BAN LogicA Logic of Authentication

Sape J. Mullender

Huygens Systems Research LaboratoryUniversiteit TwenteEnschede

1

BAN Logic

The BAN logic was named after its inventors, Mike Burrows,Mart́ın Abad́ı, and Roger Needham.

The logic is, as they stated, a logic of belief and action. Itcontains no logical inversions; therefore it cannot be used toprove a protocol flawed.

But when proof that a protocol is correct cannot be obtained,that protocol deserves to be treated with grave suspicion.

2

Notation

The logic reasons about beliefs. If Alice believes a propositionP , we write A j� P and say ‘A believes P ’.

Alice believes that KAT is a good key for communicating with

Trent. This is expressed as A j� AKAT ! T ; we say A believes

KAT is a good key for A and T .

Trent acts as authentication server or certification authorityin many of the protocols analyzed by BAN logic. If Alicebelieves that Trent can be trusted to create a ‘good key’ forcommunication with Bob, we write A j� T ) A K ! B; we say‘A believes T has jurisdiction over or speaks for good keys forA and B’.

3

Messages

When Alice receives a message (which, in our logic, alwayscontains a proposition), we write A / P and say A sees P .

Seeing is not believing unless you know who said it. Note that,in this logic, nobody says anything he or she does not believe.If Alice sent a message containing the statement P , we maywrite A j� P and say A once said P .

But, Alice may have said it so long ago that we can no longertrust the contents of her message. We need to know thatAlice’s statement is fresh. When a statement P is fresh wewrite #�P� and say P is fresh.

4

Notation Summary

P j� X P believes XP / X P sees XP j� X P once said X#�P� P is freshP ) X P has jurisdiction over XP K ! Q K is a good key for communicating between

P and QK! P P has K as a public key

PXz Q X is a secret known only to P and Q

hXiY X combined with (secret) Y

5

Axioms

We adopt the notation in the BAN papers: PQ means if P is truethen Q is true.

We assume that participants in protocols are good logicians:if Alice believes a proposition X and X

Y , then she believes Ytoo. This is true for the axioms also.

6

Message meaning rules

P j� P K ! Q;P / fXgKP j� Q j� X

P j� K! Q;P / fXgK�1

P j� Q j� X

P j� PYz Q;P / hXiY

P j� Q j� X

7

Nonce Verification

P j� #�X� ; P j� Q j� XP j� Q j� X

8

Jurisdiction Rule

P j� Q ) X;P j� Q j� XP j� X

9

More Rules

P j� X;P j� YP j� �X; Y�

P j� �X; Y�P j� X

P j� Q j� �X; Y�P j� Q j� X

P j� Q j� �X; Y�P j� Q j� X

10

And More

P / �X;Y�P / X

P / hXiY�P / X

P j� P K ! Q;P / fXgKP / X

11

And More

P j� K! P; P / fXgKP / X

P j� K! Q;P / fXgK�1

P / X

P j� #�X�A j� #��X; Y��

12

Analysis of Protocols

Most analyses start with assumptions such as

A j� AKAT ! T B j� B KBT ! T

A j� T ) A KAB ! B B j� T ) B KAB ! BA j� #�NA� B j� #�NB�

T j� AKAB ! B

and need to conclude withA j� A

KAB ! B B j� AKAB ! B

A j� B j� AKAB ! B B j� A j� A

KAB ! B

13

The Ottway-Rees Authentication Protocol

1. M;A;B; fNA;M;A; BgKAT

2. M;A;B; fNA;M;A; BgKAT ; fNB;M;A; BgKBT

3. M; fNA; KABgKAT ; fNB; KABgKBT

4. M; fNA; KABgKAT

14

Analysis — The Protocol

1. M;A;B; fNA;M;A; BgKATfNA; NCgKAS

2. M;A;B; fNA;M;A; BgKAT ; fNB;M;A; BgKBTfNA; NCgKAS ; fNB; NCgKBS

3. M; fNA; KABgKAT ; fNB; KABgKBTfNA; A

KAB ! B; B j� NCgKAT ;fNB; A

KAB ! B;A j� NCgKBT4. M; fNA; KABgKAT

fNA; AKAB ! B; B j� NCgKAT

15

Analysis — Assumptions

A j� AKAT ! T B j� B KBT ! T

T j� AKAT ! T T j� B KBT ! T

T j� AKAB ! B

A j� T ) A KAB ! B B j� T ) B KAB ! BA j� T ) B j� X B j� T ) A j� XA j� #�NA� B j� #�NB�A j� #�NC�

16

Analysis — Derivations

B / fNB; AKAB ! BgKBT ; B j� B KBT ! T

B j� T j� NB; AKAB ! B

B / fNB; AKAB ! BgKBT ; B j� #�NB�

B j� #�AKAB ! B�

B j� T j� AKAB ! B; B j� #�A

KAB ! B�B j� T j� A

KAB ! B

B j� T j� AKAB ! B; B j� T ) A KAB ! BB j� A

KAB ! B

17

Analysis — Conclusion

Similarly, we derive A j� AKAB ! B.

We can also deriveA j� B j� NC;

but we can only prove

B j� A j� NC:

NA is not needed, NC can be used instead.

18

the Needham-Schroeder Protocol

1. A;B;NA

2. fNA; B;KAB; fA;KABgKBTgKAT

3. fA;KABgKBT

4. fNBgKAB

5. fNB � 1gKAB

19

Needham-Schroeder Analysed

Assumptions:

T j� AKAB ! B

A j� AKAT ! T B j� B KBT ! T

T j� AKAT ! T T j� B KBT ! T

A j� T ) A KAB ! B B j� T ) B KAB ! BA j� T ) #�KAB�A j� #�NA� B j� #�NB�T j� #�KAB� B j� #�A K ! B�

20

Messages

1. A;B;NA

2. fNA; B;KAB; fA;KABgKBTgKATfNA; A

KAB ! B; #�AKAB ! B� ; fA KAB ! BgKBTgKAT

3. fA;KABgKBTfA KAB ! BgKBT

4. fNBgKABfNB; A

KAB ! BgKABfromB5. fNB � 1gKAB

fNB; AKAB ! BgKABfromA

21

Analysis

As in the Ottway-Rees protocol, we have the message for

Alice saying fNA; AKAB ! BgKAT , so we can prove in an identical

manner A j� AKAB ! B.

But Bob gets no message linking Trent’s statement AKAB ! B

to something he knows to be fresh. We cannot get beyond

B j� T j� AKAB ! B.

22

Needham-Schroeder Exposed

This exactly puts the finger on the weakness in the Needham-Schroeder protocol: Mallory could record Alice and Bob’s keyexchange and trick Bob into accepting the key in Message 3any time he chooses.

Mallory will be thwarted, however, when he cannot respond toBob’s Message 4.

But if he can afford to spend a year of CPU time cracking KAB,he can get Bob to accept and use a year-old key.

23