BAN LOGIC Amit Chetal Monica Desai November 14,

Outline 1.Introduction 2.Formalism 3.Role of Time in BAN Logic 4.Idealization of Protocols 5.Goals of Authentication 6.Semantics

Outline 7.Steps in Protocol Analysis 8.Example of BAN Logic: Needham – Schroeder Protocol 9.Flaws/Advantages of BAN logic 10.Conclusion

Introduction There exists a variety of authentication protocols. -Various design decisions Protocols often depend on assumptions that are not clearly stated.

Introduction Problems with the design of the protocols: 1.Lack of assumptions 2.Lack of formal descriptions 3.Lack of clarity

Introduction BAN Logic(formulated by Burrows, Abadi, and Needham-1989) is based on an agreed set of deduction rules for formally reasoning about the authentication protocols and is often referred to as a logic of authentication. It is a formal method for verifying that two principals(people, computer, services) are entitled to believe they are communicating with each other and not the intruders.

Introduction Main Purposes of BAN Logic BAN logic helps to prove whether or not a protocol does or does not meet its security goals. BAN logic helps make the protocols more efficient by eliminating messages, contents of message, or encryptions of messages. Despite eliminating them, the security goals still can be reached. BAN logic helps clarify the protocol’s assumptions by formally stating them.

Introduction BAN logic is based on a belief system: BAN logic concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes.

Introduction The steps of BAN logic to analyze the original protocol are as follows: 1)The protocol is transformed into some “idealized” form 2)Identify your initial assumptions in the language of BAN logic 3)Use the postulates and rules of the logic to deduce new predicates 4)Interpret the statements you’ve proved by the process? Have you met your goals?

Formalism Basic Notation Formalism built on a several sorts of objects: principals, encryption keys, and formulas(statements) A, B, and S denote specific principals(people, computers, services) K ab, K as, and K bs denoted specific shared keys K b, K a, and K s denote specific public keys K b -1, K a -1, and K s -1 denote corresponding secret keys N a, N b, N c denote specific statements P, Q, and R range over principals X and Y range over statements K ranges over encryption keys

Formalism Basic Notation P |  X: P believes X. P would be entitled to believe X. The principal P may act as though X is true. P  X: P sees X. P can read the contents of X(possibly after decryption, assuming P has the needed keys) and P can include X in messages to other principals.

Formalism Basic Notation P |~ X: P once said X: P at some time sent a message including the statement X. It is not known when the message was sent(in the past or in the current run of the protocol) but P believed that X was true when it send the message. P |  X: P controls X. P has jurisdiction over X. P is a trusted authority on the truth of X. #(X): X is fresh. Using the logic, time is divided into two epoch, the past and the present. The present begins with the start of the current execution of the current protocol. X is fresh if it is not contained in any message sent in the past.

Formalism Basic Notation K P  Q : K is a shared key for P and Q. K is a secure key for communication between P and Q, and it will never be discovered by any principal except for P or Q, or a principal trusted by either P or Q. K |  P: K is a public key for P. The matching secret key(the inverse of K, denoted by K -1 will never be discovered by any principal except P, or a principals trusted by P.

Formalism Basic Notation {X} K : X encrypted under K. It represents the message X encrypted using the key K.

Formalism Inference Rules More information about the meaning of logical constructs can be deduced from a collection of inference rules These rules help generate a set of beliefs to provide soundness to the protocol Messages can’t be deduced by those without the proper keys “,” means conjunction which is used to append or combine something and __________ means implies

Formalism An example of how a postulate is written is in the following fractional form To express that a statement Z follows from a conjunction of statements X and Y (X, Y) _________ Z

Formalism Types of Inference rules: Message meaning rule: Rule concerns the interpretation of messages. This rule helps to explain the origin of the messages. For shared keys, if P ≠ R, K P |  Q  P, P  {X} K ____________________________ P |  Q |~ X

Formalism Nonce-verification rule: This rule checks that a message is recent, and also checks if the sender still believes in it. P |  #(X), P |  Q |~ X ____________________________ P |  Q |  X

Formalism Jurisdiction rule: This rule states what it means for a principal to be the trusted authority on the truth of X. P |  Q  X, P |  Q |  X ________________________________ P |  X

Formalism Belief Rule: The rule states that a principal believes a collection of statements if and only if it believes each of the statements individually. Example: A) P |  X, P |  Y B) P |  (X, Y) ___________________ ____________________ P |  (X, Y) P |  X C) P |  Q |  (X, Y) ____________________ P |  Q |  X

Formalism Saying rule: This rule says that a principal sees all the components of every message it sees, provided that the principal knows the necessary key K A) P  (X, Y) B) P |  Q  P, P  {X} K ____________________ ______________________________ P  X P  X

Formalism Freshness Rule: This rule states that any message with a fresh component is also fresh. P |  #(X) ____________________ P |  #(X, Y)

The role of Time in BAN logic The logic has no notion of time to be associated with individual statements Explicit use of time in the logic is avoided Division of time into 2 epochs: past and present is all that is needed. Timestamps are used in some authentication protocols but timestamps are not required to be made explicit in the logic, only freshness is required, so past and present are sufficient time divisions. Present Begins at the start of the run of the protocol Beliefs hold through the entirety of protocol run

The Role of Time in BAN Logic Past Beliefs not carried forward into the present All messages sent before the present considered part of past.

