280 likes | 430 Views
What you may have understood of Dusko’s talk yesterday if he hadn’t been speaking so fast. An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols. Part I. Iliano Cervesato Tulane University. Catherine Meadows NRL. Dusko Pavlovic Kestrel Institute.
E N D
What you may have understood of Dusko’s talk yesterday if he hadn’t been speaking so fast An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols Part I Iliano Cervesato Tulane University Catherine Meadows NRL Dusko Pavlovic Kestrel Institute Protocol eXchange June 10, 2005
Contributions • Separate • Authentication reasoning • Secrecy reasoning • Define a logic of pure authentication • Secrecy as assumptions • Embed it in derivational framework • Apply to shared-key server-assisted key distribution protocols • Taxonomy • Comparative study • Clear understanding of underlying mechanisms I.Cervesato: Encapsulated Authentication Logic
KD0 Server-Assisted SharedKey DistributionProtocols KD1 KD2 KD3 KD4 http://theory.stanford.edu/~iliano/papers/csfw05.pdf DS NSSK0 NSSKfix0 K5core0 K4core0 NSSK1 NSSKfix1 K5core K4core NSSK NSSKfix I.Cervesato: Encapsulated Authentication Logic
Generate k Send k to A Send k to B • Secrecy depends on authentication • ksecret only if sent over authenticated channels Authentication Secrecy • Authentication depends on secrecy Authentication • Cryptographic authentication relies on secrecy of long-term keys Secrecy KeyDistributionProtocols I.Cervesato: Encapsulated Authentication Logic
Authentication Completing partial order of actions Get piping right Local reasoning Positive inference Secrecy Secret goes only to intended recipients Pipes do not leak Global reasoning Negative inference Verifying KD Protocols Historically single monolithic proofs … BUT … secrecy and authentication rely on very different proof methods I.Cervesato: Encapsulated Authentication Logic
Divide et Conquera • Two coordinated logics • Logic of authentication • Relies on secrecy assumptions • Logic of secrecy • Relies on authentication assumptions • Benefits • Much simpler proofs • Modularity • Deeper understanding of • mechanisms • properties I.Cervesato: Encapsulated Authentication Logic
Describing Protocol Runs • Principal actions • <m: A -> B>A – Send • (X: Y -> Z)A – Receive • (m/p(x))A – match • (n n)A , (t t)A – new nonce, timestamp • Runs • Partial order of actions • Every receive has a send • Every match has succeeded • Observations • Protocols • Set of parametric roles • Akin to observations I.Cervesato: Encapsulated Authentication Logic
Authentication Logic • First-Order logic with 3 predicates • aA – action aA has occurred • aA < bB – aA has occurred before bB • aA = bB – aA and bB are the same action Nothing else! • Usage • Given A’s observations, extend them with other principal’s actions • Derive compatible runs A: ObsA F A: Y & ObsA F • Iterated application of axioms I.Cervesato: Encapsulated Authentication Logic
Honesty Principal does not deviate from role honest S Secrecy Key uncompromised for given principals secret(k, G) =k mX< X G &(x/k y)X X G A S Z? k m secret(k,[A,S]) Logical Assumptions I.Cervesato: Encapsulated Authentication Logic
