Ban Logic Tutorial

Formal Veri�cation of Cryptographic Protocol &Tutorial on BAN Logic

Avinanta Tarigan

Center for Information Security Research

Gunadarma University

Avinanta Tarigan BAN Logic

Security & Safety

Security is fun idea of :

attacking and defensingmanaging human's problem(user - attacker - designer)

Safety is also fun idea of :

preventing failuresreacting upon failuresmanaging human and environmental

Both is considered to be factor of dependability


Cryptography (review)

Algorithm to protect secrecy of data

Also used to gain :

authentication

integrity

non repudiation

Includes : algorithm and key(s)

In implementation requires a protocol

(Cryptographic Protocol)

Example: SSL, Kerberos, WPA, CHAP, Contract signing,

E-voting, E-money.


Symmetric Crypt.

A 7→B : {M}Kab

Principal A sends B message Mencrypted with shared-key Kab

Key is shared between 2 principals

Needs N2 keys for N principals

Fast but key management is not easy


Asymmetric/Public Key Crypt.

A 7→B : {M}Kb

Principal A sends B message Mencrypted with B's public-key Kb

Only with private-key K −1b, B can decrypt M

Principal has its own K which is published and K −1 which

must be keeped secret

Key management is less di�cult, requires Certi�cationAuthority


Cryptographic Protocol

Implementation of Cryptography Algorithm

Achieving security properties (authentication,

secrecy, etc.)

Example :

Needham-Schroeder (authentication)Kerberos (authentication)SSL/TLS (auth - secrecy)



Example : Needham-Schroeder Protocol

M1 A 7→S : A, B, Na

M2 S 7→A : {Na, B, Kab, {Kab, A}Kbs}Kas

M3 A 7→B : {Kab, A}Kbs

M4 B 7→A : {Nb}Kab

M5 A 7→B : {Nb−1}Kab

Intoducing Nonce (N)



More example : Kerberos Protocol

M1 A 7→S : A, BM2 S 7→A : {Ts , L, B, Kab, {Ts , L, Kab, A}Kbs

}Kas

M3 A 7→B : {Ts , L, Kab, A}Kbs, {A, Ta}Kab

M4 B 7→A : {Ta + 1}Kab

Introducing TimeStamp (T ) and Lifetime (L)

Used in many system, including Windows



Problem :

Wrong design could lead to �aw

Needham-Schroeder Protocol

SSLv1.0

Wrong implementation could lead to vulnerability

Padding problem in SSL, SSH, and WTLS

Vulnerability arise between two protection technologies

(Anderson, Ross)


Formal Method for Crypt. Protocol I

Formal Methods are a particular kind of mathematically-based

techniques for the speci�cation, development and veri�cation

of algorithms, software and hardware systems

Cryptographic Protocol is an algorithm that is using

cryptographic operation that carries out security objective(s),

i.e. :

AuthenticationSecrecyKey-ExchangeNon-Repudiation

In this case it to prove correctness in achieving security

properties that the protocol carry out, i.e :

to prove that Kerberos protocol does correct authentication asspeci�ed


Formal Method for Crypt. Protocol II

There are two development approach :

Extention from method used in communication

Newly developed method

Four classi�cations :

1. General purpose tools 3. Expert System

2. Logic based 4. Algebraic approach


General Purpose Tools

Treated as ordinary communication protocol

Adversary is explicit, capable in read, intercept, and modify

messages

Method : FSM, CSP, FDR, Petri Nets

Example : Lotos, Ina Jo, Murphy

A BINTRUDER

System State


Using Expert System

Investigate every possible scenario of Attack - Flaw -

Defence

Needs to de�ne insecure states and search paths to them

More successful than General Purpose Tools

Example : Interrogator by Millen, NRL Protocol Analyzer by

Meadows, Longley and Rigby


Algebraic Approach

Capabilties in modeling knowledge which represents

component in cryptographic operation (Nonce, Key(s), and oldmessages)

Example :

Dolev - Yao (term re-writing systems)S−Π - Calculus by Abadi and Gordon (to prove secrecy)


