Ban Logic Tutorial
-
Upload
inaagustina879124 -
Category
Documents
-
view
462 -
download
17
Transcript of Ban Logic Tutorial
Formal Veri�cation of Cryptographic Protocol &Tutorial on BAN Logic
Avinanta Tarigan
Center for Information Security Research
Gunadarma University
Avinanta Tarigan BAN Logic
Security & Safety
Security is fun idea of :
attacking and defensingmanaging human's problem(user - attacker - designer)
Safety is also fun idea of :
preventing failuresreacting upon failuresmanaging human and environmental
Both is considered to be factor of dependability
Avinanta Tarigan BAN Logic
Cryptography (review)
Algorithm to protect secrecy of data
Also used to gain :
authentication
integrity
non repudiation
Includes : algorithm and key(s)
In implementation requires a protocol
(Cryptographic Protocol)
Example: SSL, Kerberos, WPA, CHAP, Contract signing,
E-voting, E-money.
Avinanta Tarigan BAN Logic
Symmetric Crypt.
A 7→B : {M}Kab
Principal A sends B message Mencrypted with shared-key Kab
Key is shared between 2 principals
Needs N2 keys for N principals
Fast but key management is not easy
Avinanta Tarigan BAN Logic
Asymmetric/Public Key Crypt.
A 7→B : {M}Kb
Principal A sends B message Mencrypted with B's public-key Kb
Only with private-key K −1b, B can decrypt M
Principal has its own K which is published and K −1 which
must be keeped secret
Key management is less di�cult, requires Certi�cationAuthority
Avinanta Tarigan BAN Logic
Cryptographic Protocol
Implementation of Cryptography Algorithm
Achieving security properties (authentication,
secrecy, etc.)
Example :
Needham-Schroeder (authentication)Kerberos (authentication)SSL/TLS (auth - secrecy)
Avinanta Tarigan BAN Logic
Cryptographic Protocol
Example : Needham-Schroeder Protocol
M1 A 7→S : A, B, Na
M2 S 7→A : {Na, B, Kab, {Kab, A}Kbs}Kas
M3 A 7→B : {Kab, A}Kbs
M4 B 7→A : {Nb}Kab
M5 A 7→B : {Nb−1}Kab
Intoducing Nonce (N)
Avinanta Tarigan BAN Logic
Cryptographic Protocol
More example : Kerberos Protocol
M1 A 7→S : A, BM2 S 7→A : {Ts , L, B, Kab, {Ts , L, Kab, A}Kbs
}Kas
M3 A 7→B : {Ts , L, Kab, A}Kbs, {A, Ta}Kab
M4 B 7→A : {Ta + 1}Kab
Introducing TimeStamp (T ) and Lifetime (L)
Used in many system, including Windows
Avinanta Tarigan BAN Logic
Cryptographic Protocol
Problem :
Wrong design could lead to �aw
Needham-Schroeder Protocol
SSLv1.0
Wrong implementation could lead to vulnerability
Padding problem in SSL, SSH, and WTLS
Vulnerability arise between two protection technologies
(Anderson, Ross)
Avinanta Tarigan BAN Logic
Formal Method for Crypt. Protocol I
Formal Methods are a particular kind of mathematically-based
techniques for the speci�cation, development and veri�cation
of algorithms, software and hardware systems
Cryptographic Protocol is an algorithm that is using
cryptographic operation that carries out security objective(s),
i.e. :
AuthenticationSecrecyKey-ExchangeNon-Repudiation
In this case it to prove correctness in achieving security
properties that the protocol carry out, i.e :
to prove that Kerberos protocol does correct authentication asspeci�ed
Avinanta Tarigan BAN Logic
Formal Method for Crypt. Protocol II
There are two development approach :
Extention from method used in communication
Newly developed method
Four classi�cations :
1. General purpose tools 3. Expert System
2. Logic based 4. Algebraic approach
Avinanta Tarigan BAN Logic
General Purpose Tools
Treated as ordinary communication protocol
Adversary is explicit, capable in read, intercept, and modify
messages
Method : FSM, CSP, FDR, Petri Nets
Example : Lotos, Ina Jo, Murphy
A BINTRUDER
System State
Avinanta Tarigan BAN Logic
Using Expert System
Investigate every possible scenario of Attack - Flaw -
Defence
Needs to de�ne insecure states and search paths to them
More successful than General Purpose Tools
Example : Interrogator by Millen, NRL Protocol Analyzer by
Meadows, Longley and Rigby
Avinanta Tarigan BAN Logic
Algebraic Approach
Capabilties in modeling knowledge which represents
component in cryptographic operation (Nonce, Key(s), and oldmessages)
Example :
Dolev - Yao (term re-writing systems)S−Π - Calculus by Abadi and Gordon (to prove secrecy)
Avinanta Tarigan BAN Logic
Logic Based
One sees cryptographic protocol as distributed algorithm
Develop logics from modal logic
There are inference rules
Goal is to derived statements which represents correctcondition
Example : BAN Logic and GNY Logic
Avinanta Tarigan BAN Logic
Books, Papers, and Links
Schneider et. al. �Modelling and Analysis of Security
Protocols�
Ross Anderson, �Security Engineering�
Donald Mackenzie, �Mechanizing Proof�
Martin Abadi's papers at
http://www.cse.ucsc.edu/~abadi/allpapers.html#jsds
Papers at
http://chacs.nrl.navy.mil/projects/crypto.html
Avinanta Tarigan BAN Logic
Tutorial on BAN Logic I
Burrows, Abadi, Needham, �The Logic of Authentication�,
SRC Research Report 39, 1989.
