1 / 33

BAN: A Logic of Authentication

Concordia University . Design and Analysis of Security Protocols (INSE 7100) . BAN: A Logic of Authentication. Mourad Erhioui. Ahmed Gario. Sami Zhioua. October 27, 2003. Content. 1. Introduction. - Syntax. - Logical postulates (rules). 2. Protocol analysis. - Different steps.

Gabriel
Download Presentation

BAN: A Logic of Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Concordia University Design and Analysis of Security Protocols (INSE 7100) BAN: A Logic of Authentication Mourad Erhioui Ahmed Gario Sami Zhioua October 27, 2003

  2. Content 1. Introduction - Syntax - Logical postulates (rules) 2. Protocol analysis - Different steps - Detailed example (Kerberos protocol) 3. Conclusion - Needham-Shroeder protocol (outline) - Limitations and advantages - Conclusion

  3. Introduction • BAN is the first logic to formally analyze authentication protocols (1990) • It is named after its inventors : Mike Burrows, Martin Abadi and Roger Needham • BAN is a belief logic: it concentrates on beliefs of principals and the evolution of these beliefs through the execution of the protocol.

  4. BAN Objectives • Prove whether a protocol does or does not meet its security goals. • Make protocols more efficient: - Does this protocol do anything unnecessary that could be left out without weakening it ? - Does this protocol encrypt something that could be sent in clear without weakening it ?

  5. A shared key between Alice and Bob is written as : A  B • If Alice believes thatKAB is a good key to communicate with Bob, • then we write : A | A B. KAB KAB • If Alice believes that S can be trusted to create a good key to communicate with Bob, we write: • A | S  A B KAB and we say that ‘A believes that S has a jurisdiction over good keys for A and B’. Formalism (1) • If Alice believes a proposition P, we writeA | Pand we say: ‘A believes P’

  6. If Alice sent a message containing the statement P, we write: • A |~ P and we say: ‘A once said P’ • When a statement P is fresh, we write : #(P) and we say: • ‘P is fresh’ Formalism (2) • When Alice receives a message, we write : A Pand we say: ‘A sees P’

  7. Formalism (Summary) • P | X : PbelievesX • P X : PseesX • P |~X : Ponce saidX • # (P) : Pis fresh • P X : Phas jurisdiction overX K • P  Q : Kis a good key for communication between P and Q K • P : P has Kas a public key

  8. BAN Logical postulates P Means: if P is true, then Q is true Q X If Alice believes X and , then Alice believes Y Y

  9. K P | Q , P  {X}K -1 P | Q |~ X Message significance rule K P | P  Q , P  {X}K P | Q |~ X

  10. Nonce verification P | # (X) , P | Q |~ X P | Q | X

  11. Jurisdiction rule P | Q X , P | Q | X P | X

  12. More rules P | X , P | Y 1. P (X,Y) P | (X,Y) 5. P  X P | (X,Y) 2. K P | P  Q , P  {X}K P | X 6. P X P | Q | (X,Y) 3. P | Q |X P | # (X) 7. P | # (X,Y) P | Q |~ (X,Y) 4. P | Q |~X

  13. BAN • BAN cannot be used to prove that a protocol is flawed • But, when we cannot prove that a protocol is correct, that protocol deserves to be treated with grave suspicion.

  14. Content 1. Introduction - Syntax - Logical postulates (rules) 2. Protocol analysis - Different steps - Detailed example (Kerberos protocol) 3. Conclusion - Needham-Shroeder protocol (outline) - Limitations and advantages - Conclusion

  15. Message1: A  B : {A, } k k k bs bs ab Kab Kab A B A B Idealized protocol • BAN Logic transforms each step in a protocol in a idealized form. • Principal A sends the message to principal B • It is an informal notation • Ambiguous presentation • Obscure in meaning, • Not appropriate for formal analysis Message1: A  B : {A, } B {A, }

  16. Idealized protocol • Transform each protocol into an idealized form • Omit the parts of the message that do not contribute to the beliefs of the recipient • Omit clear text communication because it can be forged • The not encrypted messages will be removed during the steps of idealization • Only encrypted fields are retained in the idealization

  17. Protocol Analysis • Derive the idealized protocol from the original one. • Write assumptions about the initial state. • Add a logical formulas to the statements of the protocol. • Use the postulates and rules of the logic to deduce new predicates.

