Design of key establishment protocols
- basic concepts, definitions, and classification
- examples (Wide-Mouth-Frog, Needham-Schroeder protocols) - robustness principles
- formal analysis and the BAN logic
“… our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment.”
-- Ross Anderson and Roger Needham, Programming Satan’s computer
© Levente Buttyán 2
Goal and motivitaion
goal of key establishment protocols
– to setup a shared secret between two (or more) parties in a dynamic way
– established shared secret is used as a session key to protect communication between the parties
motivation for use of session keys – to limit available ciphertext for cryptanalysis
– to limit exposure caused by the compromise of a session key – to avoid long-term storage of a large number of secret keys (keys
are created on-demand when actually required) – to create independence across communication sessions or
applications
Basic concepts, definitions, and classification
© Levente Buttyán 3
Basic classification
key transport protocols
– one party creates or otherwise obtains a secret value, and securely transfers it to the other party
key agreement protocols
– a shared secret is derived by the parties as a function of information contributed by each, such that no party can predetermine the resulting value
Basic concepts, definitions, and classification
© Levente Buttyán 4
Further protocol characterestics
provided guarantees – entity authentication
• one party is assured about the identity of a second party with which it is communicating
– implicit key authentication
• one party is assured that no other party aside from a specifically identified second party (and possibly some trusted third parties) may gain access to the established session key
– key confirmation
• one party is assured that a second (possibly unidentified) party actually possesses the session key
• possession of a key can be demonstrated by – producing a one- way hash value of the key or – encryption of known data with the key – explicit key authentication
• implicit key authentication + key confirmation – key freshness
• one party is assured that the key is new (never used before)
Basic concepts, definitions, and classification
© Levente Buttyán 5
Further protocol characterestics
reciprocity
– guarantees are provided unilaterally – guarantees are provided mutually efficiency
– number of message exchanges (passes) required – total number of bits transmitted (i.e., bandwidth used) – complexity of computations by each party
– possibility of pre-computations to reduce on-line computational complexity
third party requirements
– on-line, off-line, or no third party at all – degree and type of trust required in the third party system setup
– distribution of initial keying material
Basic concepts, definitions, and classification
© Levente Buttyán 6
Attacker model
it is assumed that the underlying cryptographic primitives (such as encryption, hash functions, etc) used in the protocol are secure
– the attacker is not a cryptanalyst, but someone who tries to subvert the protocol objectives by defeating the manner in which the crypto primitives are combined in the protocol
it is assumed that the network used by the protocol parties is under the full control of the attacker
– essentially, honest parties send and receive messages to and from the attacker who can decide whether to pass them on or carry out some of the following actions (with no noticeable delay):
• eavesdrop messages (passively)
• delete, insert, and modify messages
• replay old messages (recorded in the past)
• initiate one or more executions of the protocol
• participate in multiple concurrent protocol executions and interleave messages from different executions
Basic concepts, definitions, and classification
© Levente Buttyán 7
Attacker model
objectives of the attacker – deduce a long-term key
• the attacker obtains the long-term key of a honest party A – deduce a session key
• the attacker obtains a session key shared between two honest parties A and B
– masquerade as a honest party B to A
• A believes that he established a session key with B, but in fact he established the key with the attacker
– deceive a honest party A regarding the identity of the other party
• A believes that he established a session key with B, but in fact he established the key with another honest party C
• the attacker does not know the established session key
Basic concepts, definitions, and classification
© Levente Buttyán 8
Attacker model
sometimes it is assumed that the attacker has access to additional information beyond what is generally available
– compromise of past session keys
• obviously, the corresponding session is compromised
• can this be used by the attacker to compromise – future or past sessions?
– long- term secrets?
– compromise of long-term secrets (symmetric keys or private keys)
• obviously, owners of compromised keys can be impersonated in future sessions
• can this be used by the attacker to compromise past sessions?