First attempt on Logic in verifying Authentication Protocols
Developed using Epistemic Logic (Logic of Knowledge)
Notation:
Principals : P,Q,RSpeci�c Principals : A,B,SEncryption Keys :
Speci�c Shared Key : Kab,Kas ,KbsSpeci�c Public Key : Ka,Kb,KsSpeci�c Private Key : K−1a ,K−1
b,K−1s
Avinanta Tarigan BAN Logic
Tutorial on BAN Logic II
Notation:
P |≡ X : P believes XPCX : P Sees XP |∼ X : P once said XP Z⇒ X : P has jurisdiction over X](X ) : Formula X is fresh
PK←→ Q : P and Q use shared-key K
K7→ P : P has K as a public-key and corresponding K−1 asprivate-key
PX
Q : Formula X is a secret known only to P and Q{X}K : Formula X encrypted under key K〈X 〉Y : Y is proof of origin for X
Avinanta Tarigan BAN Logic
Tutorial on BAN Logic III
Postulates
Message Meaning :
P |≡ QK←→ P, PC{X}K
P |≡ Q |∼ X(1)
P |≡ K7→ Q, PC{X}K−1P |≡ Q |∼ X
(2)
P |≡ QY
P, PC 〈X 〉YP |≡ Q |∼ X
(3)
Nonce veri�cation
P |≡ ](X ), P |≡ Q |∼ X
P |≡ Q |≡ X(4)
Avinanta Tarigan BAN Logic
Tutorial on BAN Logic IV
JurisdictionP |≡ Q Z⇒ X , P |≡ Q |≡ X
P |≡ X(5)
Conjuction of belief
P |≡ X , P |≡ X
P |≡ (X ,Y )(6)
Some decompositions
P |≡ (X ,Y )
P |≡ X(7)
P |≡ Q |≡ (X ,Y )
P |≡ Q |≡ X(8)
P |≡ Q |∼ (X ,Y )
P |≡ Q |∼ X(9)
Avinanta Tarigan BAN Logic
Tutorial on BAN Logic V
More decompositions
PC (X ,Y )
PCX(10)
PC 〈X 〉YPCX
(11)
P |≡ QK←→ P, PC{X}KPCX
(12)
more on decompositions ...
