ban logic a logic of authenticationsape/sse/ban.pdf · ban logic the ban logic was named after its...
TRANSCRIPT
BAN LogicA Logic of Authentication
Sape J. Mullender
Huygens Systems Research LaboratoryUniversiteit TwenteEnschede
1
BAN Logic
The BAN logic was named after its inventors, Mike Burrows,Mart́ın Abad́ı, and Roger Needham.
The logic is, as they stated, a logic of belief and action. Itcontains no logical inversions; therefore it cannot be used toprove a protocol flawed.
But when proof that a protocol is correct cannot be obtained,that protocol deserves to be treated with grave suspicion.
2
Notation
The logic reasons about beliefs. If Alice believes a propositionP , we write A j� P and say ‘A believes P ’.
Alice believes that KAT is a good key for communicating with
Trent. This is expressed as A j� AKAT ! T ; we say A believes
KAT is a good key for A and T .
Trent acts as authentication server or certification authorityin many of the protocols analyzed by BAN logic. If Alicebelieves that Trent can be trusted to create a ‘good key’ forcommunication with Bob, we write A j� T ) A K ! B; we say‘A believes T has jurisdiction over or speaks for good keys forA and B’.
3
Messages
When Alice receives a message (which, in our logic, alwayscontains a proposition), we write A / P and say A sees P .
Seeing is not believing unless you know who said it. Note that,in this logic, nobody says anything he or she does not believe.If Alice sent a message containing the statement P , we maywrite A j� P and say A once said P .
But, Alice may have said it so long ago that we can no longertrust the contents of her message. We need to know thatAlice’s statement is fresh. When a statement P is fresh wewrite #�P� and say P is fresh.
4
Notation Summary
P j� X P believes XP / X P sees XP j� X P once said X#�P� P is freshP ) X P has jurisdiction over XP K ! Q K is a good key for communicating between
P and QK! P P has K as a public key
PXz Q X is a secret known only to P and Q
hXiY X combined with (secret) Y
5
Axioms
We adopt the notation in the BAN papers: PQ means if P is truethen Q is true.
We assume that participants in protocols are good logicians:if Alice believes a proposition X and X
Y , then she believes Ytoo. This is true for the axioms also.
6
Message meaning rules
P j� P K ! Q;P / fXgKP j� Q j� X
P j� K! Q;P / fXgK�1
P j� Q j� X
P j� PYz Q;P / hXiY
P j� Q j� X
7
More Rules
P j� X;P j� YP j� �X; Y�
P j� �X; Y�P j� X
P j� Q j� �X; Y�P j� Q j� X
P j� Q j� �X; Y�P j� Q j� X
10
Analysis of Protocols
Most analyses start with assumptions such as
A j� AKAT ! T B j� B KBT ! T
A j� T ) A KAB ! B B j� T ) B KAB ! BA j� #�NA� B j� #�NB�
T j� AKAB ! B
and need to conclude withA j� A
KAB ! B B j� AKAB ! B
A j� B j� AKAB ! B B j� A j� A
KAB ! B
13
The Ottway-Rees Authentication Protocol
1. M;A;B; fNA;M;A; BgKAT
2. M;A;B; fNA;M;A; BgKAT ; fNB;M;A; BgKBT
3. M; fNA; KABgKAT ; fNB; KABgKBT
4. M; fNA; KABgKAT
14
Analysis — The Protocol
1. M;A;B; fNA;M;A; BgKATfNA; NCgKAS
2. M;A;B; fNA;M;A; BgKAT ; fNB;M;A; BgKBTfNA; NCgKAS ; fNB; NCgKBS
3. M; fNA; KABgKAT ; fNB; KABgKBTfNA; A
KAB ! B; B j� NCgKAT ;fNB; A
KAB ! B;A j� NCgKBT4. M; fNA; KABgKAT
fNA; AKAB ! B; B j� NCgKAT
15
Analysis — Assumptions
A j� AKAT ! T B j� B KBT ! T
T j� AKAT ! T T j� B KBT ! T
T j� AKAB ! B
A j� T ) A KAB ! B B j� T ) B KAB ! BA j� T ) B j� X B j� T ) A j� XA j� #�NA� B j� #�NB�A j� #�NC�
16
Analysis — Derivations
B / fNB; AKAB ! BgKBT ; B j� B KBT ! T
B j� T j� NB; AKAB ! B
B / fNB; AKAB ! BgKBT ; B j� #�NB�
B j� #�AKAB ! B�
B j� T j� AKAB ! B; B j� #�A
KAB ! B�B j� T j� A
KAB ! B
B j� T j� AKAB ! B; B j� T ) A KAB ! BB j� A
KAB ! B
17
Analysis — Conclusion
Similarly, we derive A j� AKAB ! B.
We can also deriveA j� B j� NC;
but we can only prove
B j� A j� NC:
NA is not needed, NC can be used instead.
18
the Needham-Schroeder Protocol
1. A;B;NA
2. fNA; B;KAB; fA;KABgKBTgKAT
3. fA;KABgKBT
4. fNBgKAB
5. fNB � 1gKAB
19
Needham-Schroeder Analysed
Assumptions:
T j� AKAB ! B
A j� AKAT ! T B j� B KBT ! T
T j� AKAT ! T T j� B KBT ! T
A j� T ) A KAB ! B B j� T ) B KAB ! BA j� T ) #�KAB�A j� #�NA� B j� #�NB�T j� #�KAB� B j� #�A K ! B�
20
Messages
1. A;B;NA
2. fNA; B;KAB; fA;KABgKBTgKATfNA; A
KAB ! B; #�AKAB ! B� ; fA KAB ! BgKBTgKAT
3. fA;KABgKBTfA KAB ! BgKBT
4. fNBgKABfNB; A
KAB ! BgKABfromB5. fNB � 1gKAB
fNB; AKAB ! BgKABfromA
21
Analysis
As in the Ottway-Rees protocol, we have the message for
Alice saying fNA; AKAB ! BgKAT , so we can prove in an identical
manner A j� AKAB ! B.
But Bob gets no message linking Trent’s statement AKAB ! B
to something he knows to be fresh. We cannot get beyond
B j� T j� AKAB ! B.
22
Needham-Schroeder Exposed
This exactly puts the finger on the weakness in the Needham-Schroeder protocol: Mallory could record Alice and Bob’s keyexchange and trick Bob into accepting the key in Message 3any time he chooses.
Mallory will be thwarted, however, when he cannot respond toBob’s Message 4.
But if he can afford to spend a year of CPU time cracking KAB,he can get Bob to accept and use a year-old key.
23