(break-backward protection or perfect forward secrecy)
Basic concepts, definitions, and classification
© Levente Buttyán 9
The Wide- Mouth- Frog protocol
Alice Server Bob
generate k
A, EKas( B, k, Ta )
EKbs( A, k, Ts ) summary: a simple key transport protocol that uses a trusted third party
Alice generates the session key and sends it to Bob via the trusted third party
characteristics:unilateral entity authentication of Alice mutual implicit key authentication no key confirmation
key freshness with timestamps (flawed) key control for Alice
on- line third party trusted for secure relaying of keys and verification of freshness
initial long- term keys between the parties and the server are required
Examples / Wide-Mouth-Frog
© Levente Buttyán 10
A flaw in the Wide- Mouth- Frog protocol
summary:after observing one run of the protocol, Trudy can continuously use the Server as an oracle until she wants to bring about re- authentication between Alice and Bob
B, EKbs( A, k, Ts) EKas( B, k, Ts(1)) A, EKas( B, k, Ts(1))
EKbs( A, k, Ts(2))
... EKbs( A, k, Ts(n)) Bob Trudy
Server
Examples / Wide-Mouth-Frog
© Levente Buttyán 11
The Needham- Schroeder protocol
Alice Server Bob
A, B, ra
generate k EKas(ra, B, k, EKbs(k, A))
EKbs(k, A) Ek(rb) Ek(rb- 1)
summary: Alice requests a session key from the Server; the Server generates the key and sends it to Alice and to Bob via Alice; Alice and Bob performs entity authentication and key confirmation
characteristics:mutual entity authentication, mutual explicit key authentication, key freshness with fresh random numbers (flawed), on- line third party trusted for generation of session keys, initial long- term keys between the parties and the server are required
Examples / Symmetric key Needham-Schroeder
© Levente Buttyán 12
A flaw in the Needham - Schroeder protocol
Trudy Bob
EKbs(k, A) Ek(rb’) Ek(rb’ - 1) Alice
assumption: Trudy recorded a successful run of the protocol and compromised the session key k; thus, she knows k and EKbs(k, A)
summary: Trudy masquerades as Alice to Bob and makes Bob accept the old and compromised session key k
Examples / Symmetric key Needham-Schroeder
© Levente Buttyán 13
The Needham- Schroeder public- key protocol
Bob PKb(ra, A)
PKa(ra, rb) PKb( rb) Alice
summary:originally a challenge- response type mutual authentication protocol based on public- key encryption only (no signatures); however, since the random numbers exchanged never appear in clear, it was suggested to derive a session key from them
key derivation: both party computes k = f(ra, rb)
characteristics:mutual entity authentication, mutual implicit key authentication (flawed), no key confirmation, key freshness with random numbers, no party can control the key, off- line third party for issuing public key certificates may be required, initial exchange of public keys between the parties may be required
Examples / Asymmetric key Needham-Schroeder
© Levente Buttyán 14
Lowe’s attack
Alice Bob PKm(ra, A)
PKa(ra, rb) PKm( rb)
PKb( rb) PKb(ra, A) PKa(ra, rb) Mallory assumption: Mallory is a malicious user, his public key is Km
summary: when Alice starts the protocol with Mallory, he can masquerade as Alice to Bob;
Mallory uses Alice as an oracle to decrypt a message received from Bob;
if the protocol is used for key establishment, then Bob falsely believes that he shares a secret key with Alice, but indeed he shares it with Mallory
Examples / Asymmetric key Needham-Schroeder
Robustness principles
- names - encryption - timeliness
- recognizing messages and encodings - trust
© Levente Buttyán 16
Robustness principles
informal guidelines for engineering key establishment protocols can complement formal analysis methods
they are neither necessary nor sufficient for correctness they are simply helpful