P |≡ K7→ P, PC{X}KPCX
(13)
Avinanta Tarigan BAN Logic
Tutorial on BAN Logic VI
P |≡ K7→ Q, PC{X}K−1PCX
(14)
Nonce in�uenceP |≡ ](Y )
P |≡ ](Y ,X )(15)
Shared-Key Commutative
P |≡ RK←→ R ′
P |≡ R ′K←→ R
(16)
P |≡ Q |≡ RK←→ R ′
P |≡ Q |≡ R ′K←→ R
(17)
Avinanta Tarigan BAN Logic
Tutorial on BAN Logic VII
Shared-Secret Commutative
P |≡ RX
R ′
P |≡ R ′X
R(18)
P |≡ Q |≡ RX
R ′
P |≡ Q |≡ R ′X
R(19)
Avinanta Tarigan BAN Logic
Stages
Stages in using BAN proof :
1 Transform message into idealized logical formula
Skip the message parts that do not contribute to the receiver'sbeliefs
2 State assumptions about original message
3 Make annotated idealized protocols for each protocol
statement with assertions
4 Apply logical rules to assumptions and assertions
5 Deduce beliefs held at the end of protocol
Avinanta Tarigan BAN Logic
Idealization
To formalize and remove ambiguity in protocol bit string
Skip the message parts that do not contribute to the receiver's
beliefs
Example :
A→ B : {A,Na,Kab}Kab
to
BC{Na,AKab←→ B}Kab
Avinanta Tarigan BAN Logic
Proving simple protocol I
Example : Otway Rees Protocol (1987)
M1 : A→ B : M,A,B,{Na,M,A,B}Kas
M2 : B → S : M,A,B,{Na,M,A,B}Kas,{Nb,M,A,B}Kbs
M3 : S → B : M,{Na,Kab}Kas,{Nb,Kab}Kbs
M4 : B → A : M,{Na,Kab}Kas
Idealized into :
M1 : A→ B : {Na,Nc}Kas
M2 : B → S : {Na,Nc}Kas,{Nb,Nc}Kbs
M3 :
S → B : {Na,AKab←→ B,B |∼ Nc}Kas
,{Nb,AKab←→ B,A |∼ Na}Kbs
M4 : B → A : {Na,AKab←→ B,B |∼ Nc}Kas
Avinanta Tarigan BAN Logic
Proving simple protocol II
We have assumptions :
A |≡ AKas←→ S B |≡ B
Kbs←→ S
S |≡ BKbs←→ S S |≡ A
Kab←→ B
B |≡ S Z⇒ AK←→ B A |≡ S Z⇒ B |∼ X
A |≡ ](Na) A |≡ ](Nc)
S |≡ AKas←→ S A |≡ S Z⇒ A
K←→ BB |≡ S Z⇒ A |∼ X B |≡ ](Nb)
Avinanta Tarigan BAN Logic
Proving simple protocol III
PROOF
We begin with M2
SC{Na,Nc}Kas,{Nb,Nc}Kbs
10SC{Na,Nc}Kas
(a)
SC{Nb,Nc}Kbs(b)
a.SC{Na,Nc}Kas
S |≡ AKas←→ S
1S |≡ A |∼ (Na,Nc)
b.SC{Nb,Nc}Kbs
S |≡ BKbs←→ S
1S |≡ B |∼ (Nb,Nc)
and then M3
Avinanta Tarigan BAN Logic
Proving simple protocol IV
BC{Nb,AKab←→ B,A |∼ Nc}Kbs
S |≡ BKbs←→ S
1B |≡ S |∼ (Nb,A
Kab←→ B,A |∼ Nc) B |≡ ](Nb)15
B |≡ ](AKab←→ B,A |∼ Nc)
4B |≡ S |≡ (A
Kab←→ B,A |∼ Nc)7
B |≡ S |≡ AKab←→ B (a)
B |≡ S |≡ A |∼ Nc (b)
from M3
a.B |≡ S |≡ A
Kab←→ B B |≡ S Z⇒ AK←→ B
5B |≡ A
Kab←→ B
b.B |≡ S |≡ A |∼ Nc B |≡ S Z⇒ A |∼ X
5B |≡ A |∼ Nc
after that M4 :
Avinanta Tarigan BAN Logic
Proving simple protocol V
AC{Na,AKab←→ B,B |∼ Nc}Kas
A |≡ AKas←→ S
1A |≡ S |∼ (Na,A
Kab←→ B,B |∼ Nc) A |≡ ](Na)15
A |≡ ](AKab←→ B,B |∼ Nc)
4A |≡ S |≡ (A
Kab←→ B,B |∼ Nc)7
A |≡ S |≡ AKab←→ B (a)
A |≡ S |≡ B |∼ Nc (b)
from M4
a.A |≡ S |≡ A
Kab←→ B A |≡ S Z⇒ AK←→ B
5A |≡ A
Kab←→ B
b.A |≡ S |≡ B |∼ Nc A |≡ S Z⇒ B |∼ X
A |≡ B |∼ Nc A |≡ ](Nc)4
A |≡ B |≡ Nc
Avinanta Tarigan BAN Logic
Limitations
BAN does not catch all protocol �aws
False-positives can result
A principal's beliefs cannot be changed at later stages of the
protocol
No division of time in protocol run
Provides a proof of trust on part of principles, but not a proof
of security
Final beliefs can be believed only if all original assumptionshold true
BAN does not account for improper encryption
Avinanta Tarigan BAN Logic