UT CS 361 - Lecture 65: The BAN Logic: Needham-Schroeder


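Foundations of Computer Security
Lecture 65: The BAN Logic: Needham-Schroeder
Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

Needham-Schroeder: Idealization

Recall the Needham-Schroeder protocol:

1. $A \rightarrow S : A, B, N_a$
2. $S \rightarrow A : \{N_a, B, K_{ab}, \{K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
3. $A \rightarrow B : \{K_{ab}, A\}_{K_{bs}}$
4. $B \rightarrow A : \{N_b\}_{K_{ab}}$
5. $A \rightarrow B : \{N_b - 1\}_{K_{ab}}$

Needham-Schroeder is idealized as follows:

1. omitted since all components are plaintext
2. $S \rightarrow A : \{N_a, (A \stackrel{K_{ab}}{\longleftrightarrow} B), \#(A \stackrel{K_{ab}}{\longleftrightarrow} B), \{A \stackrel{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$
3. $A \rightarrow B : \{A \stackrel{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}$
4. $B \rightarrow A : \{N_b, (A \stackrel{K_{ab}}{\longleftrightarrow} B)\}_{K_{ab}}$ from $B$
5. $A \rightarrow B : \{N_b, (A \stackrel{K_{ab}}{\longleftrightarrow} B)\}_{K_{ab}}$ from $A$

BAN Logic: Assumptions

The following initial assumptions are given for Needham-Schroeder:

$A \mid\equiv A \stackrel{K_{as}}{\longleftrightarrow} S$
$B \mid\equiv B \stackrel{K_{bs}}{\longleftrightarrow} S$
$S \mid\equiv A \stackrel{K_{as}}{\longleftrightarrow} S$
$S \mid\equiv B \stackrel{K_{bs}}{\longleftrightarrow} S$
$S \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B$
$A \mid\equiv (S \Rightarrow A \stackrel{K}{\longleftrightarrow} B)$
$B \mid\equiv (S \Rightarrow A \stackrel{K}{\longleftrightarrow} B)$
$A \mid\equiv (S \Rightarrow \#(A \stackrel{K}{\longleftrightarrow} B))$
$A \mid\equiv \#(N_a)$
$B \mid\equiv \#(N_b)$
$S \mid\equiv \#(A \stackrel{K_{ab}}{\longleftrightarrow} B)$
$B \mid\equiv \#(A \stackrel{K}{\longleftrightarrow} B)$

The very last of these is pretty strong. Needham and Schroeder did not realize they were making it, and were criticized for it.

BAN Logic: Analyzing the Protocol

From step 2 of the (idealized) protocol:

$$A \triangleright \{N_a, (A \stackrel{K_{ab}}{\longleftrightarrow} B), \#(A \stackrel{K_{ab}}{\longleftrightarrow} B), \{A \stackrel{K_{ab}}{\longleftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$$

The Nonce Verification Rule says:

$$\frac{A \mid\equiv (\#(X)), \quad A \mid\equiv (S \mid\sim X)}{A \mid\equiv (S \mid\equiv X)}$$

Since A believes $N_a$ to be fresh, we get:

$$A \mid\equiv (S \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B)$$

The Jurisdiction Rule says that:

$$\frac{A \mid\equiv (S \Rightarrow X), \quad A \mid\equiv (S \mid\equiv X)}{A \mid\equiv X}$$

From this we obtain:

$A \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B$
$A \mid\equiv \#(A \stackrel{K_{ab}}{\longleftrightarrow} B)$

Since A has also seen the part of the message encrypted under B's key, he can send it to B. B decrypts the message and obtains:

$$B \mid\equiv (S \mid\sim A \stackrel{K_{ab}}{\longleftrightarrow} B)$$

meaning that B believes that S once sent the key.

At this point, we need the final dubious assumption:

$$B \mid\equiv \#(A \stackrel{K}{\longleftrightarrow} B)$$

With it, we can get:

$$B \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B$$

From the last two messages, we can infer the following. How?

$A \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B$
$B \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B$
$A \mid\equiv (B \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B)$
$B \mid\equiv (A \mid\equiv A \stackrel{K_{ab}}{\longleftrightarrow} B)$

These are the point of the protocol. The proof exhibits some assumptions that were not apparent.

Lessons

- Use of a logic like BAN shows what is provable and also what must be assumed.
- Using BAN effectively requires a lot of practice and insight into the protocol.

Next lecture: PGP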
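Added example (not part of the lecture slides): a small forward-chaining checker that applies message meaning, nonce verification and jurisdiction to the idealized messages, then shows that B's belief in the key is derivable only when the dubious freshness assumption is included. The tuple encoding, the function names, the choice to encode only A's and B's assumptions, and the instantiation of the generic K as Kab are assumptions of this sketch.

```python
# Added example: forward-chaining over the BAN rules used in the lecture.
# The tuple encoding and all function names are assumptions of this sketch.
def key(k, p, q): return ("key", k, p, q)        # p <-k-> q
def bel(p, x): return ("bel", p, x)              # p believes x
def fresh(x): return ("fresh", x)                # #(x)
def ctrl(p, x): return ("ctrl", p, x)            # p has jurisdiction over x
def enc(k, *parts): return ("enc", k, parts)     # {parts}_k

KAB = key("Kab", "A", "B")                       # generic K instantiated as Kab
ASSUMPTIONS = {
    bel("A", key("Kas", "A", "S")), bel("B", key("Kbs", "B", "S")),
    bel("A", ctrl("S", KAB)), bel("B", ctrl("S", KAB)),
    bel("A", ctrl("S", fresh(KAB))),
    bel("A", fresh("Na")), bel("B", fresh("Nb")),
}
DUBIOUS = bel("B", fresh(KAB))                   # the criticized assumption
TICKET = enc("Kbs", KAB)
SEEN = {  # idealized messages 2-5 as (receiver, message)
    ("A", enc("Kas", "Na", KAB, fresh(KAB), TICKET)), ("B", TICKET),
    ("A", enc("Kab", "Nb", KAB)), ("B", enc("Kab", "Nb", KAB)),
}

def derive(beliefs):
    """Close a set of beliefs under the three rules; returns all beliefs."""
    facts = set(beliefs)
    while True:
        new = set()
        for _, p, x in facts:
            # Message meaning: p shares key x[1] with q and sees {parts}_k.
            if x[0] == "key" and p in x[2:]:
                q = next(n for n in x[2:] if n != p)
                for r, (_, k, parts) in SEEN:
                    if r == p and k == x[1]:
                        # One fresh component makes the whole message fresh.
                        is_fresh = any(bel(p, fresh(m)) in facts for m in parts)
                        for m in parts:
                            new.add(bel(p, ("said", q, m)))
                            if is_fresh:         # nonce verification
                                new.add(bel(p, bel(q, m)))
            # Jurisdiction: p believes q controls x[2] and q believes x[2].
            if x[0] == "bel" and bel(p, ctrl(x[1], x[2])) in facts:
                new.add(bel(p, x[2]))
        if new <= facts:
            return facts
        facts |= new

if __name__ == "__main__":
    print(bel("B", KAB) in derive(ASSUMPTIONS | {DUBIOUS}))  # with assumption
    print(bel("B", KAB) in derive(ASSUMPTIONS))              # without it
```

Without DUBIOUS the checker stops at B believing that S once said the key, which is the step where the slides bring in the final assumption.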