X B A A m n n K n secret(K, [A,B]) B A t t Honest B Axioms • Basic truths about domain • Receive axiom Y: ((m))A mX<< ((m))A • Challenge-response axiom A: secret(K, [A,B]) & (n n)A < nA<< ((K n))A (n n)A < nA<< ((n))B < K nB<< ((K n))A • Timestamp axiom A: honest B &tB<< ((t))A ( t)A < (t t)B < tB<< ((t))A < ( t)A • Allow inferring new actions/ordering I.Cervesato: Encapsulated Authentication Logic
KD0 A S B n k KAS k KBS k A KAS k A: (KAS k)A A X KAS k A: (KAS k)A < KAS kX< < (KAS k)A secret(KAS, [A,S]) & A: (KAS k)A A S A S B < KAS kS< < (KAS k)A KAS k secret(KAS, [A,S]) & honest S & secret(KAS, [A,S]) A: n k (KAS k)A KAS k KBS k ? KAS kS<KBS kS< (n k)S < < (KAS k)A secret(KAS, [A,S]) honest S Abstract KeyDistribution • S spontaneously • Generates k • Sends it to A, B • A, B hardwired • Encrypted with KAS, KBS • A observes only (KAS k) • A reconstructs run • Must assume • honest S • secret(KAS, [A,S]) • Not secret(KBS, [B,S]) • B’s reception unknown • Dual for B I.Cervesato: Encapsulated Authentication Logic
Derivational Approach • Use rules, not just axioms • Operate on protocol and properties • Refinements • Transformations • Advantages • Abstract general constructions • Reuse protocol fragments • Structured understanding of • Mechanism • Properties • Relations between protocols • Open-ended taxonomies I.Cervesato: Encapsulated Authentication Logic
KD1 A S B A,B n k KAS k KBS k A A S X A,B A,B n k A: A,BA < (KAS k)AB KAS k KAS k KXS k ? secret(KAS, [A,S]) honest S secret(KAS, [A,S]) & honest S & A: A,BA < (KAS k)A X S B B A,BA X,B < (KAS k)A KAS kS<KXS kS< (A,X)S < (n k)S < n k KXS k KBS k ? honest S secret(KBS, [B,S]) Key Request • A issues request • A may not be talking to B • Even if S honest • Same holds for B I.Cervesato: Encapsulated Authentication Logic
KD2 A S B A,B n k KAS (B,k) KBS (A,k) A A S B A,B A,B n k KAS (B,k) KAS (B,k) KBS (A,k) ? secret(KAS, [A,S]) honest S Binding • S includes names • A (B) authenticated to B (A) Similar for B • Not how typical KD protocols are set up • S sends to 1 party only I.Cervesato: Encapsulated Authentication Logic
KD3 A S B A,B n k KAS(B,k), KBS(A,k) KBS(A,k) A A A A S B A,B A,B n k KAS (B,k), M KAS (B,k), M KAS (B,k), KBS (A,k) M M ? secret(KAS, [A,S]) honest S Concatenated Relay • S sends all to A • A forwards to B • Seedling of Kerberos 5 • A knows S sent KAS (B,k), KBS (A,k) • A received KAS (B,k), M • A doesn’t know if M = KBS (A,k) • Documented anomaly of Kerberos 5 I.Cervesato: Encapsulated Authentication Logic
KD4 A S B A,B A A A A S B A,B A,B n k KAS(B,k,KBS(A,k)) n k KAS (B,k, M) KAS (B,k, KBS (A,k)) KBS(A,k) M KBS (A,k) ? secret(KAS, [A,S]) honest S Embedded Relay • Encrypted “ticket” • Basis of • NSSK • Denning Sacco • Kerberos 4 I.Cervesato: Encapsulated Authentication Logic
KD4 A S B B A,B n k KAS (B,k, KBS (A,k)) ? X A S B KBS (A,k) KBS (A,k) A,B secret(KBS, [B,S]) honest S n k KAS(B,k,KBS(A,k)) A S B A,B KBS(A,k) n k KAS (B,k, KBS (A,k)) KBS (A,k) secret(KBS, [B,S]) honest S secret(KAS, [A,S]) B’s Point of View • With only • secret(KBS, [B,S]) knows S generated k • With also • secret(KAS, [A,S]) knows A knows k • A may not be honest I.Cervesato: Encapsulated Authentication Logic
