Ban Logic Tutorial
Avinanta Tarigan
BAN Logic
Cryptography (review)
secrecy of data
Includes: algorithm and key(s)
Cryptographic Protocol
Symmetric Crypt.
$A \to B : \{M\}_{K_{ab}}$
[Figure annotations: principal, sends, message $M$, key $K_{ab}$, principals, easy]
$A \to B : \{M\}_{K_b}$
Principal $A$ sends message $M$ encrypted with $B$'s public-key $K_b$
Only with private-key $K_b^{-1}$, $B$ can
[Figure annotations: secret, which is, which, Authority]
Cryptographic Protocol
security properties
(authentication,
Cryptographic Protocol
Introducing Nonce ($N$):
$A \to S : A, B, N_a$
$S \to A : \{N_a, B, K_{ab}, \{K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
$A \to B : \{K_{ab}, A\}_{K_{bs}}$
$B \to A : \{N_b\}_{K_{ab}}$
$A \to B : \{N_b - 1\}_{K_{ab}}$
Cryptographic Protocol
Introducing TimeStamp ($T$) and Lifetime ($L$):
$A \to S : A, B$
$S \to A : \{T_s, L, B, K_{ab}, \{T_s, L, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
$A \to B : \{T_s, L, K_{ab}, A\}_{K_{bs}}, \{A, T_a\}_{K_{ab}}$
$B \to A : \{T_a + 1\}_{K_{ab}}$
Cryptographic Protocol
Problem :
Needham-Schroeder Protocol
SSLv1.0
Wrong implementation could lead to vulnerability
System State
INTRUDER
Defence
Needs to define insecure states and search paths to them
More successful than General Purpose Tools
Example: Interrogator by Millen, NRL Protocol Analyzer by Meadows, Longley and Rigby
Algebraic Approach
messages )
Example :
Dolev - Yao (term re-writing systems)
Spi-Calculus by Abadi and Gordon (to prove secrecy)
Logic Based
One sees cryptographic protocol as distributed algorithm
Develop logics from modal logic
There are inference rules
Goal is to derive statements which represent correct condition
Example :
Schneider et al., Modelling and Analysis of Security Protocols
Ross Anderson, Security Engineering
Donald Mackenzie, Mechanizing Proof
Martin Abadi's papers at http://www.cse.ucsc.edu/~abadi/allpapers.html#jsds
Papers at http://chacs.nrl.navy.mil/projects/crypto.html
$A, B, S$
Specific Shared Key: $K_{ab}, K_{as}, K_{bs}$
Specific Public Key: $K_a, K_b, K_s$
Specific Private Key: $K_a^{-1}, K_b^{-1}, K_s^{-1}$
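$P \mid\equiv X$ : $P$ believes $X$
$P \triangleleft X$ : $P$ sees $X$
$P \mid\sim X$ : $P$ once said $X$
$P \Rightarrow X$ : $P$ has jurisdiction over $X$
$\#(X)$ : Formula $X$ is fresh
$P \stackrel{K}{\leftrightarrow} Q$ : $P$ and $Q$ use shared-key $K$
$\stackrel{K}{\mapsto} P$ : $P$ has $K$ as a public-key and corresponding private-key
$P \stackrel{X}{\rightleftharpoons} Q$ : Formula $X$ is a secret known only to $P$ and $Q$
$\{X\}_K$ : Formula $X$ encrypted under key $K$
$\langle X \rangle_Y$ : $Y$ is proof of origin for $X$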
as
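$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X} \tag{1}$$

$$\frac{P \mid\equiv\ \stackrel{K}{\mapsto} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P \mid\equiv Q \mid\sim X} \tag{2}$$

$$\frac{P \mid\equiv Q \stackrel{Y}{\rightleftharpoons} P,\quad P \triangleleft \langle X \rangle_Y}{P \mid\equiv Q \mid\sim X} \tag{3}$$

Nonce verification

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X} \tag{4}$$

$$\frac{P \mid\equiv Q \Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X} \tag{5}$$

Conjunction of belief

$$\frac{P \mid\equiv X,\quad P \mid\equiv Y}{P \mid\equiv (X, Y)} \tag{6}$$

Some decompositions

$$\frac{P \mid\equiv (X, Y)}{P \mid\equiv X} \tag{7}$$

$$\frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X} \tag{8}$$

$$\frac{P \mid\equiv Q \mid\sim (X, Y)}{P \mid\equiv Q \mid\sim X} \tag{9}$$

$$\frac{P \triangleleft (X, Y)}{P \triangleleft X} \tag{10}$$

$$\frac{P \triangleleft \langle X \rangle_Y}{P \triangleleft X} \tag{11}$$

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X} \tag{12}$$

more on decompositions ...

$$\frac{P \mid\equiv\ \stackrel{K}{\mapsto} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X} \tag{13}$$

$$\frac{P \mid\equiv \#(Y)}{P \mid\equiv \#(Y, X)} \tag{15}$$

Shared-Key Commutative

$$\frac{P \mid\equiv R \stackrel{K}{\leftrightarrow} R'}{P \mid\equiv R' \stackrel{K}{\leftrightarrow} R} \tag{16}$$

$$\frac{P \mid\equiv Q \mid\equiv R \stackrel{K}{\leftrightarrow} R'}{P \mid\equiv Q \mid\equiv R' \stackrel{K}{\leftrightarrow} R} \tag{17}$$

Shared-Secret Commutative

$$\frac{P \mid\equiv R \stackrel{X}{\rightleftharpoons} R'}{P \mid\equiv R' \stackrel{X}{\rightleftharpoons} R} \tag{18}$$

$$\frac{P \mid\equiv Q \mid\equiv R \stackrel{X}{\rightleftharpoons} R'}{P \mid\equiv Q \mid\equiv R' \stackrel{X}{\rightleftharpoons} R} \tag{19}$$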
Stages
Skip the message parts that do not contribute to the receiver's beliefs
2. State assumptions about original message
3. Make annotated idealized protocols for each protocol statement with assertions
4. Apply logical rules to assumptions and assertions
5. Deduce beliefs held at the end of protocol
Idealization
To formalize and remove ambiguity in protocol bit string
Skip the message parts that do not contribute to the receiver's beliefs
Example: $\{N_a, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$
M1: $A \to B : M, A, B, \{N_a, M, A, B\}_{K_{as}}$
M2: $B \to S : M, A, B, \{N_a, M, A, B\}_{K_{as}}, \{N_b, M, A, B\}_{K_{bs}}$
M3: $S \to B : M, \{N_a, K_{ab}\}_{K_{as}}, \{N_b, K_{ab}\}_{K_{bs}}$
M4: $B \to A : M, \{N_a, K_{ab}\}_{K_{as}}$

Idealized into:

M1: $A \to B : \{N_a, N_c\}_{K_{as}}$
M2: $B \to S : \{N_a, N_c\}_{K_{as}}, \{N_b, N_c\}_{K_{bs}}$
M3:
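We begin with M2 (rule 10):

a. $$\frac{S \triangleleft \{N_a, N_c\}_{K_{as}},\quad S \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S}{S \mid\equiv A \mid\sim (N_a, N_c)}$$

b. $$\frac{S \triangleleft \{N_b, N_c\}_{K_{bs}},\quad S \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S}{S \mid\equiv B \mid\sim (N_b, N_c)}$$

and then M3:

Rule 1:
$$\frac{B \triangleleft \{N_b, A \stackrel{K_{ab}}{\leftrightarrow} B, A \mid\sim N_c\}_{K_{bs}},\quad B \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S}{B \mid\equiv S \mid\sim (N_b, A \stackrel{K_{ab}}{\leftrightarrow} B, A \mid\sim N_c)}$$

Rule 15:
$$\frac{B \mid\equiv \#(N_b)}{B \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B, A \mid\sim N_c)}$$

Rules 4, 7:
$$B \mid\equiv S \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B, A \mid\sim N_c)$$
$$B \mid\equiv S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B \quad (a) \qquad B \mid\equiv S \mid\equiv A \mid\sim N_c \quad (b)$$

from M3

a. $$\frac{B \mid\equiv S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B,\quad B \mid\equiv S \Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B}{B \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B}$$

b. $$\frac{B \mid\equiv S \mid\equiv A \mid\sim N_c,\quad B \mid\equiv S \Rightarrow A \mid\sim X}{B \mid\equiv A \mid\sim N_c}$$

after that M4:

Rule 1:
$$\frac{A \triangleleft \{N_a, A \stackrel{K_{ab}}{\leftrightarrow} B, B \mid\sim N_c\}_{K_{as}},\quad A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S}{A \mid\equiv S \mid\sim (N_a, A \stackrel{K_{ab}}{\leftrightarrow} B, B \mid\sim N_c)}$$

Rule 15:
$$\frac{A \mid\equiv \#(N_a)}{A \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B, B \mid\sim N_c)}$$

Rules 4, 7:
$$A \mid\equiv S \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B, B \mid\sim N_c)$$
$$A \mid\equiv S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B \quad (a) \qquad A \mid\equiv S \mid\equiv B \mid\sim N_c \quad (b)$$

from M4

a. $$\frac{A \mid\equiv S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B,\quad A \mid\equiv S \Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B}{A \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B}$$

b. $$\frac{A \mid\equiv S \mid\equiv B \mid\sim N_c,\quad A \mid\equiv S \Rightarrow B \mid\sim X}{A \mid\equiv B \mid\sim N_c}$$

$$\frac{A \mid\equiv \#(N_c),\quad A \mid\equiv B \mid\sim N_c}{A \mid\equiv B \mid\equiv N_c}$$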
Limitations
Final beliefs can be believed only if all original assumptions hold true
BAN does not account for improper encryption
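The M4 analysis and the first limitation, mechanised as an added example that is not part of the original slides: a small forward-chaining engine applying message meaning (1), freshness (15), nonce verification (4), decomposition and jurisdiction (5). The tuple encoding and the names key, step, analyse_m4 and A_HAS_KAB are assumptions of this example.

```python
# Added example, not from the slides; tuple encoding and names are assumptions.

def key(k, p, q):
    # Shared key k between p and q; sorting makes P<-k->Q equal to Q<-k->P.
    return ("key", k) + tuple(sorted((p, q)))

def step(facts):
    """One pass of the rules over beliefs; returns formulas not yet known."""
    new = set()
    for f in facts:
        if f[0] != "believes":
            continue
        p, x = f[1], f[2]
        if x[0] == "key" and p in x[2:]:
            # (1) message meaning: P believes Q<-K->P, P sees {X}K => P believes Q said X
            q = x[3] if x[2] == p else x[2]
            for g in facts:
                if g[0] == "sees" and g[1] == p and g[2][:2] == ("enc", x[1]):
                    new.add(("believes", p, ("said", q, g[2][2])))
        if x[0] == "said" and x[2][0] == "and":
            # (15) freshness, applied only to conjunctions P believes were said
            if any(("believes", p, ("fresh", y)) in facts for y in x[2][1:]):
                new.add(("believes", p, ("fresh", x[2])))
        if x[0] == "said" and ("believes", p, ("fresh", x[2])) in facts:
            # (4) nonce verification: fresh X that Q said => P believes Q believes X
            new.add(("believes", p, ("believes", x[1], x[2])))
        if x[0] == "believes" and x[2][0] == "and":
            # decomposition: P believes Q believes (X, Y) => P believes Q believes X
            new.update(("believes", p, ("believes", x[1], y)) for y in x[2][1:])
        if x[0] == "believes" and ("believes", p, ("controls", x[1], x[2])) in facts:
            # (5) jurisdiction: P believes Q controls X, P believes Q believes X
            new.add(("believes", p, x[2]))
    return new - facts

def analyse_m4(na_is_fresh=True):
    """Beliefs of A after idealized M4: A sees {Na, A<-Kab->B, B said Nc}Kas."""
    kab = key("Kab", "A", "B")
    facts = {("believes", "A", key("Kas", "A", "S")),
             ("believes", "A", ("controls", "S", kab)),
             ("sees", "A", ("enc", "Kas", ("and", "Na", kab, ("said", "B", "Nc"))))}
    if na_is_fresh:
        facts.add(("believes", "A", ("fresh", "Na")))
    while True:  # iterate to a fixed point
        new = step(facts)
        if not new:
            return facts
        facts |= new

A_HAS_KAB = ("believes", "A", key("Kab", "A", "B"))
```

With na_is_fresh=False the engine stops at "A believes S said (...)": without the freshness assumption the message could be a replay, so A never comes to believe in Kab.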
The End