Formal Verication of Cryptographic Protocol & Tutorial on BAN Logic

Avinanta Tarigan

Center for Information Security Research

Gunadarma University

Avinanta Tarigan

BAN Logic

Security & Safety

Security is fun idea of :

attacking and defensing managing human's problem (user - attacker - designer )

Safety is also fun idea of :

preventing failures reacting upon failures managing human and environmental

Both is considered to be factor of dependability

Avinanta Tarigan

BAN Logic

Cryptography (review)

Algorithm to protect Also used to gain :

authentication integrity non repudiation

secrecy

of data

Includes :

algorithm

and

key(s)

In implementation requires a protocol (

Cryptographic Protocol )

Example: SSL, Kerberos, WPA, CHAP, Contract signing, E-voting, E-money.

Avinanta Tarigan

BAN Logic

Symmetric Crypt.

A B
Principal

: {M }K

ab
Kab M

sends

message

encrypted with shared-key

Key is shared between 2 Needs Fast

principals
easy

N 2 keys for N principals but key management is not

Avinanta Tarigan

BAN Logic

Asymmetric/Public Key Crypt.

A B
Principal

: {M }K

b
M Kb

sends

encrypted with

B 's

message

public-key

Only with

1 private-key K b ,B

can

Principal has its own must be keeped

secret

which is

decrypt M published and K 1 Certication

which

Key management is less dicult, requires

Authority

Avinanta Tarigan

BAN Logic

Cryptographic Protocol

Implementation of Cryptography Algorithm Achieving

security properties

(authentication,

secrecy, etc.) Example :

Needham-Schroeder (authentication) Kerberos (authentication) SSL/TLS (auth - secrecy )

Avinanta Tarigan

BAN Logic

Cryptographic Protocol

Example : Needham-Schroeder Protocol

M1 M2 M3 M4 M5

A S S A A B BA A B
Intoducing

A, B , Na : {Na , B , Kab , {Kab , A}Kbs }Kas : {Kab , A}Kbs : {Nb }Kab : {Nb 1}Kab Nonce (N )
:

Avinanta Tarigan

BAN Logic

Cryptographic Protocol

More example : Kerberos Protocol

M1 M2 M3 M4

A S S A A B BA

: : : :

A, B {Ts , L, B , Kab , {Ts , L, Kab , A}Kbs }Kas {Ts , L, Kab , A}Kbs , {A, Ta }Kab {Ta + 1}Kab
(T )
and Lifetime

Introducing TimeStamp

(L)

Used in many system, including Windows

Avinanta Tarigan

BAN Logic

Cryptographic Protocol

Problem :

Wrong design could lead to aw

Needham-Schroeder Protocol
SSLv1.0
Wrong implementation could lead to vulnerability

Padding problem in SSL, SSH, and WTLS

Vulnerability arise between two protection technologies (Anderson, Ross)

Avinanta Tarigan

BAN Logic

Formal Method for Crypt. Protocol I

Formal Methods are a particular kind of mathematically-based techniques for the specication, development and verication of algorithms, software and hardware systems Cryptographic Protocol is an algorithm that is using cryptographic operation that carries out security objective(s), i.e. :

Authentication Secrecy Key-Exchange Non-Repudiation

In this case it to prove correctness in achieving security properties that the protocol carry out, i.e :

to prove that Kerberos protocol does correct authentication as specied

Avinanta Tarigan BAN Logic

Formal Method for Crypt. Protocol II

There are two development approach :

Extention from method used in communication Newly developed method

Four classications : 1. General purpose tools 2. Logic based 3. Expert System 4. Algebraic approach

Avinanta Tarigan

BAN Logic

General Purpose Tools

Treated as ordinary communication protocol Adversary is explicit, capable in read, intercept, and modify messages Method : FSM, CSP, FDR, Petri Nets Example : Lotos, Ina Jo, Murphy

System State

INTRUDER

Avinanta Tarigan

BAN Logic

Using Expert System

Investigate every possible scenario of Attack - Flaw -

Defence
Needs to dene insecure states and

search

paths to them

More successful than General Purpose Tools Example : Interrogator by Millen, NRL Protocol Analyzer by Meadows, Longley and Rigby

Avinanta Tarigan

BAN Logic

Algebraic Approach

Capabilties in modeling knowledge which represents component in cryptographic operation (

messages )
Example :

Nonce, Key(s), and old

Dolev - Yao (term re-writing systems) S - Calculus by Abadi and Gordon (to prove secrecy)

Avinanta Tarigan

BAN Logic

Logic Based

One sees cryptographic protocol as distributed algorithm Develop logics from modal logic There are inference rules Goal is to derived statements which represents correct
condition

Example :

BAN Logic and GNY Logic

Avinanta Tarigan

BAN Logic

Books, Papers, and Links

Schneider et. al. Modelling and Analysis of Security Protocols Ross Anderson, Security Engineering Donald Mackenzie, Mechanizing Proof  Martin Abadi's papers at

http://www.cse.ucsc.edu/~abadi/allpapers.html#jsds
Papers at

http://chacs.nrl.navy.mil/projects/crypto.html

Avinanta Tarigan

BAN Logic

Tutorial on BAN Logic I

Burrows, Abadi, Needham, The Logic of Authentication, SRC Research Report 39, 1989. First attempt on Logic in verifying Authentication Protocols Developed using Epistemic Logic (Logic of Knowledge) Notation:

Principals : P , Q , R Specic Principals : Encryption Keys :

A, B , S

Specic Shared Key : Kab , Kas , Kbs Specic Public Key : Ka , Kb , Ks 1 , K 1 , K 1 Specic Private Key : Ka s b