Robustness principles
© Levente Buttyán 17
General principles
Principle 1
every message should say what it means; its interpretation should depend only on its content
– if something which is essential to the meaning of a message is left to be inferred from the context, then (re)using the message in a different context may lead to inferring that essential information erroneously
Principle 2
the conditions for a message to be acted upon should be clearly set out so someone reviewing a design may see whether they are acceptable or not
– understanding a message is one thing, but in order to act upon it, a variety of other conditions must hold
– e.g., A may understand that it received a session key from B, but in order to accept this key, A should trust B for generating good quality keys; this trust required in B should be set out explicitly
Robustness principles
© Levente Buttyán 18
Explicit mention of names
Principle 3
if the identity of a principal is essential to the meaning of a message, then it is prudent to mention the name of the principal explicitly in the message
– an early version of SSL:
msg1 A B: PKb(k) msg2 B A: Ek(Nb) msg3 A B: Ek(CertA, SKa(Nb)) – attack:
msg1 A B: PKb(k) msg1 B C: PKc(k) msg2 C B: Ek(Nc) msg2 B A: Ek(Nc) msg3 A B: Ek(CertA, SKa(Nc))
msg3 B C: Ek(CertA, SKa(Nc)) – fix:
msg3 A B: Ek(CertA, SKa(A, B, k, Nb))
Robustness principles / Names
© Levente Buttyán 19
Use of encryption
Principle 4
be clear on why encryption is being done; encryption is not synonymous with security and its improper use can lead to errors – encryption can be used for various purposes in a protocol – the most common uses are the following:
• to provide confidentiality for the session key
• to provide key confirmation
• to bind parts of a message together
– receiving Ek(X, Y) is not the same as receiving Ek(X) and Ek(Y)
Robustness principles / Encryption
© Levente Buttyán 20
Use of encryption
– Needham-Schroeder with timestamps:
msg1 A S: A, B
msg2 S A: EKas(Ts, k, B, EKbs(Ts, k, A)) msg3 A B: EKbs(Ts, k, A) msg4 B A: Ek(rb) msg5 A B: Ek(rb- 1) – use of encryption
msg2, msg3
• to ensure the confidentiality of k
• to bind together Ts, K, and A/B msg4, msg5
• to prove knowledge of k – why nested encryption in msg2 ?
• at first sight, it does not add too much to the protocol
• but a more careful analysis reveals that nested encryption do have a role:
– when B receives msg3 near Ts, he knows that A must have extracted it from msg2 near Ts, and hence A must know k (part of msg2) near Ts
msg5 is not needed
• conclusion:
– either nested encryption in msg2 and no msg5 – or no nested encryption in msg2 and msg5 is needed
Robustness principles / Encryption
© Levente Buttyán 21
Signing encrypted data
Principle 5
– when a principal signs something that has already been encrypted, it should not be inferred that he knows the content of the message
– it is proper to infer that a principal that signs a message and then encrypts it knows the content of the message
– X.509 protocol:
msg1 A B: A, SKa(Ta, Na, B, Xa, PKb(Ya)) – B can be sure that the message comes from A – B cannot be sure that A knows Ya:
msg1 C B: C, SKc(Tc, Nc, B, Xc, PKb(Yc)) msg1 A B: A, SKa(Ta, Na, B, Xa, PKb(Yc))
Robustness principles / Encryption
© Levente Buttyán 22
Use of random nonces
Principle 6
be clear on what properties you are assuming about nonces; what may do for ensuring temporal succession may not do for ensuring association
– Otway-Rees protocol:
msg1 A B: M, A, B, EKas(Na, M, A, B)
msg2 B S: M, A, B, EKas(Na, M, A, B), EKbs(Nb, M, A, B) msg3 S B: M, EKas(Na, k), EKbs(Nb, k)
msg4 B A: M, EKas(Na, k)
– Naand Nbare used to ensure freshness of k in msg3 and msg4 – Naand Nbare also used as references to A and B in msg3 and
msg4
• Nais bound with A and B by encryption in msg1
