14 (subgoal 8)
32. $B |\equiv A \stackrel{k}{\leftrightarrow} B$ -- 30, 17, k-intro (subgoals 5 and 7)
33. $B |\equiv A |\equiv A \stackrel{k}{\leftrightarrow} B$ -- subgoals 6 and 8

First we show the subgoals and the results of the analysis for these subgoals:

1. $A |\equiv N_A$ -- line 11
2. $A |\equiv B |\equiv \alpha^{N_A}$ -- line 25
3. $A |\equiv \alpha^{N_B}$ -- (not derived)
4. $A |\equiv B |\equiv N_B$ -- line 27
5. $B |\equiv N_B$ -- line 7
6. $B |\equiv A |\equiv \alpha^{N_B}$ -- line 20
7. $B |\equiv \alpha^{N_A}$ -- line 19
8. $B |\equiv A |\equiv N_A$ -- line 18

The analysis has more results than in sections 5.4 and 6.4, but it is still impossible to derive the proof of all goals. Again subgoal 3 cannot be proved, this time because the freshness of $\alpha^{N_B}$ is not certain. This also shows in the assumptions: not all assumptions are used in the analysis. The analysis could be completed by sending $\alpha^{N_B}$ again in message 4. With the freshness of $\alpha^{N_A}$, the freshness of $\alpha^{N_B}$ could then be derived (analogous to the analysis of message 3). This analysis is not meant to arrive at a complete proof of the Station-to-Station protocol, but to show what is and what is not possible with the BAN logic. Next to the analysis of the beliefs of the participants of the protocol, it can be abused for the analysis of the outsiders of the protocol. This is shown in the next chapter.

Chapter 8 Analysis by Outsiders

In the other chapters the knowledge and beliefs of the participants of the protocol are analysed. Next to the participants, it can be very interesting what outsiders are able to learn from a run of the protocol. The BAN-logic will be used for this, although the BAN-logic was not meant for this.

8.1 Assumptions

For the analysis we do not start with goals; we only want to see what can be learned from the analysis. The following assumptions are used (with I standing for intruder):

1. $I |\equiv PK(K_A, A)$
2. $I |\equiv PK(K_B, B)$
3. $I |\equiv \Pi(A)$
4. $I |\equiv \Pi(B)$
5. $B |\equiv A |\Rightarrow \alpha^{N_A}$
6. $A |\equiv B |\Rightarrow \alpha^{N_B}$

These are the same assumptions as in the previous chapters. It may be assumed that the entity I has access to the certificates of A and B.

8.2 Analysis

1. $I |\equiv PK(K_A, A)$
2. $I |\equiv PK(K_B, B)$
3. $I |\equiv \Pi(A)$
4. $I |\equiv \Pi(B)$
5. $I |\equiv A |\Rightarrow \alpha^{N_A}$
6. $I |\equiv B |\Rightarrow \alpha^{N_B}$

Message 1: $A \rightarrow B$: A
B chooses random $N_B$
(7. $B |\equiv N_B$ -- subgoal 5, implicit)
8. $B |\equiv \sharp(N_B)$ -- random introduction

Message 2: $B \rightarrow A$: $\{\{(B, K_B)\}_{K^{-1}}, \alpha^{N_B}\}_{K_B^{-1}}$
9. $I \triangleleft \sigma((\{(B, K_B)\}_{K^{-1}}, \alpha^{N_B}), B)$ -- $\triangleleft$-intro
10. $I |\equiv B |\sim \alpha^{N_B}$ -- 9, 2, $|\sim$-intro for PKCS
A chooses random $N_A$
(11. $A |\equiv N_A$ -- subgoal 1, implicit)
12. $A |\equiv \sharp(N_A)$ -- random introduction

Message 3: $A \rightarrow B$: $\{\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$
13. $I \triangleleft \sigma((\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}), A)$ -- $\triangleleft$-intro
14. $I |\equiv A |\sim (\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B})$ -- 13, 3, $|\sim$-intro (PKCS)
15. $I |\equiv \sharp((\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B}))$ -- 8, $\sharp$-promotion
16. $I |\equiv A |\equiv (\{(A, K_A)\}_{K^{-1}}, \alpha^{N_A}, \alpha^{N_B})$ -- 15, 14, $|\sim$-elimination
17. $I |\equiv A |\equiv \alpha^{N_A}$ -- 16, decomposition
18. $I |\equiv A |\equiv N_A$ -- 17 (see remark in section 5.4; subgoal 8)
19. $I |\equiv \alpha^{N_A}$ -- 5, 17, jurisdiction (subgoal 7)
20. $I |\equiv A |\equiv \alpha^{N_B}$ -- 16, decomposition (subgoal 6)

Message 4: $B \rightarrow A$: $\{\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$
21. $I \triangleleft \sigma((\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}), B)$ -- $\triangleleft$-intro
22. $I |\equiv B |\sim (\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A})$ -- 21, 2, 3, $|\sim$-intro
23. $I |\equiv \sharp((\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A}))$ -- 12, $\sharp$-promotion
24. $I |\equiv B |\equiv (\{(B, K_B)\}_{K^{-1}}, \alpha^{N_A})$ -- 23, 22, $|\sim$-elimination
25. $I |\equiv B |\equiv \alpha^{N_A}$ -- 24, (,)-usage (subgoal 2)

Conclusion: I only has knowledge of $\alpha^{N_A}$ and $\alpha^{N_B}$. With this, it should be impossible for I to calculate $N_A$ and $N_B$.

