Post on 22-Dec-2015
Information Security of Embedded Systems
10.2.2010: BAN-Logic
Prof. Dr. Holger Schlingloff
Institut für Informatik and Fraunhofer FIRST
10.2.2010Embedded Security © Prof. Dr. H. Schlingloff 2010 2
Symmetric keys with authentication server
Structure
1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods
BAN Logic
• M. Burrows, M. Abadi, R. Needham: "A Logic of Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, pp. 18-36, February 1990
  - a formal method for verifying that two principals (people, computers, services) are entitled to believe they are communicating with each other and not with intruders
• Goal: Formally prove security of authentication protocols
  - make hidden assumptions explicit
  - exhibit design flaws
  - support trust in the correctness
Main Purposes of BAN Logic
• BAN logic helps to prove whether or not a protocol meets its security goals
• BAN logic helps make protocols more efficient by eliminating messages, contents of messages, or encryptions of messages
  - Despite eliminating them, the security goals can still be reached
• BAN logic helps clarify the protocol's assumptions by formally stating them
slides / text from http://www.lix.polytechnique.fr/~catuscia/teaching/cg597/01Fall/lecture_notes/BAN_Logic.ppt#256,1, BAN LOGIC
Modal Logic of Belief
• BAN logic concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes
• The steps of BAN logic to analyze the original protocol are as follows:
  1) The protocol is transformed into some "idealized" form
  2) Identify the initial assumptions in the language of BAN logic
  3) Use the postulates and rules of the logic to deduce new predicates
  4) Interpret the statements you've proved by the process: Have the original goals been met?
Formalism
Basic Notation
• Formalism built on several sorts of objects: principals, encryption keys, and formulas (statements)
• A, B, and S denote specific principals
• Kab, Kas, and Kbs denote specific shared keys
• Kb, Ka, and Ks denote specific public keys
• Kb⁻¹, Ka⁻¹, and Ks⁻¹ denote corresponding secret keys
• Na, Nb, Nc denote specific statements
• P, Q, and R range over principals
• X and Y range over statements
• K ranges over encryption keys
Formalism
P |≡ X    P believes X. P would be entitled to believe X. The principal P may act as though X is true.
P ◁ X     P sees X. P can read the contents of X (possibly after decryption, assuming P has the needed keys) and P can include X in messages to other principals.
P |~ X    P once said X: P at some time sent a message including the statement X. It is not known when the message was sent (in the past or in the current run of the protocol) but P believed that X was true when it sent the message.
P |⇒ X    P controls X. P has jurisdiction over X. P is a trusted authority on the truth of X.
#(X)      X is fresh. X is fresh if it is not contained in any message sent in the past.
Basic Notation
P <-K-> Q    K is a shared key for P and Q. K is a secure key for communication between P and Q, and it will never be discovered by any principal except for P or Q, or a principal trusted by either P or Q.
|-K-> P      K is a public key for P. The matching secret key (the inverse of K, denoted by K⁻¹) will never be discovered by any principal except P, or a principal trusted by P.
{X}K         X encrypted under K. It represents the message X encrypted using the key K.
Formalism
• (Hilbert-style) derivation system consists of axioms and inference rules
• "All humans are mortal", "Socrates is human" |- "Socrates is mortal"
• Statement Z follows from a conjunction of statements X and Y

    (X, Y)
    _________
    Z
Inference rules (1)
• Message meaning rule (MMR): This rule concerns the interpretation of messages. It helps to explain the origin of the messages.

    P |≡ Q <-K-> P,   P ◁ {X}K
    ____________________________
    P |≡ Q |~ X

• Nonce-verification rule (NVR): This rule checks that a message is recent, and also checks if the sender still believes in it.

    P |≡ #(X),   P |≡ Q |~ X
    ____________________________
    P |≡ Q |≡ X
Inference rules (2)
• Jurisdiction rule (JUR): This rule states what it means for a principal to be the trusted authority on the truth of X.

    P |≡ Q |⇒ X,   P |≡ Q |≡ X
    ____________________________
    P |≡ X

• Belief rules (BEL): The rules state that a principal believes a collection of statements if and only if it believes each of the statements individually.

    A)  P |≡ X,   P |≡ Y
        ____________________
        P |≡ (X, Y)

    B)  P |≡ (X, Y)
        ____________________
        P |≡ X

    C)  P |≡ Q |≡ (X, Y)
        ____________________
        P |≡ Q |≡ X

    etc.
Inference rules (3)
• Saying rules (SAY): These rules say that a principal sees all the components of every message it sees, provided that the principal knows the necessary key.

    A)  P ◁ (X, Y)
        ____________________
        P ◁ X

    B)  P |≡ Q <-K-> P,   P ◁ {X}K
        ______________________________
        P ◁ X

• Freshness rule (FRS): This rule states that any message with a fresh component is also fresh.

    P |≡ #(X)
    ____________________
    P |≡ #(X, Y)
Idealized Protocols
• Typical protocol step: P → Q : message
  Example: A → B : {A, Kab}Kbs
• Transform each protocol into an idealized form
  1. Omit the parts of the message that do not contribute to the beliefs of the recipient
  2. Omit clear text communication because it can be forged
Idealized version:

    A → B : {A <-Kab-> B}Kbs

When the message is sent to B it can be deduced that:

    B ◁ {A <-Kab-> B}Kbs

The receiving principal becomes aware of the message (sees the message) and can act upon it
Goals of Authentication
• Authentication rests on communication protected by a shared session key, so the goals of authentication may be reached between A and B if there is a K such that:

    A |≡ A <-K-> B        B |≡ A <-K-> B

• However, often we want to achieve more:

    A |≡ B |≡ A <-K-> B        B |≡ A |≡ A <-K-> B

  principals are mutually convinced of authenticity
Steps in Protocol Analysis
• Derive the idealized protocol from the original one
• Write assumptions about the initial state
• Use the postulates and rules of the logic to deduce new predicates
• This is repeated through all the protocol messages
• Determine if goals of authentication have been met
Analysis of Needham-Schröder
• Original version without idealization
    Message 1   A → S: (A, B, NA)
    Message 2   S → A: {NA, B, KAB, {KAB, A}KBS}KAS
    Message 3   A → B: {KAB, A}KBS
    Message 4   B → A: {NB}KAB
    Message 5   A → B: {NB - 1}KAB
• Idealized version
    (Msg2) S → A:   A ◁ {NA, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs}Kas
    (Msg3) A → B:   B ◁ {A <-Kab-> B}Kbs
    (Msg4) B → A:   A ◁ {NB, (A <-Kab-> B)}Kab from B
    (Msg5) A → B:   B ◁ {NB, (A <-Kab-> B)}Kab from A
Initial assumptions
(ass1)  A |≡ A <-Kas-> S
(ass2)  B |≡ B <-Kbs-> S
(ass3)  S |≡ A <-Kas-> S
(ass4)  S |≡ B <-Kbs-> S
(ass5)  S |≡ A <-Kab-> B
(ass6)  A |≡ (S |⇒ A <-Kab-> B)
(ass7)  B |≡ (S |⇒ A <-Kab-> B)
(ass8)  A |≡ (S |⇒ #(A <-Kab-> B))
(ass9)  A |≡ #(Na)
(ass10) B |≡ #(Nb)
(ass11) S |≡ #(A <-Kab-> B)
(ass12) B |≡ #(A <-Kab-> B)
Analysis (1)
(Msg2) A ◁ {Na, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs}Kas
(ass1) A |≡ A <-Kas-> S
Rule (MMR):

    P |≡ Q <-K-> P,   P ◁ {X}K
    ____________________________
    P |≡ Q |~ X

With (ass1), (MMR) and (Msg2):
(1) A |≡ S |~ (Na, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs)
Analysis (2)
(ass9) A |≡ #(Na)
Rule (FRS):

    P |≡ #(X)
    ____________________
    P |≡ #(X, Y)

Hence:
(2) A |≡ #(Na, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs)
Analysis (3)
(1) A |≡ S |~ (Na, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs)
(2) A |≡ #(Na, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs)
Rule (NVR):

    P |≡ #(X),   P |≡ Q |~ X
    ____________________________
    P |≡ Q |≡ X

(3) A |≡ S |≡ (Na, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs)
Analysis (4)
(3) A |≡ S |≡ (Na, (A <-Kab-> B), #(A <-Kab-> B), {A <-Kab-> B}Kbs)
Rule (BEL):

    P |≡ Q |≡ (X, Y)
    ____________________
    P |≡ Q |≡ X

(4) A |≡ S |≡ (A <-Kab-> B)
and:
(5) A |≡ S |≡ #(A <-Kab-> B)
Analysis (5)
(4) A |≡ S |≡ (A <-Kab-> B)
(5) A |≡ S |≡ #(A <-Kab-> B)
(ass6) A |≡ (S |⇒ A <-Kab-> B)
(ass8) A |≡ (S |⇒ #(A <-Kab-> B))
Rule (JUR):

    P |≡ Q |⇒ X,   P |≡ Q |≡ X
    ____________________________
    P |≡ X

(6) A |≡ (A <-Kab-> B) and (7) A |≡ #(A <-Kab-> B)
Analysis (6)
(Msg3) B ◁ {A <-Kab-> B}Kbs
(ass2) B |≡ S <-Kbs-> B
(MMR)

    P |≡ Q <-K-> P,   P ◁ {X}K
    ____________________________
    P |≡ Q |~ X

(8) B |≡ S |~ {A <-Kab-> B}Kbs
Analysis (7)
(ass12) B |≡ #(A <-Kab-> B)
(8) B |≡ S |~ {A <-Kab-> B}Kbs
We can apply (NVR):

    P |≡ #(X),   P |≡ Q |~ X
    ____________________________
    P |≡ Q |≡ X

And derive:
(9) B |≡ S |≡ {A <-Kab-> B}
Analysis (8)
Recall the assumption:
B |≡ (S |⇒ A <-Kab-> B)
Also recall the derived formula above stating:
B |≡ S |≡ {A <-Kab-> B}
We can apply the jurisdiction rule which is:

    P |≡ Q |⇒ X,   P |≡ Q |≡ X
    ____________________________
    P |≡ X

And we can derive:
(10) B |≡ {A <-Kab-> B}
Analysis (9)
Now we can apply the logical postulate rules to the next message with assumptions
(Msg4) B → A: {Nb, (A <-Kab-> B)}Kab
We can then say that:
A ◁ {Nb, (A <-Kab-> B)}Kab
We can use (SAY):

    P ◁ (X, Y)
    ____________________
    P ◁ X

We can then derive that:
A ◁ {(A <-Kab-> B)}Kab
Analysis (10)
Previously we obtained:
A |≡ (B <-Kab-> A)
Also recall the result that we just obtained in the previous step:
A ◁ {(A <-Kab-> B)}Kab
We can apply the message meaning rule:

    P |≡ Q <-K-> P,   P ◁ {X}K
    ____________________________
    P |≡ Q |~ X

Finally, we can deduce that:
A |≡ B |~ (A <-Kab-> B)
Analysis (11)
Recall a previous result we obtained:
A |≡ #(A <-Kab-> B)
Also recall the result that we just obtained in the previous step:
A |≡ B |~ (A <-Kab-> B)
We can apply the nonce-verification rule:

    P |≡ #(X),   P |≡ Q |~ X
    ____________________________
    P |≡ Q |≡ X

We then obtain:
A |≡ B |≡ (A <-Kab-> B)
In a similar manner, we can also derive that:
B |≡ A |≡ (A <-Kab-> B)
Conclusions of Analysis
The goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key Kab and that moreover they each believe that the other believes it

    B |≡ A <-K-> B (msg 3)        A |≡ A <-K-> B (msg 2)

We also achieve this final goal:

    A |≡ B |≡ A <-K-> B (msg 4)        B |≡ A |≡ A <-K-> B (msg 4)

Our analysis achieves these results, since we have derived these goals.
This authentication protocol has an extra assumption, which is that B assumes the key B receives from A is fresh. So the Needham-Schroeder protocol had this flaw in it.
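The derivation on the Analysis slides can be checked mechanically. The Python sketch below is an added example, not part of the lecture: it encodes terms as tuples (an assumption of this sketch), applies the slide rules by forward chaining to the idealized messages, and shows that B's belief in Kab is no longer derivable once (ass12) is dropped. S's own beliefs (ass3-5, ass11) are omitted because no rule application uses them.

```python
# Added sketch: forward chaining over the BAN rules MMR, SAY, FRS, NVR, BEL, JUR.
# The tuple encoding of terms is an assumption of this example, not lecture material.
def key(k, p, q): return ("key", k) + tuple(sorted((p, q)))   # P <-K-> Q
def bel(p, x): return ("bel", p, x)                             # P |≡ X
def parts(x): return x[1:] if x[0] == "tup" else ()             # components of (X, Y)

def step(f):
    new = set()
    for t in f:
        if t[0] == "sees":
            _, p, m = t
            new |= {("sees", p, c) for c in parts(m)}                  # SAY A
            for k in f if m[0] == "enc" else ():
                if k[:2] == ("bel", p) and k[2][0] == "key" \
                        and k[2][1] == m[1] and p in k[2][2:]:
                    q = next(r for r in k[2][2:] if r != p)
                    new |= {bel(p, ("said", q, m[2])), ("sees", p, m[2])}  # MMR, SAY B
        elif t[0] == "bel":
            _, p, x = t
            if x[0] == "said":
                _, q, m = x
                if any(bel(p, ("fresh", c)) in f for c in parts(m)):
                    new.add(bel(p, ("fresh", m)))                      # FRS
                if bel(p, ("fresh", m)) in f:
                    new.add(bel(p, bel(q, m)))                         # NVR
            elif x[0] == "bel":
                _, q, y = x
                new |= {bel(p, bel(q, c)) for c in parts(y)}           # BEL C
                if bel(p, ("ctrl", q, y)) in f:
                    new.add(bel(p, y))                                 # JUR
    return new

def closure(facts):
    f = set(facts)
    while not (n := step(f)) <= f:   # repeat until no rule yields a new fact
        f |= n
    return f

KAB = key("Kab", "A", "B"); FR = ("fresh", KAB); TICKET = ("enc", "Kbs", KAB)
def needham_schroeder(with_ass12=True):
    facts = {bel("A", key("Kas", "A", "S")), bel("B", key("Kbs", "B", "S")),  # ass1, ass2
        bel("A", ("ctrl", "S", KAB)), bel("B", ("ctrl", "S", KAB)),           # ass6, ass7
        bel("A", ("ctrl", "S", FR)),                                          # ass8
        bel("A", ("fresh", "Na")), bel("B", ("fresh", "Nb")),                 # ass9, ass10
        ("sees", "A", ("enc", "Kas", ("tup", "Na", KAB, FR, TICKET))),        # Msg2
        ("sees", "B", TICKET),                                                # Msg3
        ("sees", "A", ("enc", "Kab", ("tup", "Nb", KAB))),                    # Msg4
        ("sees", "B", ("enc", "Kab", ("tup", "Nb", KAB)))}                    # Msg5
    return closure(facts | ({bel("B", FR)} if with_ass12 else set()))         # ass12
```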
Advantages of BAN Logic
• One of the earliest successful attempts at formally reasoning about authentication protocols.
• Huge success for formal methods in cryptography, useful tool
• Uncovered implicit assumptions and weaknesses in a number of protocols
• Involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met.
• Strengths are the simplicity of its logic and its ease of use
Deficits of BAN Logic
• Belief logic is much different from a knowledge logic. Knowledge logics have an axiom of the following form: "If x knows p, then p is true." However, belief systems do not have this axiom, since a belief in p says nothing about the truth or falsity of p.
• Assumption that all principals taking part in a protocol are honest, in the sense that each principal believes in the truth of each message it sends. However, honesty is not a logical assumption to make
• Vehicle for extensive research in the areas for basis and development of other logic systems