• Nbis bound with A and B by encryption in msg2
• encryption is used not for secrecy but for binding
Robustness principles / Timeliness
© Levente Buttyán 23
Use of random nonces
– Otway-Rees made simpler:
msg1 A B: A, Na msg2 B S: A, B, Na, Nb
msg3 S B: EKas(Na, A, B, k), EKbs(Nb, A, B, k) msg4 B A: EKas(Na, A, B, k)
– uses fewer encryptions – role of nonces is clear
– names are mentioned explicitly in messages
Robustness principles / Timeliness
© Levente Buttyán 24
Predictable nonces
Principle 7
predictable quantities can be used as nonces in challenge-response protocols, but they should be protected so that an attacker cannot simulate a challenge and later replay a response – a protocol to access a time server:
msg1 A S: A, Na msg2 S A: EKas(Ts, Na) – if Nais predictable:
at T0: X S: A, Na S X: EKas(T0, Na) at T1: A X%S: A, Na
X%S A: EKas(T0, Na)
Robustness principles / Timeliness
© Levente Buttyán 25
Timestamps
Principle 8
if timestamps are used as freshness guarantees then clocks must be synchronized and the time maintenance mechanism becomes part of the trusted computing base
– a slow clock is dangerous:
• a principal with a slow clock may accept expired certificates – a fast clock may be dangerous too:
• principal with a fast clock may sign a message at T0using a timestamp T1> T0
• an attacker can replay this message at T1
Robustness principles / Timeliness
© Levente Buttyán 26
Key freshness
Principle 9
a key may have been used recently, for example to encrypt fresh data, yet be quite old and possibly compromised
– example:
• attack on the Needham-Schroeder symmetric-key protocol
Robustness principles / Timeliness
© Levente Buttyán 27
Encoding of messages
Principle 10
it should be possible to deduce from the encoding of a message which run of what protocol it belongs to, and what its number is in the protocol
– Wide-Mouth-Frog protocol:
msg1 A S: A, EKas(Ta, k, B) msg2 S B: EKbs(Ts, k, A)
– problem:
• direction is not encoded in the messages – fix:
msg1 A S: A, EKas(“WMF#1”, Ta, k, B) msg2 S B: EKbs(“WMF#2”, Ts, k, A)
Robustness principles / Encoding of messages
© Levente Buttyán 28
Interference between protocols
Please, transfer 1 M $ from the account of Alice to the account of Bob.
hash
hash of message
sign
signature of message
Please, transfer 1 M $ from the account of Alice to the account of Bob.
signature of message
A hash of msg SKa( hash of msg )
Alice Bob
- the following should be made impossible by appropriate encoding
Private key of Alice
Robustness principles / Encoding of messages
© Levente Buttyán 29
Trust
Principle 11
be clear on which trust relations your protocol depends on and why the dependence is necessary
– examples:
• in the Wide-Mouth-Frog protocol, one of the parties (A) should be trusted for generating good quality keys; this might be unacceptable in some applications (e.g., where A is a smart card)
• if authenticity of a public key is verified by checking certificate chains, then all issuers in the chain must be trusted
• …
Robustness principles / Trust
BAN logic
- language and inference rules
- methodology of protocol analysis with BAN (like) logic(s) - example: analysis of the Needham-Schroeder protocol - some limitations of BAN logic
© Levente Buttyán 31
Motivation for formal methods
many protocols have been proposed, but most of them are flawed
– how can these flaws be explained?
flaws are subtle and hard to find – how can flaws be uncovered?
in order to avoid flaws, we need more understanding – what does the protocol really achieve?
– does the protocol need more assumptions than another one?
– does the protocol do anything unnecessary that could be left out without weakening it?
• e.g., does the protocol encrypt something that could be sent in clear?
