Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST

Post on 22-Dec-2015


10.2.2010, Embedded Security © Prof. Dr. H. Schlingloff 2010

Symmetric keys with authentication server


Kerberos key distribution protocol


Structure

1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods

BAN Logic

• M. Burrows, M. Abadi, R. Needham: "A Logic of Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, pp. 18-36, February 1990
  - a formal method for verifying that two principals (people, computers, services) are entitled to believe they are communicating with each other and not with intruders

• Goal: Formally prove security of authentication protocols
  - make hidden assumptions explicit
  - exhibit design flaws
  - support trust in the correctness

Main Purposes of BAN Logic

• BAN logic helps to prove whether or not a protocol meets its security goals

• BAN logic helps make protocols more efficient by eliminating messages, contents of messages, or encryptions of messages
  - Despite eliminating them, the security goals can still be reached

• BAN logic helps clarify the protocol’s assumptions by formally stating them

slides / text from http://www.lix.polytechnique.fr/~catuscia/teaching/cg597/01Fall/lecture_notes/BAN_Logic.ppt#256,1, BAN LOGIC


Modal Logic of Belief

• BAN logic concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes

• The steps of BAN logic to analyze the original protocol are as follows:
  1) The protocol is transformed into some “idealized” form
  2) Identify the initial assumptions in the language of BAN logic
  3) Use the postulates and rules of the logic to deduce new predicates
  4) Interpret the statements you’ve proved by the process: Have the original goals been met?

Formalism

Basic Notation

• The formalism is built on several sorts of objects: principals, encryption keys, and formulas (statements)
• A, B, and S denote specific principals
• $K_{ab}$, $K_{as}$, and $K_{bs}$ denote specific shared keys
• $K_b$, $K_a$, and $K_s$ denote specific public keys
• $K_b^{-1}$, $K_a^{-1}$, and $K_s^{-1}$ denote the corresponding secret keys
• $N_a$, $N_b$, $N_c$ denote specific statements
• P, Q, and R range over principals
• X and Y range over statements
• K ranges over encryption keys

Formalism

$P \mid\equiv X$   P believes X. P would be entitled to believe X. The principal P may act as though X is true.

$P \triangleleft X$   P sees X. P can read the contents of X (possibly after decryption, assuming P has the needed keys) and P can include X in messages to other principals.

$P \mid\sim X$   P once said X: P at some time sent a message including the statement X. It is not known when the message was sent (in the past or in the current run of the protocol), but P believed that X was true when it sent the message.

$P \mid\Rightarrow X$   P controls X. P has jurisdiction over X. P is a trusted authority on the truth of X.

$\#(X)$   X is fresh. X is fresh if it is not contained in any message sent in the past.

Basic Notation

$P \stackrel{K}{\leftrightarrow} Q$   K is a shared key for P and Q. K is a secure key for communication between P and Q, and it will never be discovered by any principal except for P or Q, or a principal trusted by either P or Q.

$\stackrel{K}{\mapsto} P$   K is a public key for P. The matching secret key (the inverse of K, denoted by $K^{-1}$) will never be discovered by any principal except P, or a principal trusted by P.

$\{X\}_K$   X encrypted under K. It represents the message X encrypted using the key K.

Formalism

• (Hilbert style) derivation system consists of axioms and inference rules

• “All humans are mortal”, “Socrates is human” |- “Socrates is mortal”

• Statement Z follows from a conjunction of statements X and Y:

$$\frac{X,\quad Y}{Z}$$

Inference rules (1)

• Message meaning rule (MMR): Rule concerns the interpretation of messages. This rule helps to explain the origin of the messages.

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

• Nonce-verification rule (NVR): This rule checks that a message is recent, and also checks if the sender still believes in it.

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

Inference rules (2)

• Jurisdiction rule (JUR): This rule states what it means for a principal to be the trusted authority on the truth of X.

$$\frac{P \mid\equiv Q \mid\Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

• Belief Rules (BEL): The rules state that a principal believes a collection of statements if and only if it believes each of the statements individually.

A) $$\frac{P \mid\equiv X,\quad P \mid\equiv Y}{P \mid\equiv (X, Y)}$$

B) $$\frac{P \mid\equiv (X, Y)}{P \mid\equiv X}$$

C) $$\frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}$$ etc.

Inference rules (3)

• Saying rules (SAY): These rules say that a principal sees all the components of every message it sees, provided that the principal knows the necessary key.

A) $$\frac{P \triangleleft (X, Y)}{P \triangleleft X}$$

B) $$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X}$$

• Freshness Rule (FRS): This rule states that any message with a fresh component is also fresh.

$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$

Idealized Protocols

• Typical protocol step: $P \rightarrow Q$ : message
  Example: $A \rightarrow B : \{A, K_{ab}\}_{K_{bs}}$

• Transform each protocol into an idealized form
  1. Omit the parts of the message that do not contribute to the beliefs of the recipient
  2. Omit clear text communication because it can be forged

Idealized version:

$$A \rightarrow B : \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$$

When the message is sent to B it can be deduced that:

$$B \triangleleft \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$$

The receiving principal becomes aware of the message (sees the message) and can act upon it.

Goals of Authentication

• Authentication rests on communication protected by a shared session key, so the goals of authentication may be reached between A and B if there is a K such that:

$$A \mid\equiv A \stackrel{K}{\leftrightarrow} B \qquad B \mid\equiv A \stackrel{K}{\leftrightarrow} B$$

• However, often we want to achieve more:

$$A \mid\equiv B \mid\equiv A \stackrel{K}{\leftrightarrow} B \qquad B \mid\equiv A \mid\equiv A \stackrel{K}{\leftrightarrow} B$$

The principals are mutually convinced of authenticity.

Steps in Protocol Analysis

• Derive the idealized protocol from the original one

• Write assumptions about the initial state

• Use the postulates and rules of the logic to deduce new predicates

• This is repeated through all the protocol messages

• Determine if goals of authentication have been met


Analysis of Needham-Schröder

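• Original version without idealization

Message 1   $A \rightarrow S$: $(A, B, N_A)$

Message 2   $S \rightarrow A$: $\{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$

Message 3   $A \rightarrow B$: $\{K_{AB}, A\}_{K_{BS}}$

Message 4   $B \rightarrow A$: $\{N_B\}_{K_{AB}}$

Message 5   $A \rightarrow B$: $\{N_B - 1\}_{K_{AB}}$

• Idealized version

(Msg2) $S \rightarrow A$: $A \triangleleft \{N_A,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$

(Msg3) $A \rightarrow B$: $B \triangleleft \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$

(Msg4) $B \rightarrow A$: $A \triangleleft \{N_B,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$ from B

(Msg5) $A \rightarrow B$: $B \triangleleft \{N_B,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$ from A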

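Initial assumptions

(ass1) $A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$

(ass2) $B \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$

(ass3) $S \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$

(ass4) $S \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$

(ass5) $S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$

(ass6) $A \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$

(ass7) $B \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$

(ass8) $A \mid\equiv (S \mid\Rightarrow \#(A \stackrel{K_{ab}}{\leftrightarrow} B))$

(ass9) $A \mid\equiv \#(N_a)$

(ass10) $B \mid\equiv \#(N_b)$

(ass11) $S \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$

(ass12) $B \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$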

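Analysis (1)

(Msg2) $A \triangleleft \{N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$

(ass1) $A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$

Rule (MMR):

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

With (ass1), (MMR) and (Msg2):

(1) $A \mid\equiv S \mid\sim (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$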

Analysis (2)

(ass9) $A \mid\equiv \#(N_a)$

Rule (FRS):

$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$

Hence:

(2) $A \mid\equiv \#(N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

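Analysis (3)

(1) $A \mid\equiv S \mid\sim (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

(2) $A \mid\equiv \#(N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

Rule (NVR):

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

(3) $A \mid\equiv S \mid\equiv (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$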

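Analysis (4)

(3) $A \mid\equiv S \mid\equiv (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

Rule (BEL):

$$\frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}$$

(4) $A \mid\equiv S \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$

and:

(5) $A \mid\equiv S \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$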

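Analysis (5)

(4) $A \mid\equiv S \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$

(5) $A \mid\equiv S \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$

(ass6) $A \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$

(ass8) $A \mid\equiv (S \mid\Rightarrow \#(A \stackrel{K_{ab}}{\leftrightarrow} B))$

Rule (JUR):

$$\frac{P \mid\equiv Q \mid\Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

(6) $A \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$ and (7) $A \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$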

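Analysis (6)

(Msg3) $B \triangleleft \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$

(ass2) $B \mid\equiv S \stackrel{K_{bs}}{\leftrightarrow} B$

(MMR)

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

(8) $B \mid\equiv S \mid\sim \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$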

Analysis (7)

(ass12) $B \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$

(8) $B \mid\equiv S \mid\sim \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$

We can apply (NVR):

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

And derive:

(9) $B \mid\equiv S \mid\equiv \{A \stackrel{K_{ab}}{\leftrightarrow} B\}$

Analysis (8)

Recall the assumption:

$$B \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$$

Also recall the derived formula above stating:

$$B \mid\equiv S \mid\equiv \{A \stackrel{K_{ab}}{\leftrightarrow} B\}$$

We can apply the jurisdiction rule, which is:

$$\frac{P \mid\equiv Q \mid\Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

And we can derive:

(10) $B \mid\equiv \{A \stackrel{K_{ab}}{\leftrightarrow} B\}$

Analysis (9)

Now we can apply the logical postulate rules to the next message with assumptions

(Msg4) $B \rightarrow A$: $\{N_b,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$

We can then say that:

$$A \triangleleft \{N_b,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$$

We can use (SAY):

$$\frac{P \triangleleft (X, Y)}{P \triangleleft X}$$

We can then derive that:

$$A \triangleleft \{(A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$$

Analysis (10)

Previously we obtained:

$$A \mid\equiv (B \stackrel{K_{ab}}{\leftrightarrow} A)$$

Also recall the result that we just obtained in the previous step:

$$A \triangleleft \{(A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$$

We can apply the message meaning rule:

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

Finally, we can deduce that:

$$A \mid\equiv B \mid\sim (A \stackrel{K_{ab}}{\leftrightarrow} B)$$

Analysis (11)

Recall a previous result we obtained:

$$A \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$$

Also recall the result that we just obtained in the previous step:

$$A \mid\equiv B \mid\sim (A \stackrel{K_{ab}}{\leftrightarrow} B)$$

We can apply the nonce-verification rule:

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

We then obtain:

$$A \mid\equiv B \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$$

In a similar manner, we can also derive that:

$$B \mid\equiv A \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$$

Conclusions of Analysis

The goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key $K_{ab}$ and that moreover they each believe that the other believes it.

$B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 3)      $A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 2)

We also achieve this final goal:

$A \mid\equiv B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 4)      $B \mid\equiv A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 4)

Our analysis achieves these results, since we have derived these goals. This authentication protocol has an extra assumption, which is that B assumes the key B receives from A is fresh. So the Needham-Schroeder protocol had this flaw in it.
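The derivation above can be mechanized. The following is an added example, not part of the original slides: a small forward-chaining engine for MMR, FRS, NVR, BEL (C) and JUR, run over the idealized Needham-Schroeder messages and the assumptions listed earlier. The tuple encoding and all function names are assumptions of this example, and FRS is applied only to messages a principal has already attributed to a sender, so that the closure stays finite.

```python
# Formulas are nested tuples (encoding constructed for this example): ("bel",P,X) ("sees",P,X)
# ("said",P,X) ("ctrl",P,X) ("fresh",X) ("key",K,P,Q) ("enc",K,X) ("tup",X1,...,Xn)
KAB = ("key", "Kab", "A", "B")

def step(facts):
    """Apply MMR, FRS, NVR, BEL (C) and JUR once; return only the new formulas."""
    new = set()
    bel = {(f[1], f[2]) for f in facts if f[0] == "bel"}
    for p, x in bel:
        if x[0] == "key" and p in x[2:]:                       # MMR
            q = x[3] if x[2] == p else x[2]
            for f in facts:
                if f[:2] == ("sees", p) and f[2][:2] == ("enc", x[1]):
                    new.add(("bel", p, ("said", q, f[2][2])))
        elif x[0] in ("said", "bel"):
            q, y = x[1], x[2]
            is_tup = isinstance(y, tuple) and y[0] == "tup"
            if x[0] == "said" and is_tup and any((p, ("fresh", c)) in bel for c in y[1:]):
                new.add(("bel", p, ("fresh", y)))              # FRS
            if x[0] == "said" and (p, ("fresh", y)) in bel:
                new.add(("bel", p, ("bel", q, y)))             # NVR
            if x[0] == "bel" and is_tup:
                new.update(("bel", p, ("bel", q, c)) for c in y[1:])  # BEL (C)
            if x[0] == "bel" and (p, ("ctrl", q, y)) in bel:
                new.add(("bel", p, y))                         # JUR
    return new - facts

def closure(facts):
    facts = set(facts)
    while (new := step(facts)):      # forward-chain until nothing new is derived
        facts |= new
    return facts

def needham_schroeder(b_assumes_fresh=True):
    msg2 = ("tup", "Na", KAB, ("fresh", KAB), ("enc", "Kbs", KAB))
    facts = {
        ("bel", "A", ("key", "Kas", "A", "S")),             # ass1
        ("bel", "B", ("key", "Kbs", "B", "S")),             # ass2
        ("bel", "A", ("ctrl", "S", KAB)),                   # ass6
        ("bel", "B", ("ctrl", "S", KAB)),                   # ass7
        ("bel", "A", ("ctrl", "S", ("fresh", KAB))),        # ass8
        ("bel", "A", ("fresh", "Na")),                      # ass9
        ("sees", "A", ("enc", "Kas", msg2)),                # Msg2
        ("sees", "B", ("enc", "Kbs", KAB)),                 # Msg3
        ("sees", "A", ("enc", "Kab", ("tup", "Nb", KAB))),  # Msg4
    }
    if b_assumes_fresh:
        facts.add(("bel", "B", ("fresh", KAB)))             # ass12
    return closure(facts)
```

Calling `needham_schroeder(b_assumes_fresh=False)` drops (ass12): B still derives that S once said the key, but can no longer derive belief in it, which is the extra assumption named in the conclusions. For Msg4 the engine applies MMR, FRS, NVR and BEL to the whole message rather than using (SAY) first, so its route to A's second-level belief differs slightly from the slides.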

Advantages of BAN Logic

• One of the earliest successful attempts at formally reasoning about authentication protocols.

• Huge success for formal methods in cryptography, useful tool

• Uncovered implicit assumptions and weaknesses in a number of protocols

• Involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met.

• Its strengths are the simplicity of its logic and its ease of use

Deficits of BAN Logic

• A belief logic is quite different from a knowledge logic. Knowledge logics have an axiom of the following form:

“If x knows p, then p is true.”

However, belief systems do not have this axiom, since a belief in p says nothing about the truth or falsity of p.

• Assumption that all principals taking part in a protocol are honest, in the sense that each principal believes in the truth of each message it sends. However, honesty is not a logical assumption to make.

• Served as a vehicle for extensive research and as the basis for the development of other logic systems