EE5552 Network Security and Encryption block 2 Dr. T.J. Owens CMath, FIMA, MIEEE Dr T. Itagaki MIET, MIEEE, MAES


Block 2: BAN Logic and Passwords

Objectives (1)

• To give a flavour of formal methods by introducing BAN logic
• To appreciate that BAN logic provides help in finding flaws in authentication protocols; it cannot guarantee they are not flawed
– This will help you avoid situations of “the King’s new clothes”

Objectives (2)

By way of light relief:
– To present the goals an ideal password authentication scheme would achieve

Introduction (1)

In distributed computing, protocols provide the rules on how to communicate.

To protect communications from attackers, cryptographic protocols were developed. A cryptographic protocol is a protocol that uses encryption in some way.

Unfortunately, many cryptographic protocols have been found to be vulnerable to attacks that do not require that the encryption be broken.

Introduction (2)

In such attacks the messages in the protocol are manipulated by the attacker in some way to the benefit of the attacker.
o The consequences can range from confidentiality being compromised to the attacker being able to impersonate a legitimate user.

A class of cryptographic protocols that are fundamental to the security of a system are the authentication protocols.

Introduction (3)

To be able to design a robust authentication protocol it is necessary to fully understand what it achieves. The logic of authentication formally describes the knowledge and the beliefs of the legitimate parties involved in authentication and, while analysing the protocol step by step, describes how their knowledge and beliefs change at each step. After the analysis, all the final states of the protocol are set out.

BAN Logic (1)

The BAN logic appeared in 1989 in a publication by Burrows, Abadi and Needham, who invented it and gave it its name.
– It was the first attempt to formalise the description and analysis of authentication protocols.

A protocol in the BAN logic is described by logical formulas, with the aim of writing each step of the protocol in such a way that all the essential information gained from the step is shown.
– This is an idealisation of the protocol.

BAN Logic (2)

Some of the most often used formulas of the BAN logic are:

P believes X. The principal P may act as if X is true.

P sees X. P has received X in a message and can read and repeat X (send it on).

P once said X. P sent a message at some point including X. It is known that P believed X when the message was sent.

BAN Logic (3)

P has jurisdiction over X. P has delegated authority over statement X.

The message X is fresh. X has not been sent before. This is usually assumed to be the case for nonces.

BAN Logic (4)

P and Q may use the shared key K to communicate; K is assumed to be secure.

P and Q share the secret X.
• An important example of X is a password.

Message X encrypted under key K.

Time (1)

In the BAN logic, time is divided into the past and the present.

The present begins when the protocol starts running. All messages sent before this are in the past and the protocol should reject such messages.

The above formulas are manipulated using logical postulates. In the BAN logic means if P is true then Q is true.

The logical postulates include message-meaning rules, which explain how to derive beliefs about the source of messages.

Time (2)

For shared keys, the BAN logic postulates:

That is, if A believes that the key K is shared with B and sees a message X encrypted under K, then A believes that B once said X.

For this rule to be sound, we must guarantee that A did not send X herself; it is enough to remember that stands for a formula of the form from R for some R and to require that

Time (3)

The nonce verification rule expresses the check that a message is recent, and therefore that the sender still believes in it:

This says that if A believes that X could have been created only recently and that B once said X, then A believes that B believes X. For the sake of simplicity, X must be plaintext.

Time (4)

The jurisdiction rule states that if A believes that B has jurisdiction over X and A believes that B believes X, then A believes X.

Given the postulates, proofs in the logic can be constructed.

Protocol Idealization (1)

A protocol is presented in steps where each step involves the sending and the receiving of one message. A protocol step is normally written in standard protocol engineering notation, for example,

This means that A sends and B receives a message encrypted with KBP (a shared key that can be taken to be Bob’s public key). The message consists of the name of A and a shared key KAB to be used by A and B for secure communication between them.

Protocol Idealization (2)

In the BAN logic this protocol step would be written in an idealized way as:

This means that A sends and B receives a message encrypted with KBP and that the message includes a shared key KAB to be used by A and B for secure communication between them.

Protocol Idealization (3)

The crucial point is that the purpose of idealization is to omit the parts of the message that do not contribute to the beliefs of the recipient.

In this case the name of A is omitted because the protocol engineering notation for the step implicitly assumes that B accepts that the message came from A when he receives it, and that possession of the name of A does not change this.

Protocol Analysis using the BAN Logic (1)

In the BAN logic the analysis of a protocol is carried out in four stages:

1. Each step of the protocol is written in idealized form.
2. Assumptions about the initial state are written.
3. Logical formulas are attached to the idealized steps of the protocol, as assertions about the state of the system after each step.
4. The BAN logic postulates are applied to the assumptions and the assertions in order to determine the beliefs held by the parties in the protocol.

Protocol Analysis using the BAN Logic (2)

This procedure may be repeated as new assumptions are found to be necessary and as the idealized protocol is refined.

It is very important to realize that the idealized form of each message cannot be determined merely by looking at a single protocol step by itself. Only knowledge of the entire protocol can determine the essential logical contents of the message.

Typically, the assumptions include statements about key possession and sharing, nonce generation and trust between the principals.

Protocol Analysis using the BAN Logic (3)

Specifically, idealized protocols are annotated with formulas, which are then manipulated with the postulates. A protocol is a sequence of “send” statements of the form with . An annotation for a protocol consists of a sequence of assertions inserted before the first statement and after each statement; the assertions used are conjunctions of formulas of the BAN logic.

The first assertion contains the assumptions, while the last assertion contains the conclusions.

Representing the Needham-Schroeder Protocol using the BAN Logic (1)

First note that an idealized protocol in the BAN logic omits plain text messages because they can be forged, and so do not contribute anything useful to the authentication protocol. So step 1 of the Needham-Schroeder protocol is omitted. Recall that the subsequent steps are:

Message 2:

Message 3:

Message 4:

Message 5:

Representing the Needham-Schroeder Protocol using the BAN Logic (2)

After receiving Message 3, B decrypts it and then carries out a nonce handshake with A to check that A is ready to receive a message from him, since Message 3 might have been a replay.

The use of in the last message is conventional. Almost any function of would do, as long as B can distinguish his message from A’s; thus, subtraction is used to indicate that the message is from A rather than from B.

Representing the Needham-Schroeder Protocol using the BAN Logic (3)

The above steps in idealized form are:

Message 2:

Message 3:

Message 4: from B

Message 5: from A

Representing the Needham-Schroeder Protocol using the BAN Logic (4)

The # statement about KAB in Message 2 is present because A believes that KAB is fresh.

The statements about KAB in Messages 4 and 5 are present because the messages were sent to assure B that the key is fresh and to assure each principal that the other believes the key is good. The “from” statements are included to distinguish Messages 4 and 5.

Analyzing the Protocol (1)

To fully understand the protocol, all the initial assumptions made must be understood; BAN logic helps achieve this. After a little thought the following initial assumptions should be obvious (P ↔K Q is written for “P and Q share the key K”, and #X for “X is fresh”):

A believes A ↔K_AT T,  B believes B ↔K_BT T

T believes A ↔K_AT T,  T believes B ↔K_BT T

T believes A ↔K_AB B

Analyzing the Protocol (2)

After a little thought the following initial assumptions should be obvious:

A believes T has jurisdiction over A ↔K_AB B,  B believes T has jurisdiction over A ↔K_AB B

A believes T has jurisdiction over #(A ↔K_AB B)

A believes #N_A,  B believes #N_B

T believes #(A ↔K_AB B)

Analyzing the Protocol (3)

A logical proof of the protocol will now be attempted. First A sends a plaintext message including a nonce. In Message 2 Trent repeats the nonce in a reply which also contains K_AB. A can decrypt Message 2, so:

Since A knows N_A is fresh, the nonce verification postulate can be applied to give:

A believes T believes A ↔K_AB B

A believes T believes #(A ↔K_AB B)

Analyzing the Protocol (4)

The jurisdiction postulate gives:

A believes A ↔K_AB B

Also:

A believes #(A ↔K_AB B)

Analyzing the Protocol (5)

So A can send this to B. At this point, B decrypts the message and the appropriate message-meaning postulate gives:

However, it is impossible to proceed unless the assumption is made that:

This highlights the weakness of the protocol, because B has nothing to tell him the message is fresh. In effect this is an initial assumption of the protocol that was overlooked by its creators.
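To make the message-meaning, nonce-verification and jurisdiction postulates of Time (2)–(4) and the proof attempt of Analyzing the Protocol (1)–(5) concrete, the following added example (written for these notes; it is not code from the lecture or from Burrows et al.) is a minimal BAN-logic inference engine. It encodes formulas as tuples, applies the three postulates together with the usual decomposition of conjunctions until no new belief appears, and runs this over the Needham-Schroeder assumptions listed above. The rule set, the tuple encoding and the omission of message ordering are this example’s own simplifications; as the slides argue, A ends up believing the key while B does not, unless the overlooked assumption that B believes #(A ↔K_AB B) is added.

```python
# Added example: a tiny BAN-logic fixed-point engine (not the lecture's own code).
# Formulas are tuples so they can live in a set. Only the postulates named on the
# slides (message meaning for shared keys, nonce verification, jurisdiction) plus
# conjunction decomposition are implemented; message order is not modelled.

def atom(name):         return ("atom", name)          # a nonce such as N_A
def believes(p, x):     return ("believes", p, x)      # P believes X
def sees(p, x):         return ("sees", p, x)          # P sees X
def said(p, x):         return ("said", p, x)          # P once said X
def controls(p, x):     return ("controls", p, x)      # P has jurisdiction over X
def fresh(x):           return ("fresh", x)            # #X, X is fresh
def sharekey(k, p, q):  return ("sharekey", k, p, q)   # P <-K-> Q, P and Q share key K
def enc(k, x):          return ("enc", k, x)           # {X}_K
def conj(*xs):          return ("and",) + xs           # (X, Y, ...) inside one message

def parts(x):
    """Components of a conjunction; anything else is its own only part."""
    return list(x[1:]) if x[0] == "and" else [x]

def partner(p, key_formula):
    """If key_formula says P shares the key with someone, return that someone."""
    _, _, a, b = key_formula
    return b if p == a else a if p == b else None

def step(facts):
    """One round of the postulates; returns only newly derived formulas."""
    new = set()
    for f in facts:
        if f[0] == "sees":
            p, x = f[1], f[2]
            for part in parts(x):                       # P sees (X, Y) -> P sees X, P sees Y
                new.add(sees(p, part))
            if x[0] == "enc":                           # message meaning (shared keys):
                k, body = x[1], x[2]                    # P believes P<-K->Q, P sees {X}_K -> P believes Q said X
                for g in facts:
                    if g[0] == "believes" and g[1] == p and g[2][0] == "sharekey" and g[2][1] == k:
                        q = partner(p, g[2])
                        if q is not None:
                            new.add(believes(p, said(q, body)))
        elif f[0] == "believes":
            p, x = f[1], f[2]
            for part in parts(x):                       # P believes (X, Y) -> P believes X
                new.add(believes(p, part))
            if x[0] == "said":
                q, body = x[1], x[2]
                for part in parts(body):                # P believes Q said (X, Y) -> P believes Q said X
                    new.add(believes(p, said(q, part)))
                # nonce verification: P believes #X, P believes Q said X -> P believes Q believes X
                # (a conjunction is fresh when any of its components is believed fresh)
                if any(believes(p, fresh(part)) in facts for part in parts(body)):
                    new.add(believes(p, believes(q, body)))
            elif x[0] == "believes":
                q, body = x[1], x[2]
                for part in parts(body):                # P believes Q believes (X, Y) -> ... believes X
                    new.add(believes(p, believes(q, part)))
                # jurisdiction: P believes Q controls X, P believes Q believes X -> P believes X
                if believes(p, controls(q, body)) in facts:
                    new.add(believes(p, body))
    return new - facts

def closure(facts):
    """Apply the postulates until no new belief appears."""
    facts = set(facts)
    while True:
        new = step(facts)
        if not new:
            return frozenset(facts)
        facts |= new

# Idealized Needham-Schroeder, using the slides' principal and key names.
A, B, T = "A", "B", "T"
N_A, N_B = atom("N_A"), atom("N_B")
KAB = sharekey("K_AB", A, B)                            # the statement "A <-K_AB-> B"

ASSUMPTIONS = {
    believes(A, sharekey("K_AT", A, T)), believes(B, sharekey("K_BT", B, T)),
    believes(T, sharekey("K_AT", A, T)), believes(T, sharekey("K_BT", B, T)),
    believes(T, KAB),
    believes(A, controls(T, KAB)), believes(B, controls(T, KAB)),
    believes(A, controls(T, fresh(KAB))),
    believes(A, fresh(N_A)), believes(B, fresh(N_B)),
    believes(T, fresh(KAB)),
}
MSG2 = sees(A, enc("K_AT", conj(N_A, KAB, fresh(KAB), enc("K_BT", KAB))))
MSG3 = sees(B, enc("K_BT", KAB))
MSG4 = sees(A, enc("K_AB", conj(N_B, KAB)))             # "from B" is implicit here

def analyse(extra_assumptions=()):
    """All beliefs derivable from the assumptions plus the received messages."""
    return closure(ASSUMPTIONS | {MSG2, MSG3, MSG4} | set(extra_assumptions))

if __name__ == "__main__":
    facts = analyse()
    print("A believes A<-K_AB->B:", believes(A, KAB) in facts)        # True
    print("B believes A<-K_AB->B:", believes(B, KAB) in facts)        # False: nothing tells B the key is fresh
    repaired = analyse([believes(B, fresh(KAB))])                     # the overlooked assumption
    print("with B believes #(A<-K_AB->B):", believes(B, KAB) in repaired)  # True
```

Running the block reproduces the slides’ conclusion: from Message 2, A derives both “A believes A ↔K_AB B” and “A believes #(A ↔K_AB B)”, and from Message 4 even “A believes B believes A ↔K_AB B”; from Message 3, B only reaches “B believes T once said A ↔K_AB B” and gets no further until the freshness assumption is supplied. The engine is deliberately order-blind (a set closure), which is sufficient here because BAN beliefs are only ever added.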

Limitations of Formal Verification (1)

Formal methods can be useful in finding flaws in protocols. However, the idealization of protocol messages in BAN logic is not straightforward and can be a source of disagreement.
– This is a serious issue, since analysis using BAN logic is only as good as the informal protocol idealization upon which it rests.

The 3GPP (Third Generation Partnership Project) used BAN logic to verify 3GPP AKA (Authentication and Key Agreement), and it is vulnerable to a base-station-in-the-middle attack.

Limitations of Formal Verification (2)

Using BAN logic requires practice and Burrows et al. (1989) provide lots of examples to explore.

BAN logic is not the only formal system for reasoning about security and authentication.

Lampson et al. (1992) developed a theory of authentication and trust based on the concept of a minimal trusted computing base (TCB), in which the trustworthiness of each resource that is not included in the TCB can be derived formally.

A formal system called Security Logic (SL) was developed by Glasgow et al. (1992) for reasoning about security policies.

Limitations of Formal Verification (3)

In this context, security policies concern secrecy and integrity in a distributed system.
– Secrecy is formally translated into propositions about principals and what they have permission to know.
– Integrity is translated into propositions about what these principals are required to know.

Passwords: The bigger picture (1)

When you log on to the University network you enter a password in a box labelled “password”.
– PIN numbers are also passwords, whether used in connection with your bank card or mobile phone.

When ringing up a building society about a mortgage application you will be asked several security questions, typically including your mother’s maiden name or postcode.
– The ease with which such information can be found has resulted in a significant problem with identity theft; combating this is a major driving force behind the use of identity cards.

Passwords: The bigger picture (2)

Passwords are a huge issue for security engineering, as they are the basis on which most network security resides.

For example, when rarely visited web sites request a password, users commonly reuse a password they use regularly, typically in connection with their work, to be sure they can remember the password when they need to.
– This means that not only outsiders can attack corporate networks, but also insiders of other systems.

Passwords: The bigger picture (3)

According to:
H. J. Kim, “Biometrics, is it a viable proposition for identity authentication and access control,” Computers & Security, vol. 14, pp. 205–214, 1995

Passwords are only one way of authenticating people to processors.

In general, there are three types of identity authentication tasks:

• Identity authentication for something known, such as a password;

• Identity authentication for something possessed, such as a smart card;

• Identity authentication for some personal characteristics, such as fingerprints.

Applied Psychology Issues (1)

There are broadly three concerns with passwords:
– Will the user disclose the password to another person intentionally, accidentally, or because they were deceived?
– Will the user be able to regularly enter the password correctly?
– Will users be able to remember their passwords, or will they have to record them somewhere or choose easily guessed passwords?

Applied Psychology Issues (2)

When an attacker obtains a password directly from its user by deceit, the attack is known as social engineering.

If a password is too random its user will not easily remember it, and if it is too long it can be too time consuming to enter; in some stressful situations this can be a safety-critical issue.

Note: Firing codes for US nuclear weapons are no longer than 12 digits.

Design Errors (1)

Designing systems so that passwords are memorable is dangerous.

Asking for mother’s maiden name is a classic example of what not to do.
– This information is easily obtained from public records.

Also, this makes a cultural assumption, and such assumptions should be avoided whenever possible.

Design Errors (2)

Do not use your bank PIN for anything else.
– If you do, and your card is stolen and the thief manages to access your account, you will probably not be able to recover any of the stolen money from the bank.

Where a bank allows its customers to choose their own PIN, it is believed about one third of customers use a birth date.

Operational Issues

A classic mistake for system administrators to make is not resetting default passwords supplied with some systems.

System Issues (1)

To understand what is required of a password system it is necessary to understand how it can be attacked. Attacks on passwords can be broadly classified as:

– A targeted attack on one account: The attacker tries to obtain a particular user’s password.

– Attempt to penetrate any account on a system: The attacker tries to steal any password for the system. For example, by a dictionary attack.

– Attempt to penetrate any account on any system: This is when an attacker is seeking access to any system within a given domain.

– Service denial attack: An attacker may want to prevent a specific user from using the system.

System Issues (2)

Additional factors have to be considered when designing countermeasures against attacks on passwords.

Attacks will be looked at in more detail later on.

Who are the Potential Attackers?

Does the system need to protect its users from each other?

Multilateral security is a major topic in this module. It includes ensuring that possession of one password will not allow other passwords to be stolen.

In some cases a user who chooses an easily guessed password has harmed only themselves; in others, where multilateral security has not been applied, this is not the case.

Intrusion Detection

An important consideration is how a password system interacts with an intrusion detection system. If you enter three bad PIN numbers into a cash machine your card is frozen or not returned. However, in some cases such an approach leaves a system open to denial of service attacks.

Training Users

Users can be trained and, to some extent, controlled.

– They can be required to choose a good password and disciplined if they do not.

– However, this is not appropriate where the system is offering a service to the public.

It is good practice for a system administrator to periodically run a password cracking program to identify weak passwords so they can be changed or removed.

Technical Protection of Passwords

Password entry needs to be protected. Other people should not be able to see the password entered, e.g. when Chip and PIN is used.

The machine you log on to may be malicious. Windows NT uses the secure attention sequence ctrl-alt-del to ensure the user sees a genuine password prompt.
– A facility that assures the user they are talking to the genuine system is called a trusted path.

Attacks on Password Storage (1)

If a system logs failed password attempts, the log may contain a large number of genuine passwords because of users getting the username and password sequence wrong.

A plain text file of passwords must not be kept on the system.
– Normally, when a password is entered it is passed through a one-way function and the result checked to see if it matches a stored value.
• The one-way function may be a hash algorithm or an encryption algorithm.

Attacks on Password Storage (2)

Some systems that use an encrypted password file make it widely readable.
– Unix used to make the encrypted password file world readable.
– An attacker could steal this file and perform a dictionary attack by passing each entry in the dictionary through the appropriate one-way function and seeing if they obtain a match.
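The one-way-function check described on the previous slide, and the administrator’s periodic weak-password run recommended under Training Users, look like this in practice. The following is an added example written for these notes, not code from the lecture: it stores a per-user random salt together with a PBKDF2-HMAC-SHA256 digest (never the password), verifies a login attempt by recomputing the digest, and audits the stored records against a small dictionary. The function names, the work factor and the two sample accounts and word list are this example’s own constructions.

```python
# Added example (not from the lecture slides): salted one-way password storage,
# the login check, and the administrator's weak-password audit.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000   # PBKDF2 work factor; an assumed, deliberately low value so the demo runs fast

def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> dict:
    """What the system stores for one user: a random salt, the work factor and the
    digest of the password. The password itself is never written anywhere."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Login check: pass the entered password through the same one-way function and
    compare with the stored value in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def audit_weak_passwords(records: dict, wordlist) -> dict:
    """The administrator's periodic check from the slides: run each dictionary word
    through the one-way function for every account and report accounts whose
    password is in the dictionary, so they can be reset. Because each account has
    its own salt the work is repeated per account; 'hashes_computed' shows that cost
    (with one shared salt, or none, one pass over the dictionary would cover everyone)."""
    weak, computed = {}, 0
    for user, record in records.items():
        for word in wordlist:
            computed += 1
            if verify(word, record):
                weak[user] = word
                break
    return {"weak": weak, "hashes_computed": computed}

# Constructed sample data: two accounts and a tiny dictionary.
USERS = {
    "alice": make_record("a long passphrase nobody guesses"),  # not in the dictionary
    "bob":   make_record("password1"),                          # a typical weak choice
}
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]

def demo() -> dict:
    """Exercise the three operations and return their results."""
    return {
        "alice_login_ok": verify("a long passphrase nobody guesses", USERS["alice"]),
        "alice_wrong_pw": verify("a long passphrase nobody guessed", USERS["alice"]),
        "audit": audit_weak_passwords(USERS, WORDLIST),
    }

if __name__ == "__main__":
    print(demo())
```

The audit finds bob’s dictionary password after three digests and has to try all five words against alice before clearing her; a leaked unsalted file would let one pass over the dictionary cover every account at once, which is exactly the world-readable `/etc/passwd` problem the slide describes.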

Absolute Limits

There are often absolute limits imposed on passwords by the underlying operating system. Unix systems used to limit the length of a password to eight characters. This gives 96^8 possible passwords, which is about 2^52, and the average effort for a search is about half that.

A well organised group of attackers can break any encrypted password in a standard Unix password file.

State-of-the-Art (1)

Chwei-Shyong Tsai, Cheng-Chi Lee, and Min-Shiang Hwang, “Password Authentication Schemes: Current Status and Key Issues”, International Journal of Network Security, Vol. 3, No. 2, pp. 101–115, Sept. 2006 (http://ijns.nchu.edu.tw/)

surveys current password-authentication-related schemes and classifies them in terms of several crucial criteria. They conclude that:

“Most of the existing schemes are vulnerable to various attacks and fail to serve all the purposes an ideal password authentication scheme should.”

State-of-the-Art (2)

An ideal password authentication scheme has to withstand the following attacks:

SR1. Denial of Service Attacks
An attacker can update false verification information of a legal user for the next login phase. Afterwards, the legal user will not be able to login successfully anymore.

SR2. Forgery Attacks (Impersonation Attacks)
An attacker attempts to modify intercepted communications to masquerade as the legal user and login to the system.

State-of-the-Art (3)

SR3. Forward Secrecy
It ensures that the previously generated passwords in the system are secure even if the system’s secret key has been revealed in public by accident or is stolen.

SR4. Mutual Authentication
The user and the server can authenticate each other. Not only can the server verify the legal users, but the users can also verify the legal server.
– Mutual authentication can help withstand the server spoofing attack, where an attacker pretends to be the server to manipulate sensitive data of the legal users.

State-of-the-Art (4)

SR5. Parallel Session Attacks
Without knowing a user’s password, an attacker can masquerade as the legal user by creating a valid login message out of some eavesdropped communication between the user and the server.

SR6. Password Guessing Attacks
Most passwords have such low entropy that they are vulnerable to password guessing attacks, where an attacker intercepts authentication messages and stores them locally, then uses a guessed password and seeks to verify the correctness of their guess using these authentication messages.

State-of-the-Art (5)

SR7. Replay Attacks
Having intercepted previous communications, an attacker can replay the intercepted messages to impersonate the legal user to login to the system.

SR8. Smart Card Loss Attacks
When the smart card is lost or stolen, unauthorized

State-of-the-Art (6)

An ideal password authentication scheme should withstand all of the above attacks, and achieve the following goals:

1. The passwords or verification tables are not stored in the system.

2. The passwords can be chosen and changed freely by the users.

3. The passwords cannot be revealed by the administrator of the server.

State-of-the-Art (7)

An ideal password authentication scheme should withstand all of the above attacks, and achieve the following goals:

4. The passwords are not transmitted in plain text over the network.

5. The length of a password must be appropriate for memorization.

6. The scheme must be efficient and practical.

State-of-the-Art (8)

An ideal password authentication scheme should withstand all of the above attacks, and achieve the following goals:

7. Any unauthorized login can be quickly detected when a user inputs a wrong password.

8. A session key is established during the password authentication process to provide confidentiality of communication.

State-of-the-Art (9)

An ideal password authentication scheme should withstand all of the above attacks, and achieve the following goals:

9. The ID should be dynamically changed for each login session to avoid partial information leakage about the user’s login message.

10. The proposed scheme is still secure even if the secret key of the server is leaked out or stolen.

Many existing password-authentication schemes use a password together with something possessed, like a smart card, to identify a user.

Future Directions (1)

To achieve an ideal password authentication scheme it is anticipated that, in addition to something possessed, a biometric such as an iris pattern will be used.

Significantly, most current password authentication schemes are designed for a single-server environment.

Some recent schemes work with multi-server architectures, where users can register at the registration centre only once and access resources from different servers efficiently.
• Kerberos is such a scheme, but all the servers have to be on the same network.

Future Directions (2)

It is anticipated that significant effort will go into enhancing such schemes in the coming years.

Note: For the purposes of authenticating the identity of one computing device to another, cryptographic protocols are more difficult to circumvent than passwords.

References

Burrows, M., Abadi, M. and Needham, R. (1989) “A Logic of Authentication”, Tech. Report 39, Palo Alto CA: Digital Equipment Corporation Systems Research Center.

Coulouris, G., Dollimore, J. and Kindberg, T. (1994) Archive material from Edition 2 of Distributed Systems: Concepts and Design, http://www.cdk3.net/security/Ed2/BANLogic.pdf

Glasgow, J., MacEwan, G. and Pananageden, P. (1992) “A Logic for Reasoning about Security”, ACM Trans. on Computer Systems, vol. 10, no. 3, pp. 265–310.

Lampson, B.W., Abadi, M., Burrows, M. and Wobber, E. (1992) “Authentication in Distributed Systems: Theory and Practice”, ACM Trans. on Computer Systems, vol. 10, no. 4, pp. 265–310. http://www.acsac.org/2005/papers/Bell.pdf

Homework

• Burrows et al. (1989) – lots of examples to explore.
• The 3GPP (Third Generation Partnership Project) used BAN logic to verify 3GPP AKA (Authentication and Key Agreement) – how?
• TCB
• SL