formal methods may help answering these questions
BAN / Preliminaries
© Levente Buttyán 32
Applications of formal methods
specification construction verification
– logics
• general purpose: HOL/Isabelle
• special: BAN, GNY, SvO, … – process algebrae
• general purpose: CSP/FDR
• special: spi-calculus – strand spaces (Athena) – model checking (Murphi, …)
– specialized expert systems (NRL protocol analyzer, Interrogator)
BAN / Preliminaries
© Levente Buttyán 33
Basic ideas
BAN logic is a formalism that allows us to describe the beliefs of parties in the protocol and to study the evolution of these beliefs as a consequence of communication
examples:
– if you have sent Bob a number that you have never used for this purpose before, and if you subsequently receive from Bob something that depends on knowing that number, then you should believe that Bob’s message originated recently (at least after yours)
– if you believe that only you and Bob know K, then you should believe that anything you receive encrypted with K comes originally from Bob
– if you believe that K is Bob’s public key, then you should believe that any signed message that you can successfully verify with K comes originally from Bob
– …
BAN / Basic ideas
© Levente Buttyán 34
Language
notation:P, Q, R principals (or parties)
K (symmetric) key
PuK, PrK public - private keys X, Y statements { X }K encryption (signature)
P believes X
principal Pacts as though the statement Xis true P sees X
someone has sent a message containing Xto P, who can read (and possibly repeat) X
P said X
Pat some time sent a message including X; it is not known whether the message was sent long ago or recently, but it is known that P believed Xwhen he sent it
P controls X
Pis an authority on Xand should be trusted on this matter
BAN / Language
© Levente Buttyán 35
Language
X is fresh
Xhas not been sent in a message at any time before the current run of the protocol (this is typically true for nonces)
P K Q
Pand Qmay use the shared key Kto communicate; the key Kis good, in that it will never be discovered by any principal other than Pand Q,or principals trusted by Por Q
PuK = P
Phas PuKas a public key; the corresponding private key PrKwill never be discovered by any principal other than P,or principals trusted by P
X is secret to P, Q
Xis a secret known only to P and Q and possible to principals trusted by them
BAN / Language
© Levente Buttyán 36
Inference rules
P believes PK Q , P sees { X }K P believes ( Q said X ) message meaning rules:
P believes PuK=Q , P sees { X }PrK P believes ( Q said X )
nonce verification rule:
P believes ( X is fresh ) , P believes ( Q said X ) P believes ( Q believes X )
control rule:
P believes ( Q controls X ) , P believes ( Q believes X ) P believes X
BAN / Inference rules
© Levente Buttyán 37
Inference rules
belief rules:
P believes X , P believes Y
P believes ( X and Y ) P believes X , P believes Y P believes ( X and Y )
P believes ( Q believes X ) P believes ( Q believes ( X and Y ) )
saying rules:
P believes ( Q said X ) P believes ( Q said [ X, Y ] )
seeing rules:
P sees X P sees [ X, Y ]
P sees X P believes PK Q , P sees { X }K
P sees X P believes PuK=P, P sees { X }PuK
P sees X P believes PuK=Q , P sees { X }PrK
BAN / Inference rules
© Levente Buttyán 38
Inference rules
freshness rule:
P believes ( [ X, Y] is fresh ) P believes ( X is fresh)
symmetry of shared secrets:
P believes R’K R P believes RK R’
P believes ( K is secret to R’, R ) P believes ( K is secret to R , R’)
P believes ( Q believes R’K R ) P believes ( Q believes RK R’ )
P believes ( Q believes ( K is secret to R’, R ) ) P believes ( Q believes ( K is secret to R , R’) )
BAN / Inference rules
© Levente Buttyán 39
Summary of assumptions
cryptography and communication
– cryptographic primitives are secure and perfect (unbreakable) – each encrypted message contains sufficient redundancy to allow a
principal who decrypts it to verify that he has used the right key – principals recognize and ignore their own messages
time
– time is divided into past and present; the present epoch begins at the start of the particular run of the protocol under consideration belief
– all beliefs held in the present are stable for the entirety of the protocol run