  18. The Kerberos Protocol S 2: {Ts, L, Kab,B, {Ts, L, Kab,A} Kbs} Kbs 1: A, B 3: {Ts, L, Kab, A} Kbs ,{A, Ta} Kab A B 4: { Ta+1} Kab Message1: A  S : A, B Message2: S  A : {Ts, L, Kab, B, {Ts, L, Kab, A} Kbs}Kas Message3: A  B : {Ts, L, Kab, A} Kbs, {A, Ta}Kab Message4: B  A : { Ta+1} Kab

  19. Kab Kab Kab Kab Kab A B A B A B A B A B Confusion Idealized protocol Message1: A  S : A, B Message2: S  A : {Ts, L, Kab, B, {Ts, L, Kab, A} Kbs}Kbs Message3: A  B : {Ts, L, Kab, A} Kbs, {A, Ta}Kab Message4: B  A : { Ta+1} Kab Message2: S  A : {Ts, , {Ts, } Kbs }Kas Message3: A  B : {Ts, } Kbs, {Ta, }Kabfrom A Message4: B  A : { Ta, } Kabfrom B

  20. Kas Kas Kas Kas Kas A | B | B S B S A B A S A S S | S | K K S | A B A B B | (S | ) A | (S | ) Protocol Analysis • Initial assumptions : A |#(Ta) B |#(Ts) B |#(Ta)

  21. Goals of Authentication • Authentication rests on communication protected by shared session key, so the goals of authentication may be reached between A and B if there is a K such that: • Authentication between A and B is compete once there is a K such : K K A |AB B |AB • Some authentication protocols achieve this final goal: K K A |B |AB B |A |AB

  22. Kab A | A B Goal of authentication • Prove from the postulats of BAN and assumptions, the goal of the protocol

  23. A  { }Kas A | Kas S A A | S A, A  {X}k A | S |~ X A |#( ) Kab Kab Kab Kab Kab Kab A |#(X), A | S |~ X __________________________ A | S | X A B A B A B A B A B A B B | (S | ) A | S | , A | S | A | Verification

  24. Content 1. Introduction - Syntax - Logical postulates (rules) 2. Protocol analysis - Different steps - Detailed example (Kerberos protocol) 3. Conclusion - Needham-Shroeder protocol (outline) - Limitations and advantages - Conclusion

  25. Needham-Schroeder Analysis • Original version without idealization S Message 1 A  S: A, B, NA Message 2 S  A:{NA, B, KAB, {KAB, A}KBS} KAS 1 2 Message 3 A  B: {KAB, A}KBS Message 4 B  A:{NB}KAB 3 B A 4 Message 5 A  B:{NB – 1}KAB 5 • Corresponding idealized protocol Kab Kab KabMessage 2 S  A: {NA, (AB), # (AB), {AB}Kbs} Kas Kab Message 3 A  B: {AB}Kbs Kab Message 4 B  A: {NB, (AB)}Kab from B KabMessage 5 A  B: {NB, (AB)}Kab from A

  26. Needham-Schroeder Analysis (Con.) • The original Needham-Schroeder is worth idealization because so much work has been based on it, since too many authentication protocols have been derived from it. • The goal of this idealization is to see if both principals A & B can be convinced of each other’s presence. KK A | A  B B | A  B and KK A | B | A  B B | A | A  B

  27. Needham-Schroeder Analysis (Con.) Initial assumptions: What client trust the server to do Kab A | (S | AB) Kab B | (S | AB) Kab A | (S | #(AB)) Keys already known to the principals Kas A |AS Kbs B |BS Kas S |AS Kbs S |BS Kab S |AB A | #(Na) Ka B | #(Nb) Kab S | #(AB) Kab B | #(AB)

  28. Needham-Schroeder Analysis (Con.) • Now we can apply the logical postulate rules to each message with assumptions to see if we can achieve our goal. • There are too many steps to achieve the goal, unfortunately, there is no enough time to state them.

  29. Conclusions of Analysis Finally, this has been achieved: The goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key Kab and they each believe that the other believes it. K K B | A  B A | A  B the final goal has also been achieved: KK A | B | A  B B | A | A  B BAN finds that this authentication protocol has an extra assumption, which is that B assumes the key it receives from A is fresh

  30. BAN limitations • Conversion to idealized form • Lack of ability to state something a principle does not know • BAN does not catch all protocol flaws. • - False-positives can result. • A principal’s beliefs cannot be changed at later stages of the protocol • - No division of time in protocol run. • Provides a proof of trust on part of principles, but not a proof of security • -Final beliefs can be believed only if all original assumptions hold true. • BAN does not account for improper encryption.

  31. Advantages of BAN Logic • Huge success for formal methods in cryptography, useful tool. • BAN Logic successful in uncovering implicit assumptions and weaknesses in a number of protocols • Vehicle for extensive research in the areas for basis and development of other logic systems. • BAN’s strengths lie in its simplicity of its logic and its ease of use

  32. Conclusion • BAN Logic isone of earliest successful attempts at formally reasoning about authentication protocols. • BAN logic involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met. • BAN logic can be used to analyze existing protocols and bring out their flaws. • As we saw in the Needham Schroeder protocol, BAN logic helped to uncover an extra assumption that the authors themselves did not realize. • BAN logic has its flaws, but overall it is a welcome success for formal methods in cryptography.

  33. Thank you

More Related