Logic Based

One sees cryptographic protocol as distributed algorithm

Develop logics from modal logic

There are inference rules

Goal is to derived statements which represents correctcondition

Example : BAN Logic and GNY Logic


Books, Papers, and Links

Schneider et. al. �Modelling and Analysis of Security

Protocols�

Ross Anderson, �Security Engineering�

Donald Mackenzie, �Mechanizing Proof�

Martin Abadi's papers at

http://www.cse.ucsc.edu/~abadi/allpapers.html#jsds

Papers at

http://chacs.nrl.navy.mil/projects/crypto.html


Tutorial on BAN Logic I

Burrows, Abadi, Needham, �The Logic of Authentication�,

SRC Research Report 39, 1989.

First attempt on Logic in verifying Authentication Protocols

Developed using Epistemic Logic (Logic of Knowledge)

Notation:

Principals : P,Q,RSpeci�c Principals : A,B,SEncryption Keys :

Speci�c Shared Key : Kab,Kas ,KbsSpeci�c Public Key : Ka,Kb,KsSpeci�c Private Key : K−1a ,K−1

b,K−1s


Tutorial on BAN Logic II

Notation:

P |≡ X : P believes XPCX : P Sees XP |∼ X : P once said XP Z⇒ X : P has jurisdiction over X](X ) : Formula X is fresh

PK←→ Q : P and Q use shared-key K

K7→ P : P has K as a public-key and corresponding K−1 asprivate-key

PX

Q : Formula X is a secret known only to P and Q{X}K : Formula X encrypted under key K〈X 〉Y : Y is proof of origin for X


Tutorial on BAN Logic III

Postulates

Message Meaning :

P |≡ QK←→ P, PC{X}K

P |≡ Q |∼ X(1)

P |≡ K7→ Q, PC{X}K−1P |≡ Q |∼ X

(2)

P |≡ QY

P, PC 〈X 〉YP |≡ Q |∼ X

(3)

Nonce veri�cation

P |≡ ](X ), P |≡ Q |∼ X

P |≡ Q |≡ X(4)


Tutorial on BAN Logic IV

JurisdictionP |≡ Q Z⇒ X , P |≡ Q |≡ X

P |≡ X(5)

Conjuction of belief

P |≡ X , P |≡ X

P |≡ (X ,Y )(6)

Some decompositions

P |≡ (X ,Y )

P |≡ X(7)

P |≡ Q |≡ (X ,Y )

P |≡ Q |≡ X(8)

P |≡ Q |∼ (X ,Y )

P |≡ Q |∼ X(9)


Tutorial on BAN Logic V

More decompositions

PC (X ,Y )

PCX(10)

PC 〈X 〉YPCX

(11)

P |≡ QK←→ P, PC{X}KPCX

(12)

more on decompositions ...

P |≡ K7→ P, PC{X}KPCX

(13)


Tutorial on BAN Logic VI

P |≡ K7→ Q, PC{X}K−1PCX

(14)

Nonce in�uenceP |≡ ](Y )

P |≡ ](Y ,X )(15)

Shared-Key Commutative

P |≡ RK←→ R ′

P |≡ R ′K←→ R

(16)

P |≡ Q |≡ RK←→ R ′

P |≡ Q |≡ R ′K←→ R

(17)


Tutorial on BAN Logic VII

Shared-Secret Commutative

P |≡ RX

R ′

P |≡ R ′X

R(18)

P |≡ Q |≡ RX

R ′

P |≡ Q |≡ R ′X

R(19)


Stages

Stages in using BAN proof :

1 Transform message into idealized logical formula

Skip the message parts that do not contribute to the receiver'sbeliefs

2 State assumptions about original message

3 Make annotated idealized protocols for each protocol

statement with assertions

4 Apply logical rules to assumptions and assertions

5 Deduce beliefs held at the end of protocol


Idealization

To formalize and remove ambiguity in protocol bit string

Skip the message parts that do not contribute to the receiver's

beliefs

Example :