– when a principal says something, then he actually believes it – beliefs held in the past are not necessarily carried forward into
the present
BAN / Assumptions
© Levente Buttyán 40
Analysis methodology
protocol
formal protocol description idealization
assumptions
goals
annotation achievements
compare
BAN / Analysis methodology
© Levente Buttyán 41
Idealization
translation into a logical form
– logical form = implementation independent encoding – original: A→B: msg
– logical: B sees ( a formula that represents msg) there’s no general rule for this translation
– idealization requires to understand the protocol conceptually – once it is understood, it is fairly easy to generate a useful logical
form of the protocol guidelines
– leave out everything that do not contribute to the beliefs of the recipient of the message
– in particular, remove cleartext hints
– a real message msgcan be interpreted as a formula Xif whenever the recipient gets msghe may deduce that the sender must have believed Xwhen he sent msg
BAN / Analysis methodology
© Levente Buttyán 42
Assumptions and goals formalized
assumptions
– pre-established channels
• A believes ( A K S ) – nonces
• A believes ( rais fresh ) – trust
• A believes ( S controls ( A K B) ) goals
– entity authentication
• A believes ( B said X ) andA believes ( X is fresh ) – implicit key authentication
• A believes ( A K B) – key confirmation
• A believes ( B believes ( A K B ) ) – key freshness
• A believes ( K is fresh )
BAN / Analysis methodology
© Levente Buttyán 43
Protocol annotation
S0- assumptions
S1- set of formulae derivable from S0∪{ B sees f( msg1 )}
S2- set of formulae derivable from S1∪{ A sees f( msg2 )}
Sn- set of formulae derivable from Sn-1∪{ B sees f( msgn)} B sees f( msg1)
A sees f( msg2)
B sees f( msgn)
…
BAN / Analysis methodology
© Levente Buttyán 44
The Needham- Schroeder protocol
BAN / Analysis of the NS protocol
Alice Server Bob
A, B, ra
generate k EKas(ra, B, k, EKbs(k, A))
EKbs(k, A) Ek(rb) Ek(rb- 1)
summary: Alice requests a session key from the Server; the Server generates the key and sends it to Alice and to Bob via Alice; Alice and Bob performs entity authentication and key confirmation
characteristics:mutual entity authentication, mutual explicit key authentication, key freshness with fresh random numbers (flawed), on- line third party trusted for generation of session keys, initial long- term keys between the parties and the server are required
© Levente Buttyán 45
Idealization
BAN / Analysis of the NS protocol
original:
A S : A, B, ra
S A : { ra, B, k, { k, A }Kbs}Kas A B : { k, A }Kbs
B A : { rb}k A B : { rb- 1 }k
idealized:
A sees { ra, Ak B, k is fresh, { Ak B, k is fresh }Kbs}Kas B sees { Ak B, k is fresh }Kbs
A sees { rb, Ak B }k B sees { rb- 1, Ak B }k
© Levente Buttyán 46
Assumptions
pre-established channels:
A believes ( AKas S ) S believes ( AKas S ) B believes ( BKbs S ) S believes ( BKbs S ) trust:
A believes ( S controls ( Ak B ) ) B believes ( S controls ( Ak B ) ) A believes ( S controls (k is fresh) ) B believes ( S controls (k is fresh) ) nonces:
A believes ( rais fresh ) B believes ( rbis fresh ) session key:
S believes ( Ak B ) S believes ( k is fresh )
BAN / Analysis of the NS protocol
© Levente Buttyán 47
Analysis
A sees { ra, Ak B, k is fresh, { Ak B, k is fresh }Kbs}Kas
A sees { ra, Ak B, k is fresh { Ak B, k is fresh }Kbs}Kas A believes ( AKas S )
A believes ( S said [ ra, Ak B, k is fresh, { Ak B, k is fresh }Kbs] ) A believes ( rais fresh )
A believes ( [ ra, Ak B, k is fresh, { Ak B, k is fresh }Kbs] is fresh )
A believes ( S said [ra, Ak B, k is fresh, { Ak B, k is fresh }Kbs] ) A believes ( [ra, Ak B, k is fresh, { Ak B, k is fresh }Kbs] is fresh )
A believes ( S believes ( Ak B ) ) A believes ( S believes ( k is fresh ) )
A believes ( S believes ( Ak B ) ) A believes ( S controls ( Ak B ) )
A believes ( Ak B )
A believes ( S believes ( k is fresh ) ) A believes ( S controls ( k is fresh ) )
A believes ( k is fresh )
BAN / Analysis of the NS protocol
© Levente Buttyán 48
Analysis
B sees { Ak B, k is fresh }Kbs
B sees { Ak B, k is fresh }Kbs B believes ( AKbs S ) B believes ( S said [Ak B, k is fresh] )
???
B believes ( [ Ak B, k is fresh ] is fresh ) B believes ( S said [Ak B, k is fresh ] ) B believes ( [Ak B, k is fresh ] is fresh )
B believes ( S believes ( Ak B ) ) B believes ( S believes ( k is fresh ) ) B believes ( S believes ( Ak B ) )
B believes ( S controls ( Ak B ) ) B believes ( Ak B )
B believes ( S believes ( k is fresh ) ) B believes ( S controls ( k is fresh ) )
B believes ( k is fresh )
BAN / Analysis of the NS protocol
© Levente Buttyán 49
Analysis
A sees { rb, Ak B }k A sees { rb, Ak B }k A believes ( Ak B ) A believes ( B said [rb, Ak B ] )
A believes ( k is fresh ) A believes ( [ rb, Ak B ] is fresh ) A believes ( B said [ rb, Ak B ] )
A believes ( [ rb, Ak B ] is fresh ) A believes ( B believes ( Ak B ) )
B sees { rb- 1, Ak B }k B sees { rb- 1, Ak B }k B believes ( Ak B ) B believes ( A said [ rb- 1, Ak B ] )
B believes ( rb is fresh ) B believes ( [ rb- 1, Ak B ] is fresh ) B believes ( A said [ rb- 1, Ak B ] )
B believes ( [ rb- 1, Ak B ] is fresh ) B believes ( A believes ( Ak B ) )
BAN / Analysis of the NS protocol
© Levente Buttyán 50
Nessett’s critique
Nessett protocol:
A B : { Ta, B, k }PrKa B A : { Tb}k
idealized Nessett protocol:
B sees { Ta, Ak B }PrKa A sees { Tb, Ak B}k analysis:
B sees { Ta , Ak B }PrKa B believes ( PuKa= A ) B believes ( A said [ Ta , Ak B ] )
B believes ( Tais fresh ) B believes ( [ Ta , Ak B ] is fresh ) B believes ( A said [ Ta , Ak B ] )
B believes ( [ Ta , Ak B ] is fresh ) B believes ( A believes ( Ak B ) ) B believes ( A believes ( Ak B ) ) B believes ( A controls ( Ak B ) )
B believes ( Ak B )
conclusion: the BAN analysis suggests that the protocol is correct, but it is obviously flawed
BAN / Limitations
© Levente Buttyán 51
BAN’s rejoinder
from Burrows, Abadi, and Needham, Rejoinder to Nessett, Operating Systems Review, Vol. 24. No. 2. April 1990
– “… while we allow for the possibility of hostile intruders, there is no attempt to deal with the authentication of an untrustworthy principal, nor to detect weaknesses of encryption schemes or unauthorized release of secrets ...”
– “… The main difficulty comes with the introduction of the assumption A believes ( Ak B ), which says that Abelieves that kis a good shared key for Aand B. This assumption is clearly inconsistent with the message exchange, where Apublishes k. The inconsistency is not manifested by our formalism, but it is not beyond the wit of man to notice. ...”
BAN / Limitations
© Levente Buttyán 52
Conclusion on BAN logic
formal methods can be very helpful
but no formal method exist that discover every security weaknesses in a protocol
when you use a formal method you should be aware of the limitations of that method
BAN logic is one of the most popular formal methods to analyze cryptographic protocols (it is simple and intuitive)
BAN logic helped researchers
– to discover previously unknown flaws in published protocols, and – to understand the basic principles of authentication and key
establishment
BAN logic has limitations and weaknesses – it failed to discover certain flaws in certain protocols – it seems to have problems in analyzing secrecy properties – it requires “protocol idealization”, which may lead to errors
BAN / Conclusion
© Levente Buttyán 53
Summary
basic concepts
– key establishment, key transport, key agreement
– implicit key authentication, key confirmation, key freshness, … – attacker model
• black box crypto
• attacker controls the network
• simple replays and interleaving attacks robustness principles
– be explicit!
• especially, mention names explicitly formal methods and the BAN logic
– be aware of the limitations of the particular method you use!
© Levente Buttyán 54
Recommended readings
M. Abadi and R. Needham, Prudent engineering practice for cryptographic protocols, In IEEE Transactions on Software Engineering, 22(1), 1996.
R. Anderson and R. Needham, Programming Satan's computer, In Computer Science Today, Springer LNCS 1000, 1995.
R. Anderson and R. Needham, Robustness principles for public- key protocols, In Advances in Cryptology -- CRYPTO'95, Springer, 1995.
M. Burrows, M. Abadi and R. Needham, A logic of
authentication, In Proceedings of the Royal Society, December 1989.