A Logic of Authentication

Similar documents
A Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989

BAN Logic A Logic of Authentication

Notes on BAN Logic CSG 399. March 7, 2006

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

A Semantics for a Logic of Authentication. Cambridge, MA : A; B

Proving Properties of Security Protocols by Induction

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Verification of Security Protocols in presence of Equational Theories with Homomorphism

On the Verification of Cryptographic Protocols

Control Flow Analysis of Security Protocols (I)

Introduction to Cryptography. Lecture 8

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Verification of the TLS Handshake protocol

Lecture Notes, Week 10

ASYMMETRIC ENCRYPTION

Typed MSR: Syntax and Examples

Models for an Adversary-Centric Protocol Logic

CPSA and Formal Security Goals

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Exam Security January 19, :30 11:30

Model Checking Security Protocols Using a Logic of Belief

CPSC 467b: Cryptography and Computer Security

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

KEY DISTRIBUTION 1 /74

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

Practice Assignment 2 Discussion 24/02/ /02/2018

Lecture 28: Public-key Cryptography. Public-key Cryptography

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

CS 395T. Probabilistic Polynomial-Time Calculus

Notes for Lecture 17

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Lecture 7: Specification Languages

CPSC 467: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

A Calculus for Control Flow Analysis of Security Protocols

NSL Verification and Attacks Agents Playing Both Roles

Lecture 38: Secure Multi-party Computation MPC

A derivation system and compositional logic for security protocols

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lecture 11: Key Agreement

The Sizes of Skeletons: Security Goals are Decidable

Winter 2011 Josh Benaloh Brian LaMacchia

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

CPSC 467b: Cryptography and Computer Security

Universal Blind Quantum Computing

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Cryptography and Security Final Exam

Chapter 2. A Look Back. 2.1 Substitution ciphers

Encryption: The RSA Public Key Cipher

Introduction. What is RSA. A Guide To RSA by Robert Yates. Topics

2 Message authentication codes (MACs)

Quantum Entanglement and Cryptography. Deepthi Gopal, Caltech

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Introduction to Modern Cryptography Lecture 11

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

10. Physics from Quantum Information. I. The Clifton-Bub-Halvorson (CBH) Theorem.

A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures

Quantum Wireless Sensor Networks

Is It As Easy To Discover As To Verify?

Question: Total Points: Score:

Computing on Encrypted Data

CPSC 467b: Cryptography and Computer Security

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Lecture Notes, Week 6

Simple Math: Cryptography

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

A decidable subclass of unbounded security protocols

Carmen s Core Concepts (Math 135)

CPSC 467: Cryptography and Computer Security

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

CPSC 467b: Cryptography and Computer Security

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Foundations of Network and Computer Security

From NewHope to Kyber. Peter Schwabe April 7, 2017

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Probabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption

A compositional logic for proving security properties of protocols

Cryptography IV: Asymmetric Ciphers

Extending Dolev-Yao with Assertions

A FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS)

Transcription:

A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication, formalized The Needham-Schroeder Protocol with shared keys with asymmetric keys

Introduction Hi, I am Adam Hi, I am Dr. Masson Let s speak privately, use key K { Whud up f00?} K Pairs of principals seek mutual authentication Pairs of principals want to share a secret Specifically, principals want assurance of their beliefs A variety of authentication protocols have been proposed

How can we be sure these protocols are secure? The Plan We will define a logic of authentication in order to explain protocols step-by-step Initial assumptions will be made explicit The protocol goal will be clearly defined

In their own words... Our goal is not to provide a logic that would explain every authentication method, but rather a logic that would explain most of the central concepts of authentication. BAN Logic Attempts to validate solutions under the following framework using formal logic: There exists a goal (e.g. authentication) that we want to achieve by using a certain message protocol We are aware of the properties we want and need our protocol to exhibit

We want to be satisfied that our protocol meets our goals We do not want to depend on trial by fire for this satisfaction The BAN logic uses formal methods to answer the following: What does our protocol really achieve? What assumptions does our protocol make? Does the protocol use any redundant or unnecessary information? Does our protocol needlessly encrypt information?

The BAN logic does not attempt to answer: Are our assumptions reasonable? Do problems exist in particular implementations of the protocol? Do we use an inappropriate crypto-system? BAN Logic Formalism Typically, we present protocols by symbolically denoting which principal sends what to whom E.g., A B : (msg) KAB { you got served } K

This style is inconvenient for manipulation in logic We must transform our traditional protocol syntax into a logic syntax The transformations are will not be perfect, they produce messages of an idealized form This is OK if we annotate these new messages with assertions The Heist

K

{X} K K F X

G X (X) Avi Avi Jr. Adam #1?