A→ B : {A,Na,Kab}Kab

to

BC{Na,AKab←→ B}Kab


Proving simple protocol I

Example : Otway Rees Protocol (1987)

M1 : A→ B : M,A,B,{Na,M,A,B}Kas

M2 : B → S : M,A,B,{Na,M,A,B}Kas,{Nb,M,A,B}Kbs

M3 : S → B : M,{Na,Kab}Kas,{Nb,Kab}Kbs

M4 : B → A : M,{Na,Kab}Kas

Idealized into :

M1 : A→ B : {Na,Nc}Kas

M2 : B → S : {Na,Nc}Kas,{Nb,Nc}Kbs

M3 :

S → B : {Na,AKab←→ B,B |∼ Nc}Kas

,{Nb,AKab←→ B,A |∼ Na}Kbs

M4 : B → A : {Na,AKab←→ B,B |∼ Nc}Kas


Proving simple protocol II

We have assumptions :

A |≡ AKas←→ S B |≡ B

Kbs←→ S

S |≡ BKbs←→ S S |≡ A

Kab←→ B

B |≡ S Z⇒ AK←→ B A |≡ S Z⇒ B |∼ X

A |≡ ](Na) A |≡ ](Nc)

S |≡ AKas←→ S A |≡ S Z⇒ A

K←→ BB |≡ S Z⇒ A |∼ X B |≡ ](Nb)


Proving simple protocol III

PROOF

We begin with M2

SC{Na,Nc}Kas,{Nb,Nc}Kbs

10SC{Na,Nc}Kas

(a)

SC{Nb,Nc}Kbs(b)

a.SC{Na,Nc}Kas

S |≡ AKas←→ S

1S |≡ A |∼ (Na,Nc)

b.SC{Nb,Nc}Kbs

S |≡ BKbs←→ S

1S |≡ B |∼ (Nb,Nc)

and then M3


Proving simple protocol IV

BC{Nb,AKab←→ B,A |∼ Nc}Kbs

S |≡ BKbs←→ S

1B |≡ S |∼ (Nb,A

Kab←→ B,A |∼ Nc) B |≡ ](Nb)15

B |≡ ](AKab←→ B,A |∼ Nc)

4B |≡ S |≡ (A

Kab←→ B,A |∼ Nc)7

B |≡ S |≡ AKab←→ B (a)

B |≡ S |≡ A |∼ Nc (b)

from M3

a.B |≡ S |≡ A

Kab←→ B B |≡ S Z⇒ AK←→ B

5B |≡ A

Kab←→ B

b.B |≡ S |≡ A |∼ Nc B |≡ S Z⇒ A |∼ X

5B |≡ A |∼ Nc

after that M4 :


Proving simple protocol V

AC{Na,AKab←→ B,B |∼ Nc}Kas

A |≡ AKas←→ S

1A |≡ S |∼ (Na,A

Kab←→ B,B |∼ Nc) A |≡ ](Na)15

A |≡ ](AKab←→ B,B |∼ Nc)

4A |≡ S |≡ (A

Kab←→ B,B |∼ Nc)7

A |≡ S |≡ AKab←→ B (a)

A |≡ S |≡ B |∼ Nc (b)

from M4

a.A |≡ S |≡ A

Kab←→ B A |≡ S Z⇒ AK←→ B

5A |≡ A

Kab←→ B

b.A |≡ S |≡ B |∼ Nc A |≡ S Z⇒ B |∼ X

A |≡ B |∼ Nc A |≡ ](Nc)4

A |≡ B |≡ Nc


Limitations

BAN does not catch all protocol �aws

False-positives can result

A principal's beliefs cannot be changed at later stages of the

protocol

No division of time in protocol run

Provides a proof of trust on part of principles, but not a proof

of security

Final beliefs can be believed only if all original assumptionshold true

BAN does not account for improper encryption


The End

Thank You

Vielen Dank

Tack så Mycket

Matur Nuwun

Terimakasih


Ban Logic Tutorial

Documents

Transcript of Ban Logic Tutorial