secret(KAS, [A,S]) & honest S & A: A,BA < (KAS k)A A S X A,B A,BA n k KAS k KXS k KAS kS<KXS kS< ? < (KAS k)A secret(KAS, [A,S]) honest S (A,X)S < (n k)S < Additional Properties • Recency • (n k)S bracketed by events controlled by A/B • Otherwise, intruder can infer k and attack protocol • Even if S is honest • Not satisfied so far • Key confirmation • A/B knows that B/A has k • Essential for using k • Only B in KD4 (under assumption) I.Cervesato: Encapsulated Authentication Logic
A S B A S n n n A,B n k KASn KAS (B,k, KBS (A,k)) KBS (A,k) n n A,B,n n k KAS (n,B,k, KBS (A,k)) KBS (A,k) Recency with Nonces • Use challenge-response as bracket I.Cervesato: Encapsulated Authentication Logic
NSSK0 A S B n n n,A,B n k KAS(n,B,k,KBS(A,k)) KBS(A,k) secret(KAS, [A,S]) & honest S & A: (n n)A < A,B,nA < (KAS (n,B,k,M))A < (M)A (n n)A < A,B,nA <(A,B,n)S < (n k)S < KAS (n,B,k, KBS (A,k))S< < (KAS (n,B,k, KAS (A,k)))A< (KAS (A,k))A Core NSSK • (n k)S bounded by (n n)A • Ensures recency of k to A • A can reconstruct run up to B’s action • No such guarantees for B • Denning-Sacco attack I.Cervesato: Encapsulated Authentication Logic
NSSKfix0 A S B Core NSSK-fix A n n’ KBS(A,n’) n n n,A,B, KBS(A,n’) • Same device for B • Complications • Keeping A as initiator • Sending n’ to A • Achieves recency for B too • Complicated n k KAS(n,B,k,KBS(A,k,n’)) KBS(A,k,n’) I.Cervesato: Encapsulated Authentication Logic
NSSK1 A A S B n n n n A,B,n A,B,n n k KAS (n,B,k, M) KAS (n,B,k, KBS (A,k)) M KBS (A,k) k m k m secret(KAS, [A,S]) secret(k, [A,B,S]) honest S A S B Key Confirmation n n n,A,B n k KAS(n,B,k,KBS(A,k)) • B knows A has k • B tells A he has k bysending agreed message KBS(A,k) k m ExtendstoNSSK-fix I.Cervesato: Encapsulated Authentication Logic
NSSK A S B NSSK does more! n n n,A,B n k KAS(n,B,k,KBS(A,k)) • B concludes with CR • k not confirmed to A • Unless tagging • B already knows A has k • Exchange typical of repeated authentication • B repeatedly request service from A • … but A is initiator! • Similarly for NSSK-fix KBS(A,k) n n’ k n’ k (n’+1) I.Cervesato: Encapsulated Authentication Logic
A S KAS m t t S KAS (m,t) S A A t KAS m KAS (m,t) secret(KAS, [A,S]) Honest S secret(KAS, [A,S]) Recency with Timestamps • Timestamp as bracketingdevice • Requires loosely synchronizedclocks I.Cervesato: Encapsulated Authentication Logic
DS A S B Denning-Sacco A,B n kt t KAS(B,k,t,KBS(A,k,t)) • Use timestamp forrecency • Guarantee recency to both A and B • Same assurance as core NSSK-fix • Only 3 messages KBS(A,k,t) I.Cervesato: Encapsulated Authentication Logic
K4core A S B Core Kerberos 4 A,B n kt t KAS(B,k,t,KBS(A,k,t)) t t’ • = NSSK + key confirmation + repeated authentication • Timestamp ensures recency of each new request • A is client and initiator • Kerberos 4 • 2 rounds of core Kerberos • Many more fields, options, … KBS(A,k,t), k(A,t’) k m[t’] I.Cervesato: Encapsulated Authentication Logic
K5core A S B Kerberos 5 A,B KAS(B,k,t),KBS(A,k,t) n kt t t t’ • Same developmentbut… • Start fromconcatenated variant of Denning Sacco KBS(A,k,t), k(A,t’) k m[t’] I.Cervesato: Encapsulated Authentication Logic
Current Future Work Define Secrecy Logic • Authentication as assumptions • Modular model of secrecy • Dolev-Yao • Information-theoretic • Computational • Apply to examples • Diffie-Hellman hierarchy • Full Kerberos 5 • PKINIT • Implement within Kestrel’s PDA Future I.Cervesato: Encapsulated Authentication Logic