OK, enough handholding Basic Notation A, B, and S denote specific principals (think, Alice, Bob, Server) K AB, K AS, K BS denote specific shared keys K A, K B, K S denote specific public keys K A -1, KB -1, KS -1 denote specific private keys

More Basic Notation N A, N B, N C denote specific statements P, Q, R refer to a generic instance of a principal X, Y refer to a generic instance of a statement K is generic and ranges over encryption keys Constructs P X principal P believes statement X P X principal P sees statement X P X principal P said statement X P X principal P controls statement X (X) fresh( statement X )

More Constructs P K Q K P {X} K P and Q use the shared key K to communicate P has K as a public key Statement X encrypted under key K If two separate encrypted sections are included in one message, treat them as if they arrived in separate messages A message cannot be understood by a principal who does not know the key The key cannot be deduced from an encrypted message Principals can tell whether or not they have used the correct key after decryption Principals can detect (and ignore) their own messages

Rules of Inference Message meaning rules concern the interpretation of messages When using shared keys, we assert: P believes Q K P, P sees {X} K P believes Q said X?!? Something of the form: X Y simply means: if X is true, then Y is true

P believes Q K P, P sees {X} K P believes Q said X P believes Q K P, P sees {X} K P believes Q said X If P believes that the key K is shared with Q and itself

P believes Q K P, P sees {X} K P believes Q said X If P believes that the key K is shared with Q and itself and P sees X encrypted under K, P believes Q K P, P sees {X} K P believes Q said X If P believes that the key K is shared with Q and itself and P sees X encrypted under K, then P believes that Q once said X

P believes Q K P, P sees {X} K P believes Q said X If P believes that the key K is shared with Q and itself and P sees X encrypted under K, then P believes that Q once said X For public keys: P believes K Q, P sees {X} K 1 P believes Q said X If P believes that K is Q s public key, and P receives a message encoded with Q s secret key, then P believes Q once said X

Rules of Inference The nonce-verification rule shows us how to assert that a message is fresh, and that the sender believes it is fresh P believes fresh (X), P believes Q said X P believes Q believes X If P believes that X could have been uttered only recently and that Q once said X, then P believes that Q believes X Rules of Inference The jurisdiction rule states that a principal P will trust the beliefs that Q has jurisdiction (or control) over P believes Q controls X, P believes Q believes X P believes X

Rules of Inference If a principal sees a formula, the he also sees it components, given he knows the necessary keys P sees (X, Y ) P sees X, P believes Q K P, P sees {X} K, P sees X P believes K P, P sees {X} K P sees X, P believes K Q, P sees {X} K 1. P sees X Note that if P sees X and P sees Y, it does NOT follow that P sees (X,Y) since X and Y were not uttered at the same time Rules of Inference If one part of the formula is fresh, then the entire formula must be fresh: P believes fresh(x) P believes fresh((x, Y )).

Given the previous inference rules, we can construct proofs in the logic Protocol Analysis in the BAN Logic Create an idealized form of the protocol Assumptions about the initial state are written Logical formulas are attached to the statements of the protocol Logical postulates (inference rules) are applied to the assumptions and assertions

The Goals of Authentication, Formalized A believes A K B believes A K

A believes B believes A K B believes A believes A K A believes B believes X or A believes K B

Needham-Schroeder Protocol (w/ shared keys) Goals A believes A K ab B believes A K ab A believes fresh(a K ab ) B believes fresh(a K ab ) A believes B believes A K ab B believes A believes A K ab,, A S B A, B, N a {N a, B, K ab, {K ab, A} Kbs } Kas time {K ab, A} Kbs {N b } Kab {N b 1} Kab

Weeks Later, Mallory has discovered key K AB. Mallory can then impersonate Alice to Bob. M B {K ab, A} Kbs time {N b } Kab {N b 1} Kab Assumptions A believes A K as S B believes B K bs S S believes A K as S S believes B K bs S S believes A K ab

A believes S controls A K ab B believes S controls A K ab A believes S controls fresh(a K ab ) A believes fresh(n a ) B believes fresh(n b ) S believes fresh(a K ab ) B believes fresh(a K ab )

A S B {N a, A K ab, fresh(a K ab ), {A K ab } Kbs } Kas time {A K ab } Kbs {N b, A K ab } Kab {N b, A K ab } Kab Message 2 A sees {N a, A K ab, fresh(a K ab ), {A K ab } Kbs } Kas A believes fresh(n a ) A believes fresh(n a, A K ab, fresh(a K ab )) By the nonce-verification rule: A believes fresh(a K ab ), By the jurisdiction rule: A believes S said A K ab A believes S believes A K ab A believes S controls A K ab, A believes A K ab A believes S believes A K ab

Message 3 B sees {A K ab } Kbs By decrypting the message: B believes S once said A K ab But is A K ab fresh? Let s just ASSUME B believes fresh(a K ab ) (so says the paper) B believes fresh(a K ab ), B believes S controls A K ab, B believes S said A K ab B believes S believes A K ab B believes A K ab B believes S believes A K ab Message 4 A sees {N b, A K ab } Kab A believes fresh(a K ab ), Message 5 A believes B said A K ab A believes B believes A K ab B sees {N b, A K ab } Kab B believes fresh(n b ), B believes A said (N b, A K ab ) B believes A believes A K ab

Finally A believes A K ab B believes A K ab A believes fresh(a K ab ) B believes fresh(a K ab ) A believes B believes A K ab B believes A believes, A K ab, Next Week...

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback