Formal Analysis of Security

Protocols
Dr. Changyu Dong
[email protected]

Security Protocols
Are protocols concerning with
security properties, e.g. integrity and
confidentiality.
For example
SSL, Kerberos, WPA, CHAP, Contract
signing, E-voting, E-money.

They have to be right, but they often

arent.

Formal Analysis
There are now several methods for
analysing security protocols, based on:
Modal and temporal logics
Process algebras (CSP, pi-calculus)
Theorem-proving tools

They have resulted in:

increased confidence in some protocols,
discovery of many protocol flaws,
a better understanding of how to design
robust protocols.

BAN Logic
Named after its authors Burrows, Abadi
and Needham.
A modal logic for analysing
authentication protocols.
First formal analysis technique for
Security Protocols.
Easy to use.
Finds many attacks on known protocols.

Authentication, an Intuitive
Example
Imaging you received this email from your
best friends address. Would you click the
link?
Hi,
Here are some wonderful pictures. Click the
link below:
flickr.com
Tom

Authentication, an Intuitive
Example
Now imaging the email is written in this way
Hi,
Remember the guy who drank beer through
his nose last night in the pub? Ive put some
photos online. Click the link below:
flickr.com
Tom

Would you click the link?

Authentication, an Intuitive
Example
Now imaging you received this email and
your friend Bob told you he received the
same message and the link was genuine.
Hi,
Here are some wonderful pictures. Click the
link below:
flickr.com
Tom

Would you click the link?

The Key Factors in

Authentication
Some secrets
Or some trust
And

Authentication, an Intuitive
Example
Imaging you received this email again one week
later
Hi,
Remember the guy who drank beer through
his nose last night in the pub? Ive put some
photos online. Click the link below:
flickr.com
Tom

Would you click the link?

The Key Factors in

Authentication
Some secrets
Or some trust
And Freshness

BAN Logic: Basic Notations

P believes X: Principle P believes X. P acts as if
X is true. P knows X is indeed true or the
truth of X is justified by some evidence.
P sees X: The principal P receives a message
containing X. Seeing is NOT believing. P does
not necessarily believes X even if P sees X.
P said X: At some point in the past, P is known
to have sent a message including X.
P controls X: P has jurisdiction over X, or P is
trusted as an authority on X.

BAN Logic: Basic Notations

Fresh(X): X is recent or has not been used
before. It is a fresh value (nonce,
timestamp).
K
P
Q: P and Q may used the shared key
K to communicate. K is only known to P and
Q or a principal trusted by P and Q (such as
an authentication server).
P: P has K as a public key. The private
key (K-1) is known only to P.
P X Q: X is a shared secret between P and

Q.
K

BAN Logic: Basic Notations

{X}K: X is encrypted under the key K.
<X>Y: X is combined with a secret Y.
X,Y means X and Y

Authentication goals:
formalised

Mutually Authenticated key

establishment between A and B:
Mutually Authenticated & confirmed
key establishment between A and B:
Data Origin Authentication

Inference Rules
Message-meaning

K is a key shared between Q and P,

so if P sees a message encrypted by
K, it must come from Q (P ignores its
own messages). Similarly:

Inference Rules
Nonce-verification

If P believes that Q once said X, then

P believes that Q once believed X. If
X is fresh, then Q should still hold
this belief.

Inference Rules
Jurisdiction rule

If P trusts Q as an authority on X,
then P should believe X if Q does so.

Inference Rules
Decomposition rules

Decryption rules

Inference Rules
Freshness rule

If part of the message is fresh, then

the whole message is also fresh.

Protocol Analysis with BAN

Logic

Idealise the protocol by replacing

concrete messages by idealised
messages.
State the initial assumptions
Apply the inference rules to each
message and interpret the meaning
of derived formulas.

Idealise the Protocol

Drop unencrypted messages, because they
do not contribute to the growth of
principles beliefs.
Drop all other data that does not
contribute to the growth of beliefs. (Usually
nonces and timestamps need to be left in.)
Understand the real meaning of messages
and represent the meaning in the idealised
messages using correct formulas.

Andrew Secure RPC

This protocol is intended to distribute a new session key
between two principals A and B who share a long-term key.

Idealise

Initial Assumptions
Kab is pre-shared

Kab is generated by
B
Na is generated by A
Nb is generated by B

Analyse the Protocol

The goal of the protocol is to distribute a
new shared keys between A and B.
That means, at the end of the protocol, A
should believe that it shares K ab with B and
B should believe that it shares K ab with A.

The first goal is in the initial assumptions,

how about the second?

Analyse the Protocol

Lets go backwards:

Analyse the Protocol

Analyse the Protocol

How to prove
Unfortunately, we cannot.
That means the protocol
has a flaw.

A cannot verify the new

key is fresh.
An attacker can mount a replay attack.

Modified Protocol

A Few Words at the End

BAN logic can help you find flaws
But not all the flaws
The Needham-Schroeder public-key protocol
was proved to be correct in the BAN logic
paper, but later was found flawed.

The original paper is worth reading

A Logic of Authentication, M Burrows, M
Abadi, R Needham, ACM Transactions on
Computer Systems 1990