Logic of Authentication Dennis Kafura Derived from materials - - PowerPoint PPT Presentation

SLIDE 1

1 CS 6204, Spring 2005

Logic of Authentication

Dennis Kafura

Derived from materials authored by: Burrows, Abadi, Needham

SLIDE 2

Goals and Scope

♦ Goals

– develop a formalism to reason about authentication protocols
– uses

  • determine guarantees provided by a protocol
  • compare assumptions needed by different protocols
  • identify extraneous protocol steps

♦ Out of scope concerns

– defects in practical implementations (e.g., deadlocks)
– hostile or malicious parties

SLIDE 3

Outline

♦ Notation

– Symbols for keys, principals, etc.
– Constructs related to beliefs, signatures, etc.

♦ Formalism

– Logic postulates: formal rules for reasoning about beliefs
– Annotations of protocol steps
– Usual logical primitives (conjunction denoted by “,”)

♦ Method

– Form idealized protocol
– Define assumptions
– Prove properties based on logic postulates

♦ Examples

– Kerberos
– Andrew Secure RPC handshake
– Needham-Schroeder Public Key Protocol
– CCITT X.509 Protocol

SLIDE 4

Notation

♦ Principals

– A, B, S, …

♦ Keys

– Shared keys: Kab, Kbs, …
– Public keys: Ka, Kb, …
– Secret (private) keys: Ka^-1, Kb^-1, …

♦ Statements

– Na, Nb, … (specific statements, e.g., nonces and timestamps)

SLIDE 5

Constructs

P believes X: P is entitled to believe that (or may act as if) X is true
P sees X: P received a message containing X
P said X: P sent a message containing X at some time in the past
P controls X: P is authoritative for X
fresh(X): X is within the current run of the protocol
P ←K→ Q: K is a shared secret key between P and Q
K ↦ P: P has public key K (on the slides K is written above the arrow)
P =X= Q: X is a shared secret between P and Q
{X}K: X encrypted with K
<X>Y: X combined with Y

SLIDE 6

Logic Postulates (1)

(1) Message meaning rules:

– secret (shared) key
– public key
– shared secret

SLIDE 7

Logic Postulates (2)

(2) Nonce verification rule:

(3) Jurisdiction rule:

SLIDE 8

Logic Postulates (3)

(4) Visibility rules:

(5) Freshness rule:

SLIDE 9

Annotations and Goals

The steps in a protocol are annotated with logical formulas before the first step and after each step:

  • if X holds before the message P → Q : Y, then both X and “Q sees Y” hold afterwards (the annotation rule);
  • if Y can be derived from X by the logical postulates, then Y holds whenever X holds.

Conjunctions can be “broken” (i.e., if P said (X, Y) then P said X). The logic can be used to prove various authentication goals, such as:

SLIDE 10

Kerberos: messages

“Real” protocol:

“Idealized” protocol:

SLIDE 11

Kerberos: assumptions

SLIDE 12

Kerberos: message 2

(1) A sees {TS, A ←Kab→ B, {TS, A ←Kab→ B}Kbs}Kas, by the annotation rule.
(2) A believes S said (TS, A ←Kab→ B, {TS, A ←Kab→ B}Kbs), by the assumption A believes A ←Kas→ S and the message meaning rule.
(3) A believes S said (TS, A ←Kab→ B), by breaking conjunctions.
(4) A believes S believes (TS, A ←Kab→ B), by the assumption A believes fresh(TS), the freshness rule (fresh(TS) extends to the whole conjunction) and the nonce verification rule.
(5) A believes S believes (A ←Kab→ B), by breaking conjunctions.
(6) A believes S controls (A ←Kab→ B), by instantiating K as Kab in the assumption A believes S controls (A ←K→ B).
(7) A believes (A ←Kab→ B), by the jurisdiction rule.

SLIDE 13

Kerberos: message 3 (part 1)

(1) B sees {TS, A ←Kab→ B}Kbs, {Ta, A ←Kab→ B}Kab, by the annotation rule.
(2) B believes S said (TS, A ←Kab→ B), by breaking conjunctions, the assumption B believes B ←Kbs→ S and the message meaning rule.
(3) B believes S believes (TS, A ←Kab→ B), by the assumption B believes fresh(TS) and the nonce verification rule.
(4) B believes S believes (A ←Kab→ B), by breaking conjunctions.
(5) B believes S controls (A ←Kab→ B), by instantiating K as Kab in the assumption B believes S controls (A ←K→ B).
(6) B believes (A ←Kab→ B), by the jurisdiction rule.

SLIDE 14

Kerberos: message 3 (part 2)

(1) B sees {Ta, A ←Kab→ B}Kab, by breaking conjunctions and the annotation rule.
(2) B believes A said (Ta, A ←Kab→ B), by the proof (part 1) that B believes A ←Kab→ B and the message meaning rule.
(3) B believes A believes (Ta, A ←Kab→ B), by the assumption B believes fresh(Ta) and the nonce verification rule.
(4) B believes A believes (A ←Kab→ B), by breaking conjunctions.

SLIDE 15

Kerberos: message 4

(1) A sees {Ta, A ←Kab→ B}Kab, by the annotation rule.
(2) A believes B said (Ta, A ←Kab→ B), by the proof (message 2) that A believes A ←Kab→ B and the message meaning rule.
(3) A believes B believes (Ta, A ←Kab→ B), by the assumption A believes fresh(Ta) and the nonce verification rule.
(4) A believes B believes (A ←Kab→ B), by breaking conjunctions.
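The following is an added example, not code from the slides or from Burrows, Abadi and Needham: a small Python checker that encodes the shared-key BAN postulates named on slides 6 to 9 (message meaning, nonce verification, jurisdiction, visibility, freshness and breaking of conjunctions) as forward rules and replays the idealized Kerberos messages of slides 12 to 15, applying the annotation rule after each message and saturating the belief set to a fixpoint. It goes beyond the slides in that it derives everything the postulates allow rather than the hand-picked steps, and it checks that each goal first appears after the message the slides attribute it to. The tuple encoding, the “?” wildcard standing for the uninstantiated K in “S controls A ←K→ B”, and the names KAB, MSG2, MSG3, MSG4, ASSUMPTIONS and run_kerberos are this example's own conventions; the assumption set is the one the derivation slides cite, plus S's own beliefs about the keys it holds.

```python
"""Tiny BAN-logic checker (added example): shared-key postulates as forward rules,
replaying the idealized Kerberos run of slides 12-15 to a fixpoint after each message."""

# ---- formula constructors: plain tuples, so formulas hash and compare structurally ----
def believes(p, x): return ('believes', p, x)
def sees(p, x):     return ('sees', p, x)
def said(p, x):     return ('said', p, x)
def controls(p, x): return ('controls', p, x)
def fresh(x):       return ('fresh', x)
def enc(x, k):      return ('enc', x, k)          # {X}K
def conj(*xs):      return ('conj',) + xs          # (X, Y, ...)
def key(p, k, q):                                  # P <-K-> Q, symmetric in P and Q
    return ('key', k) + tuple(sorted((p, q)))

def is_(x, tag):
    return isinstance(x, tuple) and x[0] == tag

def matches(pattern, formula):
    """'S controls A<-K->B' with K = '?' (this example's wildcard) matches any key A<-Kab->B."""
    return pattern == formula or (is_(pattern, 'key') and is_(formula, 'key')
                                  and pattern[1] == '?' and pattern[2:] == formula[2:])

def step(facts):
    """One forward round of the BAN postulates over `facts`; returns only the new facts."""
    new = set()
    bel = [f for f in facts if f[0] == 'believes']
    for _, p, x in [f for f in facts if f[0] == 'sees']:
        if is_(x, 'conj'):                           # visibility: P sees (X,Y) => P sees X
            new.update(sees(p, part) for part in x[1:])
        if is_(x, 'enc'):                            # shared-key visibility and message meaning
            _, body, k = x
            for _, q, y in bel:
                if q == p and is_(y, 'key') and y[1] == k and p in y[2:]:
                    other = y[2] if y[3] == p else y[3]
                    new.add(sees(p, body))           # P believes P<-K->Q, P sees {X}K => P sees X
                    new.add(believes(p, said(other, body)))  # ... => P believes Q said X
    for _, p, x in bel:
        if is_(x, 'conj'):                           # P believes (X,Y) => P believes X
            new.update(believes(p, part) for part in x[1:])
        if is_(x, 'said'):
            q, msg = x[1], x[2]
            if is_(msg, 'conj'):                     # P believes Q said (X,Y) => P believes Q said X
                new.update(believes(p, said(q, part)) for part in msg[1:])
            parts = msg[1:] if is_(msg, 'conj') else (msg,)
            if any(believes(p, fresh(part)) in facts for part in parts):
                new.add(believes(p, fresh(msg)))     # freshness: fresh(X) => fresh(X,Y)
            if believes(p, fresh(msg)) in facts:     # nonce verification
                new.add(believes(p, believes(q, msg)))
        if is_(x, 'believes'):
            q, y = x[1], x[2]
            if is_(y, 'conj'):                       # P believes Q believes (X,Y) => ... believes X
                new.update(believes(p, believes(q, part)) for part in y[1:])
            for _, p2, c in bel:                     # jurisdiction: P believes Q controls Y,
                if p2 == p and is_(c, 'controls') and c[1] == q and matches(c[2], y):
                    new.add(believes(p, y))          # P believes Q believes Y => P believes Y
    return new - facts

def saturate(facts):
    """Apply the postulates until nothing new can be derived."""
    facts = set(facts)
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new

# ---- idealized Kerberos, as written on slides 12-15 (TS from S, Ta from A) ----
A, B, S = 'A', 'B', 'S'
KAB = key(A, 'Kab', B)
MSG2 = enc(conj('TS', KAB, enc(conj('TS', KAB), 'Kbs')), 'Kas')        # S -> A
MSG3 = conj(enc(conj('TS', KAB), 'Kbs'), enc(conj('Ta', KAB), 'Kab'))   # A -> B
MSG4 = enc(conj('Ta', KAB), 'Kab')                                      # B -> A

ASSUMPTIONS = {
    believes(A, key(A, 'Kas', S)), believes(S, key(A, 'Kas', S)),
    believes(B, key(B, 'Kbs', S)), believes(S, key(B, 'Kbs', S)),
    believes(S, KAB),
    believes(A, controls(S, key(A, '?', B))),   # A believes S controls A<-K->B (K uninstantiated)
    believes(B, controls(S, key(A, '?', B))),
    believes(A, fresh('TS')), believes(B, fresh('TS')),
    believes(A, fresh('Ta')), believes(B, fresh('Ta')),
}

def run_kerberos():
    """Annotation rule: after P -> Q : Y, everything that held before still holds, plus 'Q sees Y'.
    Returns the saturated fact set after each message, keyed by message number."""
    after, facts = {}, set(ASSUMPTIONS)
    for n, receiver, msg in ((2, A, MSG2), (3, B, MSG3), (4, A, MSG4)):
        facts = saturate(facts | {sees(receiver, msg)})
        after[n] = set(facts)
    return after

if __name__ == '__main__':
    after = run_kerberos()
    for goal in (believes(A, KAB), believes(B, KAB),
                 believes(B, believes(A, KAB)), believes(A, believes(B, KAB))):
        held = [n for n in (2, 3, 4) if goal in after[n]]
        print(goal, 'first holds after message', held[0] if held else None)
```

Run directly, it prints after which message each of the four goals first holds: A believes A ←Kab→ B after message 2, B believes A ←Kab→ B and B believes A believes A ←Kab→ B after message 3, and A believes B believes A ←Kab→ B only after message 4. The negative side is the useful part for a reviewer of a protocol: B has no belief about Kab before message 3 and A learns nothing about B's beliefs before message 4, so a variant that drops message 4 would visibly lose the last goal rather than silently passing.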