Avinanta Tarigan

BAN Logic

Tutorial on BAN Logic II

Notation:
P P P

| X : P believes X
X

| X : P once said X P X : P has jurisdiction over X (X ) : Formula X is fresh Q : P and Q use shared-key K P : P has K as a public-key and corresponding
P

: P Sees X

private-key X P Q : Formula X is a secret known only to P and Q {X }K : Formula X encrypted under key K X Y : Y is proof of origin for X

as

Avinanta Tarigan

BAN Logic

Tutorial on BAN Logic III

Postulates Message Meaning :

K P | Q P , P {X }K P | Q | X K P | Q , P {X }K 1 P | Q | X Y P | Q P , P X Y P | Q | X

(1)

(2)

(3)

Nonce verication

P | (X ), P | Q | X P | Q | X
Avinanta Tarigan BAN Logic

(4)

Tutorial on BAN Logic IV

Jurisdiction

P | Q X , P | Q | X P | X P | X , P | X P | (X , Y )

(5)

Conjuction of belief

(6)

Some decompositions

P | (X , Y ) P | X P | Q | (X , Y ) P | Q | X P | Q | (X , Y ) P | Q | X
Avinanta Tarigan BAN Logic

(7)

(8)

(9)

Tutorial on BAN Logic V

More decompositions

P P

(X , Y )

(10)

X Y P X
{X }K

(11)

K P | Q P , P P X
more on decompositions ...

(12)

K P | P , P {X }K P X
Avinanta Tarigan BAN Logic

(13)

Tutorial on BAN Logic VI

K P | Q , P {X }K 1 P X
Nonce inuence (14)

P | (Y ) P | (Y , X )

(15)

Shared-Key Commutative

K P | R R K P | R R K P | Q | R R K P | Q | R R

(16)

(17)

Avinanta Tarigan

BAN Logic

Tutorial on BAN Logic VII

Shared-Secret Commutative

P | R P | R P | Q | R P | Q | R

X X X X

R R R R

(18)

(19)

Avinanta Tarigan

BAN Logic

Stages

Stages in using BAN proof :

1

Transform message into idealized logical formula

Skip the message parts that do not contribute to the receiver's beliefs
2 3

State assumptions about original message Make annotated idealized protocols for each protocol statement with assertions

4 5

Apply logical rules to assumptions and assertions Deduce beliefs held at the end of protocol

Avinanta Tarigan

BAN Logic

Idealization

To formalize and remove ambiguity in protocol bit string Skip the message parts that do not contribute to the receiver's beliefs Example :

A B : {A, Na , Kab }Kab

to

ab {Na , A B }Kab

Avinanta Tarigan

BAN Logic

Proving simple protocol I

Example : Otway Rees Protocol (1987)

M1 : M2 : M3 : M4 :

A B : M , A, B , {Na , M , A, B }Kas B S : M , A, B , {Na , M , A, B }Kas , {Nb , M , A, B }Kbs S B : M , {Na , Kab }Kas , {Nb , Kab }Kbs B A : M , {Na , Kab }Kas A B : {Na , Nc }Kas B S : {Na , Nc }Kas , {Nb , Nc }Kbs

Idealized into :

M1 : M2 : M3 :

Kab Kab S B : {Na , A B , B | Nc }Kas , {Nb , A B , A | Na }Kbs Kab M4 : B A : {Na , A B , B | Nc }Kas

Avinanta Tarigan

BAN Logic

Proving simple protocol II

We have assumptions :

Kas A | A S Kbs S | B S K B | S A B A | (Na ) Kas S | A S B | S A | X

Kbs B | B S Kab S | A B A | S B | X A | (Nc ) K A | S A B B | (Nb )

Avinanta Tarigan

BAN Logic

Proving simple protocol III

PROOF

We begin with M2
S

{Na , Nc }Kas , {Nb , Nc }Kbs

S S

{Na , Nc }Kas (a) {Nb , Nc }Kbs (b)

10

a. b.
and then M3

{Na , Nc }Kas
S

as | A S

| A | (Na , Nc )
S

{Nb , Nc }Kbs
S

bs S | B

| B | (Nb , Nc )

Avinanta Tarigan

BAN Logic

Proving simple protocol IV

B

ab {Nb , A B , A | Nc }Kbs
B

bs | B S

ab | S | (Nb , A B , A | Nc )
B B

1
B

ab | (A B , A | Nc )

| (Nb )

15

ab | S | (A B , A | Nc )
B

4 7

ab | S | A B (a) B | S | A | Nc (b)

from M3

a.

ab | S | A B
B

| S A B

b.

| S

ab | A B | A | Nc B | S A | X
B

| A | Nc

after that M4 :

Avinanta Tarigan

BAN Logic

Proving simple protocol V

A

ab {Na , A B , B | Nc }Kas
A

as | A S

ab | S | (Na , A B , B | Nc )
A A

1
A

| (A B , B | Nc )

Kab

| (Na )

15

ab | S | (A B , B | Nc )
A

4 7

ab | S | A B (a) A | S | B | Nc (b)

from M4

a.

ab B | S | A
A

| S A B

| A B

Kab

b.

| S | B | Nc A | S B | X A | B | Nc
A

| (Nc )

| B | Nc

Avinanta Tarigan

BAN Logic

Limitations

BAN does not catch all protocol aws

False-positives can result

A principal's beliefs cannot be changed at later stages of the protocol

No division of time in protocol run

Provides a proof of trust on part of principles, but not a proof of security

Final beliefs can be believed only if all original assumptions hold true
BAN does not account for improper encryption

Avinanta Tarigan

BAN Logic

The End

Thank You Vielen Dank Tack s Mycket Matur Nuwun Terimakasih

Avinanta Tarigan

BAN Logic