BAN LOGIC

1
BAN LOGIC

• Amit Chetal
• Monica Desai
• November 14, 2001

2
Outline

1. Introduction
2. Formalism
3. Role of Time in BAN Logic
4. Idealization of Protocols
5. Goals of Authentication
6. Semantics

3
Outline

• Steps in Protocol Analysis
• Example of BAN Logic
• Needham Schroeder Protocol
• Flaws/Advantages of BAN logic
• Conclusion

4
Introduction

• There exists a variety of authentication
  protocols.
• -Various design decisions
• Protocols often depend on assumptions that are
  not clearly stated.

5
Introduction

• Problems with the design of the protocols
• Lack of assumptions
• Lack of formal descriptions
• Lack of clarity

6
Introduction

• BAN Logic(formulated by Burrows, Abadi, and
  Needham-1989) is based on an agreed set of
  deduction rules for formally reasoning about the
  authentication protocols and is often referred to
  as a logic of authentication.
•  
• It is a formal method for verifying that two
  principals(people, computer, services) are
  entitled to believe they are communicating with
  each other and not the intruders.

7
Introduction

• Main Purposes of BAN Logic
• BAN logic helps to prove whether or not a
  protocol does or does not meet its security
  goals.
• BAN logic helps make the protocols more efficient
  by eliminating messages, contents of message, or
  encryptions of messages. Despite eliminating
  them, the security goals still can be reached.
• BAN logic helps clarify the protocols
  assumptions by formally stating them.

8
Introduction

• BAN logic is based on a belief system
• BAN logic concentrates on the beliefs of
  trustworthy parties involved in the protocol and
  the evolution of these beliefs through
  communication processes.

9
Introduction

• The steps of BAN logic to analyze the original
  protocol
• are as follows
• 1) The protocol is transformed into some
  idealized form
• 2) Identify your initial assumptions in the
  language of BAN logic
• 3) Use the postulates and rules of the logic to
  deduce new predicates
• 4) Interpret the statements youve proved by the
  process? Have you met your goals?

10
Formalism

• Basic Notation
• Formalism built on a several sorts of objects
  principals, encryption keys, and
  formulas(statements)
• A, B, and S denote specific principals(people,
  computers, services)
• Kab, Kas, and Kbs denoted specific shared keys
• Kb, Ka, and Ks denote specific public keys
• Kb-1, Ka-1, and Ks-1 denote corresponding secret
  keys
• Na, Nb, Nc denote specific statements
• P, Q, and R range over principals
• X and Y range over statements
• K ranges over encryption keys

11
Formalism

• Basic Notation
• P ?X P believes X. P would be entitled to
  believe X. The principal P may act as though X
  is true.
• P ?X P sees X. P can read the contents of
  X(possibly after decryption, assuming P has
  the needed keys) and P can include X in
  messages to other principals.

12
Formalism

• Basic Notation
• P X P once said X P at some time sent a
  message including the statement X. It is not
  known when the message was sent(in the past or
  in the current run of the protocol) but P
  believed that X was true when it send the
  message.
• P ? X P controls X. P has jurisdiction over X.
  P is a trusted authority on the truth of X.
• (X) X is fresh. Using the logic, time is
  divided into two epoch, the past and the
  present. The present begins with the start of
  the current execution of the current protocol.
  X is fresh if it is not contained in any
  message sent in the past.

13
Formalism

• Basic Notation
• K
• P ? Q K is a shared key for P and Q. K is a
  secure key for communication between P and Q,
  and it will never be discovered by any
  principal except for P or Q, or a principal
  trusted by either P or Q.
• K
• ? P K is a public key for P. The matching
  secret key(the inverse of K, denoted by K-1 will
  never be discovered by any principal except P,
  or a principals trusted by P.

14
Formalism

• Basic Notation
• XK X encrypted under K. It represents the
  message X encrypted using the key K.

15
Formalism

• Inference Rules
• More information about the meaning of logical
  constructs can be deduced from a collection of
  inference rules
• These rules help generate a set of beliefs to
  provide soundness to the protocol
• Messages cant be deduced by those without the
  proper keys
• , means conjunction which is used to append or
  combine something and __________ means implies

16
Formalism

• An example of how a postulate is written is in
  the following fractional form
• To express that a statement Z follows from a
  conjunction of statements X and Y
• (X, Y)
• _________
• Z

17
Formalism

• Types of Inference rules
• Message meaning rule Rule concerns the
  interpretation of messages. This rule helps to
  explain the origin of the messages.
• For shared keys, if P ? R,
• K
• P ? Q ? P, P ?XK
• 
  ____________________________
• 
  P ? Q X