Idealized Protocols Typically we see each protocol step as: P  Q : message What does this denote? Principal P sends the message and that principal Q receives the message. It is an informal notation What is wrong with it? Often ambiguous, obscure in meaning, not appropriate for formal analysis How to fix it? Transform each protocol into an idealized form Steps 1) Omit the parts of the message that do not contribute to the beliefs of the recipient 2) Omit clear text communication because it can be forged

Idealized Protocols Example: What we normally see in literature: A  B : {A, K ab }K bs Idealized version: Kab A  B : {A  B}K bs When message is sent to B it can be deduced that: Kab B  {A  B}k bs The receiving principle becomes aware of the message (sees the message) and can act upon it.

Goals of Authentication Authentication rests on communication protected by shared session key, so the goals of authentication may be reached between A and B if there is a K such that: KK A |  A  B B |  A  B Some authentication protocols achieve this final goal: K K A |  B|  A  B B |  A |  A  B

Semantics Help provide meaning for some of the formulas Essentially, in order to obtain new beliefs, principals are supposed to examine their current beliefs and apply the inference rules in order to obtain new beliefs In order to see how new beliefs are brought about, we must look at state of the principal at each run of the protocol In particular, we will look at the local and global state at each run of the protocol for the constructs of seeing and believing. The state for the other constructs have a much more complicated definition of a state.

Semantics Local states These local state describe relations between the principals and the objects, and between the principals themselves (i.e. believing and seeing-messages) Local state of a principal P for example is two sets of formulas, M P and B P. M P is the set of messages that the principal sees and B P is the set of beliefs of the principal. The closure properties of these formulas, directly correspond to the inference rules. For example, K If P  Q  B P and {X} K  M P then X  M P

Semantics Global States The global state is a tuple that contains all the local states of all the principals Example: A global state consists of a set containing the local states of 3 principles say A, B, and S. If s is a global state for these principles, then S p is the local set of P in s and B P (s) and M P (s) are corresponding sets and beliefs and messages for P So for instance, P |  X holds in a state s if X  B P (s), and P  X holds if X  M P (s) A set of formulas hold in a given state if each of its members holds.

Outline 7.Steps in Protocol Analysis 8.Example of BAN Logic: Needham – Schroeder Protocol 9.Flaws/Advantages of BAN logic 10.Conclusion

Steps in Protocol Analysis  Derive the idealized protocol from the original one  Write assumptions about the initial state  Use the postulates and rules of the logic to deduce new predicates This is repeated through all the protocol messages Determine if goals of authentication have been met

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Original version without idealization Message 1 A  S:A, B, N A Message 2 S  A:{N A, B, K AB, {K AB, A}K BS } K AS Message 3 A  B:{K AB, A}K BS Message 4 B  A:{N B }K AB Message 5 A  B:{N B – 1}K AB

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Corresponding idealized protocol is as follows: Kab Kab Kab Message 2 S  A:{N A, (A  B), # (A  B), {A  B}K bs } K as Kab Message 3 A  B:{A  B}K bs Kab Message 4 B  A:{N B, (A  B)}K ab from B Kab Message 5 A  B:{N B, (A  B)}K ab from A

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Initial assumptions: Kas Kbs A |  A  S B |  B  S Kas Kbs S |  A  S S |  B  S Kab S |  A  B Kab Kab A |  (S |  A  B) B |  (S |  A  B) Kab A |  (S |  #(A  B))

Protocol Analysis Needham-Schroeder Protocol (with shared keys) More assumptions(continued) A |  #(N a )B |  #(N b ) Kab Kab S |  #(A  B)B |  #(A  B) Kab NOTE: The assumption B |  #(A  B) meaning B believes in the freshness on the key is an assumption that the authors of the Needham-Schroeder protocol did not realize they were making.

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Now we can apply the logical postulate rules to each message with assumptions Recall message 2: Kab Kab Kab Message 2 S  A: {N a, (A  B), #(A  B), {A  B}K bs }K as

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 1) Recall the Assumption: Kas A |  A  S With this Assumption and message 2, now we can say: Kab Kab Kab A  {N a, (A  B), #(A  B), {A  B}K bs }K as

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Now apply the logical postulate, the Message-meaning rule Recall message-meaning rule is: K P |  Q  P, P  {X} k ___________________________ P |  Q |~ X Applying this postulate to the previous assumption and derivation, we derive that: Kab Kab Kab A |  S |~ {N a, (A  B), #(A  B), {A  B}K bs }

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 2) Recall the Assumption: A |  #(N a ) Now we can apply the Freshness rule, recall that it is: P |  #(X) ______________________ P |  #(X, Y) Now we can derive that: K ab K ab K ab A |  #{N a, (A  B), #(A  B), {A  B}K bs }

