EE5552 Network Security and Encryption

Dr. T.J. Owens CMath, FIMA, MIEEE
Dr T. Itagaki MIET, MIEEE, MAES
Block 2
BAN Logic and Passwords
Objectives (1)
• To give a flavour of formal methods by introducing
BAN logic
• To appreciate that BAN logic provides help in finding
flaws in authentication protocols, but it cannot
guarantee that they are not flawed
– This will help you avoid situations of “the King’s new
clothes”
Objectives (2)
By way of light relief:
– To present the goals an ideal password authentication
scheme would achieve
Introduction (1)
In distributed computing, protocols provide the rules on how to
communicate.
To protect communications from attackers cryptographic
protocols were developed. A cryptographic protocol is a
protocol that uses encryption in some way.
Unfortunately, many cryptographic protocols have been found to
be vulnerable to attacks that do not require that the
encryption be broken.
Introduction (2)
In such attacks the messages in the protocol are manipulated by
the attacker in some way to the benefit of the attacker.
– The consequences can range from confidentiality being compromised
to the attacker being able to impersonate a legitimate user.
A class of cryptographic protocols that are fundamental to the
security of a system are the authentication protocols.
Introduction (3)
To be able to design a robust authentication protocol it is
necessary to fully understand what it is it achieves.
The logic of authentication formally describes the knowledge
and the beliefs of the legitimate parties involved in
authentication, and while analyzing the protocol step by step,
describes how their knowledge and beliefs change at each
step. After the analysis, all the final states of the protocol are
set out.
BAN Logic (1)
The BAN logic appeared in 1989 in a publication by Burrows,
Abadi and Needham, who invented it and gave it its name.
– It was the first attempt to formalise the description and
analysis of authentication protocols.
A protocol in the BAN logic is described by logical formulas with
the aim of writing each step of the protocol in such a way that
all the essential information gained from the step is shown.
– This is an idealisation of the protocol.
BAN Logic (2)
Some of the most often used formulas of the BAN logic are:
P believes X.
The principal P may act as if X is true
P sees X.
P has received X in a message and can read and repeat X (send it
on)
P once said X.
P sent a message at some point including X. It is known that P
believed X when the message was sent
BAN Logic (3)
P has jurisdiction over X
P has delegated authority over statement X
The message X is fresh
X has not been sent before. This is usually assumed to be the
case for nonces
BAN Logic (4)
P and Q may use shared key K to
communicate; K is assumed to be secure
P and Q share the secret X
• An important example of X is a password
Message X encrypted under key K
Time (1)
In the BAN logic, time is divided into the past and the present.
The present begins when the protocol starts running. All
messages sent before this are in the past and the protocol
should reject such messages.
The above formulas are manipulated using logical postulates.
In the BAN logic
means if P is true then Q is true.
The logical postulates include message-meaning rules which
explain how to derive beliefs about the source of messages.
Time (2)
For shared keys, the BAN logic postulates:
That is, if A believes that the key K is shared with B and sees a
message X encrypted under K, then A believes that B once
said X.
For this rule to be sound, we must guarantee that A did not send
X herself; it is enough to remember that
stands for a
formula of the form
from R
for some R and to require that
Time (3)
The nonce verification rule expresses the check that a message is
recent, and therefore that the sender still believes in it:
This says that if A believes that X could have been created only
recently and that B once said X, then A believes that B
believes X. For the sake of simplicity, X must be plaintext.
Time (4)
The jurisdiction rule states that if A believes that B has
jurisdiction over X and A believes that B believes X then A
believes X.
Given the postulates, proofs in the logic can be constructed.
Protocol Idealization (1)
A protocol is presented in steps where each step involves the
sending and the receiving of one message.
A protocol step is normally written in standard protocol
engineering notation, for example,
This means that A sends and B receives a message encrypted
with KBP (a shared key that can be taken to be Bob’s public
key). The message consists of the name of A and a shared key
KAB to be used by A and B for secure communication between
them.
Protocol Idealization (2)
In the BAN logic this protocol step would be written in an
idealized way as:
This means that A sends and B receives a message encrypted
with KBP and that the message includes a shared key KAB to be
used by A and B for secure communication between them.
Protocol Idealization (3)
The crucial point is that:
The purpose of idealization is to omit the parts of the message
that do not contribute to the beliefs of the recipient.
In this case the name of A is omitted because the protocol
engineering notation for the step implicitly assumes that B
accepts that the message came from A when he receives it
and that possession of the name of A does not change this.
Protocol Analysis using the BAN Logic (1)
In the BAN logic the analysis of a protocol is carried out in four
stages:
1. Each step of the protocol is written in idealized form
2. Assumptions about the initial state are written
3. Logical formulas are attached to the idealized steps of the
protocol, as assertions about the state of the system after
each step
4. The BAN logic postulates are applied to the assumptions and
the assertions in order to determine the beliefs held by the
parties in the protocol.
Protocol Analysis using the BAN Logic (2)
This procedure may be repeated as new assumptions are found
to be necessary and as the idealized protocol is refined.
It is very important to realize that the idealized form of each
message cannot be determined by looking merely at a single
protocol step by itself. Only knowledge of the entire protocol
can determine the essential logical contents of the message.
Typically, the assumptions include the statements about key
possession and sharing, nonce generation and trust between
the principals.
Protocol Analysis using the BAN Logic (3)
Specifically, idealized protocols are annotated with formulas
which are then manipulated with the postulates. A protocol is
a sequence of “send" statements of the form
with
.
An annotation for a protocol consists of a sequence of assertions
inserted before the first statement and after each statement;
the assertions used are conjunctions of formulas of the BAN
logic.
The first assertion contains the assumptions, while the last
assertion contains the conclusions.
Representing the Needham-Schroeder Protocol using the BAN Logic (1)
First note that an idealized protocol in the BAN logic omits plain
text messages because they can be forged, and so do not
contribute anything useful to the authentication protocol. So
step 1 of the Needham-Schroeder protocol is omitted. Recall
that the subsequent steps are:
Message 2:
Message 3:
Message 4:
Message 5:
Representing the Needham-Schroeder Protocol using the BAN Logic (2)
After receiving Message 3 B decrypts
and then carries out a
nonce handshake with A to check that A is ready to receive a
message from him since Message 3 might have been a replay.
The use of
in the last message is conventional. Almost any
function of
would do, as long as B can distinguish his
message from A's; thus, subtraction is used to indicate that the
message is from A, rather than from B.
Representing the Needham-Schroeder Protocol using the BAN Logic (3)
The above steps in idealized form are:
Message 2:
Message 3:
Message 4:
from B
Message 5:
from A
Representing the Needham-Schroeder Protocol using the BAN Logic (4)
The # statement about KAB in Message 2 is present because A
believes that KAB is fresh.
The statements about KAB in Messages 4 and 5 are present
because the messages were sent to assure B that the key is fresh
and to assure each principal that the other believes the key is
good. The "from" statements are included to distinguish
Messages 4 and 5.
Analyzing the Protocol (1)
To fully understand the protocol, all the initial assumptions
made must be understood; BAN logic helps achieve this.
After a little thought the following initial assumptions should be
obvious:
$A \mid\equiv A \overset{K_A}{\leftrightarrow} T$
$B \mid\equiv B \overset{K_B}{\leftrightarrow} T$
$T \mid\equiv A \overset{K_A}{\leftrightarrow} T$
$T \mid\equiv B \overset{K_B}{\leftrightarrow} T$
$T \mid\equiv A \overset{K_{AB}}{\leftrightarrow} B$
(Notation as defined earlier: $P \mid\equiv X$ is "P believes X", $P \Rightarrow X$ is "P has jurisdiction over X", $\#(X)$ is "X is fresh", and $P \overset{K}{\leftrightarrow} Q$ is "P and Q share the key K".)
Analyzing the Protocol (2)
After a little thought the following initial assumptions should be
obvious:

$A \mid\equiv T \Rightarrow A \overset{K_{AB}}{\leftrightarrow} B$
$A \mid\equiv T \Rightarrow \#(A \overset{K_{AB}}{\leftrightarrow} B)$
$A \mid\equiv \#(N_A)$
$B \mid\equiv \#(N_B)$
$T \mid\equiv \#(A \overset{K_{AB}}{\leftrightarrow} B)$
$B \mid\equiv T \Rightarrow A \overset{K_{AB}}{\leftrightarrow} B$

Analyzing the Protocol (3)
A logical proof of the protocol will now be attempted.
First A sends a plaintext message including a nonce. In Message
2 Trent repeats the nonce in a reply which also contains KAB.
A can decrypt Message 2 so:
Since A knows NA is fresh the nonce verification postulate can be
applied to give:
$A \mid\equiv T \mid\equiv A \overset{K_{AB}}{\leftrightarrow} B$
$A \mid\equiv T \mid\equiv \#(A \overset{K_{AB}}{\leftrightarrow} B)$

Analyzing the Protocol (4)
The jurisdiction postulate gives:

$A \mid\equiv A \overset{K_{AB}}{\leftrightarrow} B$
$A \mid\equiv \#(A \overset{K_{AB}}{\leftrightarrow} B)$
Also:
Analyzing the Protocol (5)
So A can send this to B. At this point, B decrypts the message and
the appropriate message-meaning postulate gives:
However, it is impossible to proceed unless the assumption is
made that:
This highlights the weakness of the protocol because B has
nothing to tell him the message is fresh. In effect this is an
initial assumption of the protocol that was overlooked by its
creators.
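The four-stage analysis above, as an added example in Python (not code from the lecture notes or from Burrows et al.): a small forward-chaining engine for the message-meaning, nonce-verification and jurisdiction postulates, run over idealized Needham-Schroeder Messages 2 to 4 with the initial assumptions listed earlier. It reproduces A's derivation and shows that B gets stuck until the overlooked freshness assumption is added. Tuple encoding of formulas and the rule that every "sees" fact is a message the other party sent (so the "not sent by P herself" proviso holds) are assumptions of this example.

```python
# Added example, not from the lecture notes: a small forward-chaining engine
# for three BAN postulates (message meaning for shared keys, nonce
# verification, jurisdiction) run over idealized Needham-Schroeder messages
# 2 to 4.  Formulas are nested tuples; the names A, B, T, Ka, Kb, Kab, Na,
# Nb follow the slides.  Assumption: every "sees" fact below is a message
# the other party sent, so the message-meaning proviso "not sent by P
# herself" holds and is not checked mechanically.

def believes(p, x):  return ("believes", p, x)
def sees(p, x):      return ("sees", p, x)
def said(p, parts):  return ("said", p, parts)      # parts: tuple of formulas
def controls(p, x):  return ("controls", p, x)      # P has jurisdiction over x
def fresh(x):        return ("fresh", x)            # #(x)
def shares(p, k, q): return ("shares", frozenset((p, q)), k)  # P <-k-> Q
def enc(k, *parts):  return ("enc", k, parts)       # {parts}_k

def derive(facts):
    """Return the closure of `facts` under the three postulates."""
    facts = set(facts)
    while True:
        new = set()
        for f in facts:
            if f[0] != "believes" or not isinstance(f[2], tuple):
                continue
            p, x = f[1], f[2]
            if x[0] == "shares":        # P |= P<-k->Q, P sees {X}_k  =>  P |= Q said X
                q = next(iter(x[1] - {p}))
                for g in facts:
                    if g[0] == "sees" and g[1] == p and g[2][:2] == ("enc", x[2]):
                        new.add(believes(p, said(q, g[2][2])))
            elif x[0] == "said":        # P |= #(part), P |= Q said (..part..)  =>  P |= Q |= each part
                q, parts = x[1], x[2]   # a fresh part makes the whole message fresh
                if any(believes(p, fresh(part)) in facts for part in parts):
                    new.update(believes(p, believes(q, part)) for part in parts)
            elif x[0] == "believes":    # P |= Q controls y, P |= Q |= y  =>  P |= y
                q, y = x[1], x[2]
                if believes(p, controls(q, y)) in facts:
                    new.add(believes(p, y))
        if new <= facts:
            return facts
        facts |= new

A, B, T = "A", "B", "T"
KAB = shares(A, "Kab", B)
ASSUMPTIONS = {
    believes(A, shares(A, "Ka", T)), believes(B, shares(B, "Kb", T)),
    believes(A, controls(T, KAB)), believes(A, controls(T, fresh(KAB))),
    believes(B, controls(T, KAB)),
    believes(A, fresh("Na")), believes(B, fresh("Nb")),
}
# Idealized messages 2, 3 and 4 as received by A, B and A respectively.
MSG2 = sees(A, enc("Ka", "Na", KAB, fresh(KAB), enc("Kb", KAB)))
MSG3 = sees(B, enc("Kb", KAB))
MSG4 = sees(A, enc("Kab", "Nb", KAB))

def run(extra=()):
    return derive(ASSUMPTIONS | {MSG2, MSG3, MSG4} | set(extra))

if __name__ == "__main__":
    got = run()
    print("A believes A<->B:", believes(A, KAB) in got)                          # True
    print("A believes B believes A<->B:", believes(A, believes(B, KAB)) in got)  # True
    print("B believes A<->B:", believes(B, KAB) in got)       # False: B cannot tell Kab is fresh
    fixed = run([believes(B, fresh(KAB))])                    # the overlooked assumption
    print("... with B believes #(Kab):", believes(B, KAB) in fixed)              # True
```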
Limitations of Formal Verification (1)
Formal methods can be useful in finding flaws in protocols.
However, the idealization of protocol messages in BAN logic is
not straightforward and can be a source of disagreement.
– This is a serious issue, since analysis using BAN logic is only as good as
the informal protocol idealization upon which it rests.
The 3GPP (Third Generation Partnership Project) used BAN logic
to verify 3GPP AKA (Authentication and Key Agreement), yet it
is vulnerable to a base station in the middle attack.
Limitations of Formal Verification (2)
Using BAN logic requires practice and Burrows et al. (1989)
provide lots of examples to explore.
BAN logic is not the only formal system for reasoning about
security and authentication.
Lampson et al. (1992) developed a theory of authentication and
trust based on the concept of a minimal trusted computing
base (TCB), in which the trustworthiness of each resource that
is not included in the TCB can be derived formally.
A formal system called Security Logic (SL) was developed by
Glasgow et al. (1992) for reasoning about security policies.
Limitations of Formal Verification (3)
In this context, security policies concern secrecy and integrity in
a distributed system.
– Secrecy is formally translated into propositions about principals and
what they have permission to know
– Integrity is translated into propositions about what these principals
are required to know.
Passwords: The bigger picture (1)
When you log on to the University network you enter a password in
a box labelled password.
– PIN numbers are also passwords whether used in connection with
your bank card or mobile phone.
When ringing up a building society about a mortgage application
you will be asked several security questions including typically
your mother’s maiden name or postcode.
– The ease with which such information can be found has resulted in a
significant problem with identity theft; combating this is a major
driving force behind the use of identity cards.
Passwords: The bigger picture (2)
Passwords are a huge issue for security engineering as they are
the basis on which most network security resides.
For example, when rarely visited web sites request a password,
users commonly reuse a password they use regularly, typically
in connection with their work, to be sure they can remember
the password when they need to.
– This means that not only can outsiders attack corporate networks, but
so can insiders of other systems.
Passwords: The bigger picture (3)
According to:
H. J. Kim, “Biometrics, is it a viable proposition for identity authentication and
access control,” Computers & Security, vol. 14, pp. 205–214, 1995
Passwords are only one way of authenticating people to processors.
In general, there are three types of identity authentication tasks:
• Identity authentication for something known, such as a password;
• Identity authentication for something possessed, such as a smart
card;
• Identity authentication for some personal characteristics, such as
fingerprints.
Applied Psychology Issues (1)
There are broadly three concerns with passwords:
– Will the user disclose the password to another person
intentionally, accidentally, or because they were deceived?
– Will the user be able to regularly enter the password
correctly?
– Will users be able to remember their passwords or will
they have to record them somewhere or choose easily
guessed passwords?
Applied Psychology Issues (2)
When an attacker obtains a password directly from its user by
deceit the attack is known as social engineering.
If a password is too random its user will not easily remember it,
and if it is too long it can be too time consuming to enter; in
some stressful situations this can be a safety-critical issue.
Note: Firing codes for US nuclear weapons are no longer than 12
digits.
Design Errors (1)
Designing systems so passwords are memorable is dangerous.
Asking for mother’s maiden name is a classic example of what
not to do.
– This information is easily obtained from public records.
It also makes a cultural assumption, and such assumptions
should be avoided whenever possible.
Design Errors (2)
Do not use your bank PIN for anything else.
– If you do and your card is stolen and the thief manages to access your
account you will probably not be able to recover any of the stolen
money from the bank.
Where a bank allows its customers to choose their own PIN it is
believed about one third of customers use a birth date.
Operational Issues
A classic mistake for system administrators to make is not
resetting default passwords supplied with some systems.
System Issues (1)
To understand what is required of a password system it is
necessary to understand how it can be attacked.
Attacks on passwords can be broadly classified as:
– A targeted attack on one account: The attacker tries to obtain a
particular user’s password.
– Attempt to penetrate any account on a system: The attacker tries to
steal any password for the system. For example, by a dictionary attack.
– Attempt to penetrate any account on any system: This is when an
attacker is seeking access to any system within a given domain.
– Service denial attack: An attacker may want to prevent a specific user
from using the system.
System Issues (2)
Additional factors have to be considered when designing
countermeasures against attacks on passwords.
Attacks will be looked at in more detail later on.
Who are the Potential Attackers?
Does the system need to protect its users from each other?
Multilateral security is a major topic in this module. It includes
ensuring possession of one password will not allow other
passwords to be stolen.
In some cases a user who chooses an easily guessed password
has harmed only themselves; in others, where multilateral
security has not been applied, this is not the case.
Intrusion Detection
An important consideration is how a password system interacts
with an intrusion detection system. If you enter three bad PIN
numbers into a cash machine your card is frozen or not
returned. However, in some cases such an approach leaves a
system open to denial of service attacks.
Training Users
Users can be trained and to some extent controlled.
– They can be required to choose a good password and disciplined if
they do not.
– However, this is not appropriate where the system is offering a service
to the public.
It is good practice for a system administrator to periodically run a
password cracking program to identify weak passwords so
they can be changed or removed.
Technical Protection of Passwords
Password entry needs to be protected. Other people should not
be able to see the password entered, e.g. when Chip and PIN
is used.
The machine you logon to may be malicious.
Windows NT uses the secure attention sequence ctrl-alt-del to
ensure the user sees a genuine password prompt.
– A facility that assures the user they are talking to the genuine system
is called a trusted path.
Attacks on Password Storage (1)
If a system logs failed password attempts the log may contain a
large number of genuine passwords because of users getting
the username and password sequence wrong.
A plain text file of passwords must not be kept on the system.
– Normally, when a password is entered it is passed through a one-way
function and the result checked to see if it matches a stored value.
• The one-way function may be a hash algorithm or an encryption
algorithm.
Attacks on Password Storage (2)
Some systems that use an encrypted password file make it
widely readable.
– Unix used to make the encrypted password file world readable.
– An attacker could steal this file and perform a dictionary attack by
passing each entry in the dictionary through the appropriate one way
function and seeing if they obtain a match.
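The one-way-function storage described above, together with the periodic weak-password audit recommended under Training Users, as an added Python example (not code from the lecture notes). The store layout, the PBKDF2-HMAC-SHA256 work factor, the user names and the wordlist are constructed for this example.

```python
import hashlib
import hmac
import os

# Added example, not from the lecture notes: passwords are kept only as a
# per-user salt plus the output of a one-way function, and the administrator
# audit re-runs the same function over a wordlist to find weak choices.
ITERATIONS = 100_000   # assumed PBKDF2 work factor for this example

def kdf(password: str, salt: bytes) -> bytes:
    """The one-way function: PBKDF2-HMAC-SHA256 over the salted password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def enrol(store: dict, user: str, password: str) -> None:
    """Record salt and derived value only; the plain password is never stored."""
    salt = os.urandom(16)
    store[user] = (salt, kdf(password, salt))

def verify(store: dict, user: str, attempt: str) -> bool:
    """Recompute the one-way function on the attempt and compare in constant time."""
    if user not in store:
        return False
    salt, stored = store[user]
    return hmac.compare_digest(kdf(attempt, salt), stored)

def audit_weak(store: dict, wordlist) -> list:
    """Administrator check: accounts whose password appears in the wordlist.
    Because of the per-user salt, each word must be re-derived for every
    account, which is also what makes a stolen file costlier to search."""
    weak = []
    for user, (salt, stored) in store.items():
        if any(hmac.compare_digest(kdf(word, salt), stored) for word in wordlist):
            weak.append(user)
    return sorted(weak)

def demo() -> dict:
    """Constructed sample store with one strong and one weak password."""
    store = {}
    enrol(store, "alice", "correct horse battery staple")
    enrol(store, "bob", "password")
    return store

if __name__ == "__main__":
    s = demo()
    print(verify(s, "bob", "password"), verify(s, "bob", "Password"))  # True False
    print(audit_weak(s, ["123456", "password", "qwerty"]))            # ['bob']
```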
Absolute Limits
There are often absolute limits imposed on passwords by the
underlying operating system.
Unix systems used to limit the length of a password to eight
characters.
This gives 96^8 possible passwords, which is about 2^52, and the
average effort for a search is about half that.
A well organised group of attackers can break any encrypted
password in a standard Unix password file.
State-of-the-Art (1)
Chwei-Shyong Tsai, Cheng-Chi Lee, and Min-Shiang Hwang,
“Password Authentication Schemes: Current Status and Key
Issues”, International Journal of Network Security, Vol. 3, No. 2,
pp. 101–115, Sept. 2006 (http://ijns.nchu.edu.tw/)
Surveys current password-authentication-related schemes and
classifies them in terms of several crucial criteria. They
conclude that:
“Most of the existing schemes are vulnerable to various attacks
and fail to serve all the purposes an ideal password
authentication scheme should.”
State-of-the-Art (2)
An ideal password authentication scheme has to withstand the
following attacks:
SR1. Denial of Service Attacks
An attacker can update false verification information of a legal
user for the next login phase. Afterwards, the legal user will
not be able to login successfully anymore.
SR2. Forgery Attacks (Impersonation Attacks)
An attacker attempts to modify intercepted communications to
masquerade as the legal user and login to the system.
State-of-the-Art (3)
SR3. Forward Secrecy
It ensures that the previously generated passwords in the system
are secure even if the system’s secret key has been revealed in
public by accident or is stolen.
SR4. Mutual Authentication
The user and the server can authenticate each other.
Not only can the server verify the legal users, but the users can
also verify the legal server.
– Mutual authentication can help withstand the server spoofing attack
where an attacker pretends to be the server to manipulate sensitive
data of the legal users.
State-of-the-Art (4)
SR5. Parallel Session Attacks
Without knowing a user’s password, an attacker can masquerade
as the legal user by creating a valid login message out of some
eavesdropped communication between the user and the
server.
SR6. Password Guessing Attacks
Most passwords have such low entropy that they are vulnerable
to password guessing attacks, where an attacker intercepts
authentication messages and stores them locally and then
uses a guessed password and seeks to verify the correctness of
their guess using these authentication messages.
State-of-the-Art (5)
SR7. Replay Attacks
Having intercepted previous communications, an attacker can
replay the intercepted messages to impersonate the legal user
to login to the system.
SR8. Smart Card Loss Attacks
When the smart card is lost or stolen, unauthorized
State-of-the-Art (6)
An ideal password authentication scheme should withstand all
of the above attacks, and achieve the following goals:
1. The passwords or verification tables are not stored in the
system.
2. The passwords can be chosen and changed freely by the
users.
3. The passwords cannot be revealed by the administrator of the
server.
State-of-the-Art (7)
4. The passwords are not transmitted in plain text over the
network.
5. The length of a password must be appropriate for
memorization.
6. The scheme must be efficient and practical.
State-of-the-Art (8)
7. Any unauthorized login can be quickly detected when a user
inputs a wrong password.
8. A session key is established during the password
authentication process to provide confidentiality of
communication.
State-of-the-Art (9)
9. The ID should be dynamically changed for each login session
to avoid partial information leakage about the user’s login
message.
10. The proposed scheme is still secure even if the secret key of
the server is leaked out or stolen.
Many existing password-authentication schemes use a password
with something possessed like a smart card to identify a user.
Future Directions (1)
To achieve an ideal password authentication scheme it is
anticipated that in addition to something possessed a
biometric such as an iris pattern will be used.
Significantly, most current password authentication schemes are
designed for a single-server environment.
Some recent schemes work with multi-server architectures,
where users register at the registration centre only once and
access resources from different servers efficiently.
• Kerberos is such a scheme but all the servers have to be on the same
network.
Future Directions (2)
It is anticipated that significant effort will go into enhancing such
schemes in the coming years.
Note: For the purposes of authenticating the identity of one
computing device to another, cryptographic protocols are
more difficult to circumvent than passwords.
References
Burrows, M., Abadi, M. and Needham, R. (1989) “A Logic of Authentication”,
Tech. Report 39, Palo Alto CA: Digital Equipment Corporation Systems
Research Center.
Coulouris, G., Dollimore, J. and Kindberg, T. (1994) Archive material from
Edition 2 of Distributed Systems: Concepts and Design,
http://www.cdk3.net/security/Ed2/BANLogic.pdf
Glasgow, J., MacEwen, G. and Panangaden, P. (1992) “A Logic for Reasoning
about Security”, ACM Trans. Computer Systems, vol. 10, no. 3, pp. 265–310.
Lampson, B.W., Abadi, M., Burrows, M. and Wobber, E. (1992) “Authentication
in Distributed Systems: Theory and Practice”, ACM Trans. on Computer
Systems, vol. 10, no. 4, pp. 265–310.
http://www.acsac.org/2005/papers/Bell.pdf
Homework
• Burrows et al. (1989) – lots of examples to explore.
• The 3GPP (Third Generation Partnership Project) used BAN logic to verify
3GPP AKA (Authentication and Key Agreement) – how?
• TCB
• SL