18
Formalism

• Nonce-verification rule This rule checks that a
  message is recent, and also checks if the sender
  still believes in it.
• P ? (X), P ? Q X
• 
  ____________________________
• 
  P ? Q ? X

19
Formalism

• Jurisdiction rule This rule states what it
  means for a principal to be the trusted authority
  on the truth of X.
• P ? Q ? X, P ? Q ? X
• 
  ________________________________
• P ?
  X

20
Formalism

• Belief Rule The rule states that a principal
  believes a collection of statements if and only
  if it believes each of the statements
  individually.
• Example
• A) P ? X, P ? Y B)
  P ? (X, Y)
• 
  ___________________
  ____________________
• 
  P ? (X, Y)
  P ? X
•  
• C) P ? Q ? (X, Y)
• 
  ____________________
  
• 
  P ? Q ? X

21
Formalism

• Saying rule This rule says that a principal
  sees all the components of every message it sees,
  provided that the principal knows the necessary
  key
•  
  K
• A) P ?(X, Y) B) P ?
  Q ? P, P ?XK
  ____________________
  ______________________________
  
• P ? X
  P ? X

22
Formalism

• Freshness Rule This rule states that any
  message with a fresh component is also fresh.
• P ? (X)
  
• 
  ____________________
  
• P ? (X, Y)

23
The role of Time in BAN logic

• The logic has no notion of time to be associated
  with individual statements
• Explicit use of time in the logic is avoided
• Division of time into 2 epochs past and present
  is all that is needed.
• Timestamps are used in some authentication
  protocols but timestamps are not required to be
  made explicit in the logic, only freshness is
  required, so past and present are sufficient time
  divisions.
• Present
• Begins at the start of the run of the protocol
• Beliefs hold through the entirety of protocol run

24
The Role of Time in BAN Logic

• Past
• Beliefs not carried forward into the present
• All messages sent before the present considered
  part of past.

25
Idealized Protocols

• Typically we see each protocol step as
• P ? Q message
• What does this denote?
• Principal P sends the message and that
  principal Q receives the message. It is an
  informal notation
• What is wrong with it?
• Often ambiguous, obscure in meaning, not
  appropriate for formal analysis
• How to fix it?
• Transform each protocol into an idealized form
• Steps
• 1) Omit the parts of the message that do not
• contribute to the beliefs of the recipient
• 2) Omit clear text communication because it
  can be forged

26
Idealized Protocols

• Example
• What we normally see in literature
• A ?? B A, KabKbs
• Idealized version
• Kab
• A ? B A ? BKbs
• When message is sent to B it can be deduced that
• Kab
• B ? A ? Bkbs
• The receiving principle becomes aware of the
  message (sees the message) and can act upon it.
•  

27
Goals of Authentication

• Authentication rests on communication protected
  by shared session key, so the goals of
  authentication may be reached between A and B if
  there is a K such that
• K K
• A ? A ? B B ? A ? B
• Some authentication protocols achieve this final
  goal
•   K K
• A ? B? A ? B B ? A ? A ? B

28
Semantics

• Help provide meaning for some of the formulas
• Essentially, in order to obtain new beliefs ,
  principals are supposed to examine their current
  beliefs and apply the inference rules in order to
  obtain new beliefs
• In order to see how new beliefs are brought
  about , we must look at state of the principal at
  each run of the protocol
• In particular, we will look at the local and
  global state at each run of the protocol for the
  constructs of seeing and believing.
• The state for the other constructs have a much
  more complicated definition of a state.

29
Semantics

• Local states
• These local state describe relations between the
  principals and the objects, and between the
  principals themselves (i.e. believing and
  seeing-messages)
• Local state of a principal P for example is two
  sets of formulas, MP and BP. MP is the set of
  messages that the principal sees and BP is the
  set of beliefs of the principal. The closure
  properties of these formulas, directly correspond
  to the inference rules. For example,
• K
• If P ? Q ? BP and XK ? MP then X ? MP

30
Semantics

• Global States
• The global state is a tuple that contains all the
  local states of all the principals
• Example A global state consists of a set
  containing the local states of 3 principles say
  A, B, and S .
• If s is a global state for these principles,
  then 
• Sp is the local set of P in s and BP(s) and
  MP(s) are corresponding sets and beliefs and
  messages for P
• So for instance, P ? X holds in a state s if X
  ? BP(s), and P ? X holds if X ? MP(s)
• A set of formulas hold in a given state if each
  of its members holds.