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 3)We can use a combination of the above derived rules together with Nonce-verification rule which is: P |  #(X), P |  Q |~ X _______________________________________ P |  Q |  X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 3) We can use the above derived rules stating that : K ab K ab K ab A |  #{N a, (A  B), #(A  B), {A  B}K bs } together with: K ab K ab K ab A |  S |~ {N a, (A  B), #(A  B), {A  B}K bs } and the Nonce-verification to obtain: K ab K ab K ab A |  S |  {N a, (A  B), #(A  B), {A  B}K bs }

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 4) We can use the belief rule which is: P |  Q |  (X,Y) __________________________ P |  Q |  X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) We can use this belief rule combined with the above derived statement stating that: K ab K ab K ab A |  S |  {N a, (A  B), #(A  B), {A  B}K bs } to further derive that: K ab A |  S |  (A  B) and that: K ab A |  S |  #(A  B)

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 5 ) Recall the Assumptions: K ab K ab A |  (S |  A  B)A |  (S |  #(A  B) and the previous derivations stating that: K ab K ab A |  S |  (A  B)A |  S |  #(A  B) We can apply the jurisdiction postulate to these assumptions. Recall jurisdiction postulate: P |  Q |  X,P |  Q |  X ___________________________ P |  X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Applying the assumptions above to the postulates we finally get: K ab K ab A |  (A  B)andA |  #(A  B)

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Now we can apply the logical postulate rules to the next message with assumptions Recall message 3: Kab Message 3A  B: {A  B}K bs

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 1) Recall the Assumption: Kbs B |  S  B From this we can deduce that: Kab B  {A  B}K bs We can now apply the message meaning rule which is K P |  Q  P, P  {X} k ___________________________ P |  Q |~ X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) And we can derive: Kab B |  S |~ {A  B}K bs

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 2) Recall the Assumption: Kab B |  #(A  B) Also recall the derived formula from above stating: Kab B |  S |~ {A  B}K bs We can apply the Nonce-verification rule which is: P |  #(X), P |  Q |~ X __________________________ P |  Q |  X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) And we can derive: Kab B |  S |  {A  B}

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 3)Recall the Assumption: Kab B |  (S |  A  B) Also recall the derived formula above stating: Kab B |  S |  {A  B} We can apply the jurisdiction rule which is: P |  Q |  X,P |  Q |  X ____________________________________ P |  X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) And we can derive: Kab B |  {A  B} Now we can apply the logical postulate rules to the next message with assumptions Recall message 4: Kab Message 4B  A: {N b, (A  B)} K ab

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 1) We can then say that: Kab A  {N b, (A  B)} K ab We can use the saying rule, which is: P  (X,Y) _________________ P  X We can then derive that: Kab A  {(A  B)} K ab

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 2) Recall a previous result we obtained: Kab A |  (B  A) Also recall the result that we just obtained the previous step: Kab A  {(A  B)}K ab We can apply the message meaning rule: K P |  Q  P, P  {X} k ___________________________ P |  Q |~ X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) Finally, we can deduce that: Kab A |  B |~ (A  B)

Protocol Analysis Needham-Schroeder Protocol (with shared keys) 3) Recall a previous result we obtained: Kab A |  #(A  B) Also recall the result that we just obtained the previous step: Kab A |  B |~ (A  B) We can apply the nonce-verification rule: P |  #(X), P |  Q |~ X _______________________________________ P |  Q |  X

Protocol Analysis Needham-Schroeder Protocol (with shared keys) We then obtain: Kab A |  B|  (A  B) In similar manner, we can also derive that: Kab B |  A|  (A  B)

Conclusions of Analysis Needham-Schroeder Protocol (with shared keys) We have achieved this: The goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key Kab and that moreover they each believe that the other believes it K K B |  A  B (msg 3) A |  A  B (msg 2) We also achieve this final goal: K K A |  B |  A  B (msg 4) B |  A |  A  B (msg 4) Our analysis achieves these results, since we have derived these goals

Conclusions of Analysis Needham-Schroeder Protocol (with shared keys) This authentication protocol has an extra assumption, which is that B assumes the key B receives from A is fresh. So Needham-Schroeder protocol had this flaw in it.

Flaws with BAN Logic BAN logic is a belief system and it is much different from a knowledge system. Knowledge systems have an axiom of the following form “If you know p, then p is true.” However, belief systems do not have this axiom, since a belief in p says nothing about the truth or falsity of p. Assumption that all principals taking part in a protocol are honest, in the sense that each principal believes in the truth of each message it sends. However, honesty is not a logical assumption to make.

Advantages of BAN Logic Huge success for formal methods in cryptography, useful tool BAN Logic successful in uncovering implicit assumptions and weaknesses in a number of protocols Vehicle for extensive research in the areas for basis and development of other logic systems BAN’s strengths lie in its simplicity of its logic and its ease of use

Conclusion BAN Logic is one of earliest successful attempts at formally reasoning about authentication protocols. BAN logic involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met. BAN logic can be used to analyze existing protocols and bring out their flaws. As we saw in the Needham Schroeder protocol, BAN logic helped to uncover an extra assumption that the authors themselves did not realize. BAN logic has its flaws, but overall it is a welcome success for formal methods in cryptography.