
An Encapsulated Authentication Logic for Reasoning about Key - PowerPoint PPT Presentation

An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols. Catherine Meadows (NRL), Dusko Pavlovic (Kestrel Institute), Iliano Cervesato (Tulane University). CSFW 2005, June 20, 2005.


  1. An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols
     Catherine Meadows (NRL), Dusko Pavlovic (Kestrel Institute), Iliano Cervesato (Tulane University)
     CSFW 2005, June 20, 2005

  2. Contributions
     • Separate
       - Authentication reasoning
       - Secrecy reasoning
     • Define a logic of pure authentication
       - Secrecy as assumptions
       - Proof obligations
     • Embed it in derivational framework
     • Apply to key distribution protocols
       - Taxonomy
       - Comparative study
       - Clear understanding of underlying mechanisms
     I. Cervesato: Encapsulated Authentication Logic

  3. Server-Assisted Shared Key Distribution Protocols
     [Taxonomy diagram; nodes: KD0, KD1, KD2, KD3, KD4, DS, NSSK0, NSSKfix0, K5core0, K4core0, NSSK1, NSSKfix1, K5core, K4core, NSSK, NSSKfix]

  4. Key Distribution Protocols
     [Diagram: Generate k; Send k to A; Send k to B]
     • Secrecy depends on authentication
       - k secret only if sent over authenticated channels
     • Authentication depends on secrecy
       - Cryptographic authentication relies on secrecy of long-term keys
     [Diagram labels: Authentication, Secrecy]

  5. Verifying KD Protocols
     Historically single monolithic proofs … BUT … secrecy and authentication rely on very different proof methods
     • Authentication
       - Completing partial order of actions
         - Get piping right
       - Local reasoning
       - Positive inference
     • Secrecy
       - Secret goes only to intended recipients
         - Pipes do not leak
       - Global reasoning
       - Negative inference

  6. Divide et Conquera
     • Two coordinated logics
       - Logic of authentication
         - Relies on secrecy assumptions
           - Proof obligation in secrecy logic
       - Logic of secrecy
         - Relies on authentication assumptions
           - Proof obligation in auth. logic
     • Benefits
       - Much simpler proofs
       - Modularity
         - Independent of notion of secrecy

  7. Describing Protocol Runs
     • Messages
       - k m: encryption
       - m,m': pairing
     • Principal actions
       -  m: A -> B  A: send
       - (X: Y -> Z)_A: receive
       - (m/p(x))_A: match
       - (ν n)_A, (τ t)_A: new nonce, timestamp
       - Abbrv.:  m  A, ((m))_A,  m  A<
     • Protocols
       - Set of parametric roles
       - Akin to observations
     • Runs
       - Partial order of actions
       - Every receive has a send
       - Every match has succeeded
     • Observations

  8. Authentication Logic
     • First-Order logic with 3 predicates
       - a_A: action a_A has occurred
       - a_A < b_B: a_A has occurred before b_B
       - a_A = b_B: a_A and b_B are the same action
       - Nothing else!
     • Usage
       - Given A’s observations, extend them with other principal’s actions
       - Derive compatible runs
         A: Obs_A  Φ
         A: Ψ & Obs_A  Φ
       - Iterated application of axioms

  9. Logical Assumptions
     • Honesty
       - Principal does not deviate from role
       - honest S
     • Secrecy
       - Key uncompromised for given principals
       - secret(k, G) =  k m  X<  X ∈ G & (x/k y)_X  X ∈ G
     [Diagram: principals A, S, Z?; message k m; assumption secret(k,[A,S])]

  10. Axioms
      • Basic truths about domain
        - Receive axiom
          Y: ((m))_A   m  X< < ((m))_A
          [Diagram: principals A, X; message m; time axis]
        - Timestamp axiom
          A: honest B &  t  B< < ((t))_A  (t- δ)_A < (τ t)_B <  t  B< < ((t))_A < (t- ∆)_A
          [Diagram: principals B, A; message t; time marks t_A - δ, t_A, t_A + ∆; Honest B]
      • Allow inferring new actions/ordering

  11. Schemas and Instances
      • Desired functionalities
        - Nonce-based Challenge-Response property
          A: Φ & (ν n)_A <  C n  A< < ((R n))_A  (ν n)_A <  C n  A< < ((C n))_B <  R n  B< < ((R n))_A
      • Verified instances
        - Challenge in the clear/Response encrypted
          A: secret(K, [A,B]) & (ν n)_A <  n  A< < ((K n))_A  (ν n)_A <  n  A< < ((n))_B <  K n  B< < ((K n))_A
      [Diagram: principals A, B; labels n, n, K n; assumption secret(K, [A,B])]

  12. Abstract Key Distribution
      [Message diagram, principals A, S, B: ν k; K_AS k; K_BS k]
      • S spontaneously
        - Generates k
        - Sends it to A, B
        - A, B hardwired
        - Encrypted with K_AS, K_BS
      • A observes only (K_AS k)
      • A reconstructs run
        - Must assume
          - honest S
          - secret(K_AS, [A,S])
        - Not secret(K_BS, [B,S])
          - B’s reception unknown
      • Dual for B
      [Derivation formulas for A; recoverable terms: A: (K_AS k)_A; secret(K_AS, [A,S]); honest S; (ν k)_S;  K_AS k  X<;  K_AS k  S<;  K_BS k  S<]
      [Run diagrams, principals A, X, S, B: ν k; K_AS k; K_BS k with ? at B; assumptions secret(K_AS, [A,S]), honest S]

  13. Derivational Approach
      • Use rules, not just axioms
        - Operate on protocol and properties
        - Refinements
        - Transformations
      • Advantages
        - Abstract general constructions
        - Reuse protocol fragments
        - Structured understanding of
          - Mechanism
          - Properties
          - Relations between protocols
        - Open-ended taxonomies

  14. Key Request
      [Taxonomy diagram; step label: Parameter discharge]
      [Message diagram, principals A, S, B: A,B; ν k; K_AS k; K_BS k]
      • A may not be talking to B
        - Even if S honest
      • Same for B

  15. Binding
      [Taxonomy diagram; step label: Name binding]
      [Message diagram, principals A, S, B: A,B; ν k; K_AS(B,k); K_BS(A,k)]
      • A (B) authenticated to B (A)

  16. Concatenated Relay
      [Taxonomy diagram; step label: Relay]
      [Message diagram, principals A, S, B: A,B; ν k; K_AS(B,k), K_BS(A,k); K_BS(A,k)]
      • A knows S sent K_AS(B,k), K_BS(A,k)
      • A received K_AS(B,k), M
      • A doesn’t know if M = K_BS(A,k)
      • Documented anomaly of Kerberos 5

  17. Embedded Relay
      [Taxonomy diagram; step labels: Relay, Auth. injection]
      [Message diagram, principals A, S, B: A,B; ν k; K_AS(B,k,K_BS(A,k)); K_BS(A,k)]
      • A authenticates B assuming
        - secret(K_BS, [B,S])

  18. B’s Point of View
      • With only
        - secret(K_BS, [B,S])
        - knows S generated k
      • With also
        - secret(K_AS, [A,S])
        - knows A knows k
        - A may not be honest
      [Message diagrams, principals A, S, B (and X): A,B; ν k; K_AS(B,k,K_BS(A,k)); K_BS(A,k); annotated with secret(K_BS, [B,S]), honest S, secret(K_AS, [A,S])]

  19. Additional Properties
      • Recency
        - (ν k)_S bracketed by events controlled by A/B
        - Otherwise, intruder can infer k and attack protocol
          - Even if S is honest
        - Not satisfied so far
      • Key confirmation
        - A/B knows that B/A has k
        - Essential for using k
        - Only B in KD4 (under assumption)

  20. Recency with Nonces
      • Use challenge-response as bracket
      [Message diagram, principals A, S, B: A,B; ν k; K_AS(B,k,K_BS(A,k)); K_BS(A,k)]
      [Message diagram, principals A, S: ν n; n; K_AS n]
      [Combined message diagram: ν n; A,B,n; ν k; K_AS(n,B,k,K_BS(A,k)); K_BS(A,k)]

  21. Core NSSK
      [Taxonomy diagram; step label: Nonce-based CR]
      [Message diagram, principals A, S, B: ν n; n,A,B; ν k; K_AS(n,B,k,K_BS(A,k)); K_BS(A,k)]
      • Ensures recency of k to A
      • A can reconstruct run up to B’s action
      • No such guarantees for B
        - Denning-Sacco attack

  22. Core NSSKfix
      [Taxonomy diagram; step label: Nonce-based CR]
      [Message diagram, principals A, S, B: A; ν n’; K_BS(A,n’); ν n; n,A,B,K_BS(A,n’); ν k; K_AS(n,B,k,K_BS(A,k,n’)); K_BS(A,k,n’)]

  23. Key Confirmation
      [Taxonomy diagram; step label: Post-composition]
      • Under the assumption
        - secret(k, [A,B,S])
      [Message diagram, principals A, S, B: ν n; n,A,B; ν k; K_AS(n,B,k,K_BS(A,k)); K_BS(A,k); k m]

  24. NSSK does more!
      [Message diagram, principals A, S, B: ν n; n,A,B; ν k; K_AS(n,B,k,K_BS(A,k)); K_BS(A,k); ν n’; k n’; k (n’+1)]
      • B concludes with CR
        - k not confirmed to A
          - Unless tagging
        - B already knows A has k
      • Exchange typical of repeated authentication
        - B repeatedly requests service from A
        - … but A is initiator!
      • Similarly for NSSK-fix
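
Added example (not from the slides or the authors' paper): a Python model of the Concatenated Relay and Embedded Relay slides, showing why A cannot tell whether M = K_BS(A,k) in the first form while the embedded form puts the ticket under A's own check. The `seal`/`unseal` helpers, the field names and the sample keys are assumptions constructed for illustration; they model only the authentication property of K(m), not confidentiality.

```python
import hashlib, hmac, json, os

def seal(key, fields):
    # Stand-in for K(m): proves only "made by a holder of K"; k is not hidden.
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]  # HMAC-SHA256 tag is 32 bytes
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not produced under this key")
    return json.loads(body)

def server_concatenated(k_as, k_bs, k):
    # Concatenated relay: K_AS(B,k), K_BS(A,k) travel side by side.
    return seal(k_as, {"peer": "B", "k": k}), seal(k_bs, {"peer": "A", "k": k})

def server_embedded(k_as, k_bs, k):
    # Embedded relay: K_AS(B,k,K_BS(A,k)).
    ticket = seal(k_bs, {"peer": "A", "k": k})
    return seal(k_as, {"peer": "B", "k": k, "ticket": ticket.hex()})

def a_relays_concatenated(k_as, own_part, m):
    # A holds no K_BS, so M is forwarded to B unchecked.
    return unseal(k_as, own_part)["k"], m

def a_relays_embedded(k_as, blob):
    fields = unseal(k_as, blob)  # one tag covers B, k and the ticket
    return fields["k"], bytes.fromhex(fields["ticket"])

def keys_agree(k_bs, k_at_a, relayed):
    return unseal(k_bs, relayed)["k"] == k_at_a

def demo():
    k_as, k_bs = os.urandom(32), os.urandom(32)      # constructed long-term keys
    other = seal(k_bs, {"peer": "A", "k": "k-old"})  # constructed M != K_BS(A,k)
    own, _ = server_concatenated(k_as, k_bs, "k-new")
    k, m = a_relays_concatenated(k_as, own, other)   # A sees no error
    concatenated = keys_agree(k_bs, k, m)
    blob = server_embedded(k_as, k_bs, "k-new")
    embedded = keys_agree(k_bs, *a_relays_embedded(k_as, blob))
    try:
        a_relays_embedded(k_as, blob.replace(b"k-new", b"k-old"))
        detected = False
    except ValueError:
        detected = True
    return concatenated, embedded, detected
```

`demo()` returns `(False, True, True)`: with the concatenated form A and B end up with different keys and A sees no error, while with the embedded form the keys agree and any change to A's message fails A's check.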