31
Outline

• Steps in Protocol Analysis
• Example of BAN Logic
• Needham Schroeder Protocol
• Flaws/Advantages of BAN logic
• Conclusion

32
Steps in Protocol Analysis

• Derive the idealized protocol from the original
  one
• Write assumptions about the initial state
• Use the postulates and rules of the logic to
  deduce new predicates
• This is repeated through all the protocol
  messages
• Determine if goals of authentication have been met

33
Protocol Analysis

• Needham-Schroeder Protocol
• (with shared keys)
• Original version without idealization
• Message 1 A ? S A, B, NA
• Message 2 S ? A NA, B, KAB, KAB, AKBS KAS
• Message 3 A ? B KAB, AKBS
• Message 4 B ? A NBKAB
• Message 5 A ? B NB 1KAB

34
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• Corresponding idealized protocol is as follows
• Kab Kab
  Kab
• Message 2 S ? A NA, (A ? B), (A ? B), A ?
  BKbs Kas
• Kab
• Message 3 A ? B A ? BKbs
• Kab
• Message 4 B ? A NB, (A ? B)Kab from B
• Kab
• Message 5 A ? B NB, (A ? B)Kab from A

35
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• Initial assumptions
• Kas Kbs
  
• A ? A ? S B ? B ? S
• Kas
  Kbs
• S ? A ? S S ? B ? S
• Kab
• S ? A ? B
• Kab Kab
• A ? (S ? A ? B) B ? (S ? A ? B)
• Kab
• A ? (S ? (A ? B))

36
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• More assumptions(continued)
• A ? (Na) B ? (Nb)
• Kab
  Kab
• S ? (A ? B) B ? (A ? B)
• Kab
• NOTE The assumption B ? (A ? B) meaning B
  believes in the
• freshness on the key is an assumption that the
  authors of the Needham-Schroeder protocol did
  not realize they were making.

37
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• Now we can apply the logical postulate rules to
  each message with assumptions
• Recall message 2
  
• Kab Kab Kab
• Message 2 S ? A Na, (A ? B), (A ? B), A ?
  BKbsKas

38
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 1) Recall the Assumption
• Kas
• A ? A ? S
• With this Assumption and message 2, now we can
  say
• Kab Kab Kab
• A ? Na, (A ? B), (A ? B), A ? BKbsKas

39
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• Now apply the logical postulate, the
  Message-meaning rule
• Recall message-meaning rule is
• K
• P ? Q ? P, P ? Xk
• ___________________________
• P ? Q X
• Applying this postulate to the previous
  assumption and derivation, we derive that
• Kab Kab
  Kab
• A ? S Na, (A ? B), (A ? B), A ? BKbs

40
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 2) Recall the Assumption
• A ? (Na)
• Now we can apply the Freshness rule, recall that
  it is
• P ? (X)
• ______________________
• P ? (X, Y)
• Now we can derive that
• Kab Kab Kab
• A ? Na, (A ? B), (A ? B), A ?BKbs

41
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 3) We can use a combination of the above derived
  rules
• together with Nonce-verification rule
  which is
• P ? (X), P ? Q X
• _______________________________________
• P ? Q ? X

42
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 3) We can use the above derived rules stating
  that
• Kab Kab Kab
• A ? Na, (A ? B), (A ? B), A ? BKbs
• together with
• Kab Kab Kab
• A ? S Na, (A ? B), (A ? B), A ? BKbs
• and the Nonce-verification to obtain
• Kab Kab Kab
• A ? S ? Na, (A ? B), (A ? B), A ? BKbs

43
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 4) We can use the belief rule which is
• P ? Q ? (X,Y)
• 
  __________________________
• P ? Q ? X

44
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• We can use this belief rule combined with the
  above derived statement stating that
  Kab Kab Kab A ? S ?
  Na, (A ? B), (A ? B), A ? BKbs
• to further derive that
• Kab
• A ? S ? (A ? B)
• and that
• Kab
• A ? S ? (A ? B)

45
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 5) Recall the Assumptions
• Kab Kab
• A ? (S ? A ? B) A ? (S ? (A ? B)
• and the previous derivations stating that
• Kab Kab
• A ? S ? (A ? B) A ? S ? (A ? B)
• We can apply the jurisdiction postulate to these
  assumptions.
• Recall jurisdiction postulate
• P ? Q ? X, P ? Q ? X
• ___________________________
• P ? X

46
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• Applying the assumptions above to the postulates
  we finally get
• Kab Kab
• A ? (A ? B) and A ? (A ? B)

47
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• Now we can apply the logical postulate rules to
  the next message with assumptions
• Recall message 3
• Kab
• Message 3 A ? B A ?BKbs