Chapter 9 Method

This chapter briefly describes, in my opinion, how the BAN logic is applied best. The method is a natural one, but it has to be applied with discipline. The method is:

1. Determine the goals of the protocol: what the different parties want to achieve with the protocol. In general this could be something like (without explicit key confirmation): $A |\equiv A \stackrel{k}{\leftrightarrow} B$ and $B |\equiv A \stackrel{k}{\leftrightarrow} B$. However, it could be that the goals reach further (with explicit key confirmation): $A |\equiv A \stackrel{k}{\leftrightarrow} B$, $B |\equiv A \stackrel{k}{\leftrightarrow} B$, $A |\equiv B |\equiv A \stackrel{k}{\leftrightarrow} B$ and $B |\equiv A |\equiv A \stackrel{k}{\leftrightarrow} B$.
2. Determine the assumptions, as far as these can be distilled from the description. Mostly the assumptions deal with the necessary beliefs in the keys of the communicating parties in order to communicate with each other.
3. Start the analysis with the assumptions and see how the beliefs develop on the basis of the exchange of the messages. This should be done in a bookkeeping way, in which for every step it is written down which beliefs and rules are used. This should be done until the analysis stops or until the goals are reached. When the analysis stops, it should be examined at what message the analysis stops. Also, it should be examined what possibilities this gives for an attack on the protocol.
4. In a second analysis round the analysis can be reversed: we start at the end and then try to work back to the start. This round is used for verifying that the steps taken are correct; it should be avoided that quantum leaps are made.
5. Write down explicitly what rules are applied.
6. Verify the validity of the assumptions. It could be possible that during the analysis extra assumptions are necessary. Extra assumptions as such are no problem, but they undermine the strength of the protocol.

Chapter 10 Conclusions

In this document the Station-to-Station protocol is analysed four times. It shows what can be done with the BAN logic, but it also shows the imperfections of the BAN logic:

- The BAN logic cannot handle multi-role attacks.
- The BAN logic cannot handle explicit arithmetic in protocols. It has been shown to be virtually impossible to derive anything from message 2, in which $\alpha^{N_B}$ is sent. On a meta level it can be seen that this can be done without harm. This is not a specific problem of the BAN logic, but a more general problem.
- A third problem is the concept of identity: extensions are necessary for dealing with identity (see chapter 7). This is not always useful and it disturbs the simplicity of the BAN logic.
- A last point is the deceitful simplicity of BAN. This is not so much an imperfection, but more something which should be kept in mind.

The different analyses also show another danger: in order to prove the protocol, it might be very tempting to repair the protocol. In this case, this is message 2. However, this is not necessary. It shows the limitations (and dangers) of the application of formal methods.

Bibliography

[BAN89] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Operating Systems Review, 23(5):1-13, December 1989. A fuller version was published as DEC System Research Center Report number 39, Palo Alto, California, February 1989.

[GS91] Klaus Gaarder and Einar Snekkenes. Applying a formal analysis technique to the CCITT X.509 strong two-way authentication protocol. Journal of Cryptology, 3(2):81-98, 1991.

[MvOV97] A.J. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, Florida, 1997.


More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

New Variant of ElGamal Signature Scheme

New Variant of ElGamal Signature Scheme Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18

More information

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice

More information

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.

More information

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''

More information

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Elliptic Curves. Giulia Mauri. Politecnico di Milano   website: Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic

More information

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001 Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

Theory of Computation Chapter 12: Cryptography

Theory of Computation Chapter 12: Cryptography Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

Week 7 An Application to Cryptography

Week 7 An Application to Cryptography SECTION 9. EULER S GENERALIZATION OF FERMAT S THEOREM 55 Week 7 An Application to Cryptography Cryptography the study of the design and analysis of mathematical techniques that ensure secure communications

More information

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online Anthony Várilly-Alvarado Rice University Mathematics Leadership Institute, June 2010 Our Goal Today I will

More information

Quantum Wireless Sensor Networks

Quantum Wireless Sensor Networks Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.