48
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 1) Recall the Assumption
• Kbs
• B ? S ? B
• From this we can deduce that
• Kab
• B ? A ? BKbs
• We can now apply the message meaning rule which
  is
• K
• P ? Q ?P, P ? Xk
• ___________________________
• P ? Q X

49
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• And we can derive
• Kab
• B ? S A ? BKbs

50
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 2) Recall the Assumption
• Kab
• B ? (A ? B)
• Also recall the derived formula from above
  stating
• Kab
• B ? S A ? BKbs
• We can apply the Nonce-verification rule which
  is
• P ? (X), P ? Q X
• __________________________
• P ? Q ? X

51
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• And we can derive
• Kab
• B ? S ? A ? B

52
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 3)Recall the Assumption
• Kab
• B ? (S ? A ? B)
• Also recall the derived formula above stating
• Kab
• B ? S ? A ? B
• We can apply the jurisdiction rule which is
• P ? Q ? X, P ? Q ? X
• ____________________________________
• P ? X

53
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• And we can derive
• Kab
• B ? A ? B
• Now we can apply the logical postulate rules to
  the next message with assumptions
• Recall message 4
• Kab
• Message 4 B ? A Nb, (A ? B)Kab

54
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 1) We can then say that
• Kab
• A ? Nb, (A ? B) Kab
• We can use the saying rule, which is
• P ? (X,Y)
• _________________
• P ? X
• We can then derive that Kab
• A ? (A ? B) Kab

55
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 2) Recall a previous result we obtained
• Kab
• A ? (B ? A)
• Also recall the result that we just obtained
  the previous step Kab
• A ? (A ? B)Kab
• We can apply the message meaning rule
  
• K
• P ? Q ? P, P ? Xk
• ___________________________
• P ? Q X

56
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• Finally, we can deduce that
• Kab
• A ? B (A ? B)

57
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• 3) Recall a previous result we obtained
• Kab
• A ? (A ? B)
• Also recall the result that we just obtained
  the previous step Kab
  
• A ? B (A ? B)
• We can apply the nonce-verification rule
  
• P ? (X), P ? Q X
• ______________________________________
  _
• P ? Q ? X

58
Protocol Analysis

• Needham-Schroeder Protocol (with shared keys)
• We then obtain
• Kab
• A ? B? (A ? B)
• In similar manner, we can also derive that
• Kab
• B ? A? (A ? B)

59
Conclusions of Analysis

• Needham-Schroeder Protocol (with shared keys)
• We have achieved this The goals of the
  Needham-Schroeder protocol are that A and B each
  believe that they share a secret key Kab and that
  moreover they each believe that the other
  believes it
• K K B ? A ? B (msg 3) A ?
  A ? B (msg 2)
• We also achieve this final goal
• K K
• A ? B ? A ? B (msg 4) B ? A ? A ? B (msg 4)
• Our analysis achieves these results, since we
  have derived these goals

60
Conclusions of Analysis

• Needham-Schroeder Protocol (with shared keys)
• This authentication protocol has an extra
  assumption, which is that B assumes the key B
  receives from A is fresh. So Needham-Schroeder
  protocol had this flaw in it.

61
Flaws with BAN Logic

• BAN logic is a belief system and it is much
  different from a knowledge system. Knowledge
  systems have an axiom of the following form If
  you know p, then p is true. However, belief
  systems do not have this axiom, since a belief in
  p says nothing about the truth or falsity of p.
• Assumption that all principals taking part in a
  protocol are honest, in the sense that each
  principal believes in the truth of each message
  it sends. However, honesty is not a logical
  assumption to make.

62
Advantages of BAN Logic

• Huge success for formal methods in cryptography,
  useful tool
• BAN Logic successful in uncovering implicit
  assumptions and weaknesses in a number of
  protocols
• Vehicle for extensive research in the areas for
  basis and development of other logic systems
• BANs strengths lie in its simplicity of its
  logic and its ease of use

63
Conclusion

• BAN Logic is one of earliest successful attempts
  at formally reasoning about authentication
  protocols.
• BAN logic involves idealizing a protocol,
  identifying initial assumptions, using logical
  postulates to deduce new predicates and
  determining if the goals of authentication have
  been met.
• BAN logic can be used to analyze existing
  protocols and bring out their flaws.
• As we saw in the Needham Schroeder protocol,
  BAN logic helped to uncover an extra assumption
  that the authors themselves did not realize.
• BAN logic has its flaws, but overall it is a
  welcome success for formal methods in
  cryptography.