More information

Fundamentals of Modern Cryptography

Fundamentals of Modern Cryptography Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational

More information

Practice Assignment 2 Discussion 24/02/ /02/2018

Practice Assignment 2 Discussion 24/02/ /02/2018 German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption

More information

Discrete Logarithm Problem

Discrete Logarithm Problem Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:

More information

CRYPTOGRAPHY AND NUMBER THEORY

CRYPTOGRAPHY AND NUMBER THEORY CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We

More information

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

All-Or-Nothing Transforms Using Quasigroups

All-Or-Nothing Transforms Using Quasigroups All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr

More information

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1 Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

My brief introduction to cryptography

My brief introduction to cryptography My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

Cryptanalysis of Threshold-Multisignature Schemes

Cryptanalysis of Threshold-Multisignature Schemes Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:

More information

Breaking Plain ElGamal and Plain RSA Encryption

Breaking Plain ElGamal and Plain RSA Encryption Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain

More information

Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt

Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt TOM COFFEY, PUNEET SAIDHA, PETER URROWS Data Communication Security Laboratory University of Limerick

More information

KEY DISTRIBUTION 1 /74

KEY DISTRIBUTION 1 /74 KEY DISTRIBUTION 1 /74 The public key setting Alice M D sk[a] (C) C Bob pk[a] C $ E pk[a] (M) σ $ S sk[a] (M) M,σ Vpk[A] (M,σ) Bob can: send encrypted data to Alice verify her signatures as long as he

More information

Notes on Zero Knowledge

Notes on Zero Knowledge U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based

More information

A Comparative Study of RSA Based Digital Signature Algorithms

A Comparative Study of RSA Based Digital Signature Algorithms Journal of Mathematics and Statistics 2 (1): 354-359, 2006 ISSN 1549-3644 2006 Science Publications A Comparative Study of RSA Based Digital Signature Algorithms 1 Ramzi A. Haraty, 2 A. N. El-Kassar and

More information

On the Big Gap Between p and q in DSA

On the Big Gap Between p and q in DSA On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that

More information

Group Diffie Hellman Protocols and ProVerif

Group Diffie Hellman Protocols and ProVerif Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.

More information

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood

More information

19. Coding for Secrecy

19. Coding for Secrecy 19. Coding for Secrecy 19.1 Introduction Protecting sensitive information from the prying eyes and ears of others is an important issue today as much as it has been for thousands of years. Government secrets,

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

A Piggybank Protocol for Quantum Cryptography

A Piggybank Protocol for Quantum Cryptography Piggybank Protocol for Quantum Cryptography Navya Chodisetti bstract This paper presents a quantum mechanical version of the piggy-bank cryptography protocol. The basic piggybank cryptography idea is to

More information

Lecture V : Public Key Cryptography

Lecture V : Public Key Cryptography Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional

More information

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

Other Public-Key Cryptosystems

Other Public-Key Cryptosystems Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

An Introduction to Pairings in Cryptography

An Introduction to Pairings in Cryptography An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

NSL Verification and Attacks Agents Playing Both Roles

NSL Verification and Attacks Agents Playing Both Roles NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality

More information

CS 395T. Probabilistic Polynomial-Time Calculus

CS 395T. Probabilistic Polynomial-Time Calculus CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is

More information

Extending Dolev-Yao with Assertions

Extending Dolev-Yao with Assertions Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions

More information

MATH 158 FINAL EXAM 20 DECEMBER 2016

MATH 158 FINAL EXAM 20 DECEMBER 2016 MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:

More information

Public key exchange using semidirect product of (semi)groups

Public key exchange using semidirect product of (semi)groups Public key exchange using semidirect product of (semi)groups Maggie Habeeb 1, Delaram Kahrobaei 2, Charalambos Koupparis 3, and Vladimir Shpilrain 4 1 California University of Pennsylvania habeeb@calu.edu

More information

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,

More information

Lecture 11: Key Agreement

Lecture 11: Key Agreement Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we

More information

One-round and authenticated three-party multiple key exchange. protocol from parings *

One-round and authenticated three-party multiple key exchange. protocol from parings * One-round and authenticated three-party multiple key exchange protocol from parings Feng LIU School of Mathematics & Information, Ludong University, Yantai 264025, China E-mail: liufeng23490@126.com (2010-05

More information

A probabilistic quantum key transfer protocol

A probabilistic quantum key transfer protocol SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 013; 6:1389 1395 Published online 13 March 013 in Wiley Online Library (wileyonlinelibrary.com)..736 RESEARCH ARTICLE Abhishek Parakh* Nebraska

More information

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Time-Bounding Needham-Schroeder Public Key Exchange Protocol Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek

More information

Introduction to Modern Cryptography Lecture 11

Introduction to Modern Cryptography Lecture 11 Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00

More information

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018 Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval

More information

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es

More information

A derivation system and compositional logic for security protocols

A derivation system and compositional logic for security protocols Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer

More information

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC.  MSR 3.0: MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano

More information

Model Checking Security Protocols Using a Logic of Belief

Model Checking Security Protocols Using a Logic of Belief Model Checking Security Protocols Using a Logic of Belief Massimo Benerecetti 1 and Fausto Giunchiglia 1,2 1 DISA - University of Trento, Via Inama 5, 38050 Trento, Italy 2 IRST - Istituto Trentino di

More information

ElGamal type signature schemes for n-dimensional vector spaces

ElGamal type signature schemes for n-dimensional vector spaces ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional

More information

Secret sharing schemes

Secret sharing schemes Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret

More information

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices Global Journal of Computer Science and Technology Volume 11 Issue 12 Version 1.0 July Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN:

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Analysis - Post-Quantum Security of Fiat-Shamir by Dominic Unruh Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis

More information

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols

More information