Download Presentation
## BAN LOGIC

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**BAN LOGIC**Amit Chetal Monica Desai November 14, 2001**Outline**• Introduction • Formalism • Role of Time in BAN Logic • Idealization of Protocols • Goals of Authentication • Semantics**Outline**• Steps in Protocol Analysis • Example of BAN Logic: Needham – Schroeder Protocol • Flaws/Advantages of BAN logic • Conclusion**Introduction**• There exists a variety of authentication protocols. -Various design decisions • Protocols often depend on assumptions that are not clearly stated.**Introduction**Problems with the design of the protocols: • Lack of assumptions • Lack of formal descriptions • Lack of clarity**Introduction**BAN Logic(formulated by Burrows, Abadi, and Needham-1989) is based on an agreed set of deduction rules for formally reasoning about the authentication protocols and is often referred to as a logic of authentication. It is a formal method for verifying that two principals(people, computer, services) are entitled to believe they are communicating with each other and not the intruders.**Introduction**Main Purposes of BAN Logic • BAN logic helps to prove whether or not a protocol does or does not meet its security goals. • BAN logic helps make the protocols more efficient by eliminating messages, contents of message, or encryptions of messages. Despite eliminating them, the security goals still can be reached. • BAN logic helps clarify the protocol’s assumptions by formally stating them.**Introduction**BAN logic is based on a belief system: BAN logic concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes.**Introduction**The steps of BAN logic to analyze the original protocol are as follows: 1) The protocol is transformed into some “idealized” form 2) Identify your initial assumptions in the language of BAN logic 3) Use the postulates and rules of the logic to deduce new predicates 4) Interpret the statements you’ve proved by the process? Have you met your goals?**Formalism**Basic Notation • Formalism built on a several sorts of objects: principals, encryption keys, and formulas(statements) • A, B, and S denote specific principals(people, computers, services) • Kab, Kas, and Kbs denoted specific shared keys • Kb, Ka, and Ks denote specific public keys • Kb-1, Ka-1, and Ks-1 denote corresponding secret keys • Na, Nb, Nc denote specific statements • P, Q, and R range over principals • X and Y range over statements • K ranges over encryption keys**Formalism**Basic Notation P |X:P believes X. P would be entitled to believe X. The principal P may act as though X is true. P X:P sees X. P can read the contents of X(possibly after decryption, assuming P has the needed keys) and P can include X in messages to other principals.**Formalism**Basic Notation P |~ X:P once said X: P at some time sent a message including the statement X. It is not known when the message was sent(in the past or in the current run of the protocol) but P believed that X was true when it send the message. P | X:P controls X. P has jurisdiction over X. P is a trusted authority on the truth of X. #(X): X is fresh. Using the logic, time is divided into two epoch, the past and the present. The present begins with the start of the current execution of the current protocol. X is fresh if it is not contained in any message sent in the past.**Formalism**Basic Notation K P Q: K is a shared key for P and Q. K is a secure key for communication between P and Q, and it will never be discovered by any principal except for P or Q, or a principal trusted by either P or Q. K | P:K is a public key for P. The matching secret key(the inverse of K, denoted by K-1 will never be discovered by any principal except P, or a principals trusted by P.**Formalism**Basic Notation {X}K: X encrypted under K. It represents the message X encrypted using the key K.**Formalism**Inference Rules • More information about the meaning of logical constructs can be deduced from a collection of inference rules • These rules help generate a set of beliefs to provide soundness to the protocol • Messages can’t be deduced by those without the proper keys • “,” means conjunction which is used to append or combine something and __________ means implies**Formalism**• An example of how a postulate is written is in the following fractional form To express that a statement Z follows from a conjunction of statements X and Y (X, Y) _________ Z**Formalism**Types of Inference rules: • Message meaning rule: Rule concerns the interpretation of messages. This rule helps to explain the origin of the messages. For shared keys, if P ≠ R, K P | Q P, P {X}K ____________________________ P | Q |~ X**Formalism**• Nonce-verification rule: This rule checks that a message is recent, and also checks if the sender still believes in it. P | #(X), P | Q |~ X ____________________________ P | Q | X**Formalism**• Jurisdiction rule: This rule states what it means for a principal to be the trusted authority on the truth of X. P | Q X, P | Q | X ________________________________ P| X**Formalism**• Belief Rule: The rule states that a principal believes a collection of statements if and only if it believes each of the statements individually. Example: A) P | X, P | Y B) P| (X, Y) _______________________________________ P| (X, Y) P| X C) P | Q | (X, Y) ____________________ P| Q | X**Formalism**• Saying rule: This rule says that a principal sees all the components of every message it sees, provided that the principal knows the necessary key K A) P (X, Y) B) P | Q P, P {X}K____________________ ______________________________ P X PX**Formalism**• Freshness Rule: This rule states that any message with a fresh component is also fresh. P | #(X) ____________________ P| #(X, Y)**The role of Time in BAN logic**• The logic has no notion of time to be associated with individual statements • Explicit use of time in the logic is avoided • Division of time into 2 epochs: past and present is all that is needed. • Timestamps are used in some authentication protocols but timestamps are not required to be made explicit in the logic, only freshness is required, so past and present are sufficient time divisions. Present • Begins at the start of the run of the protocol • Beliefs hold through the entirety of protocol run**The Role of Time in BAN Logic**Past • Beliefs not carried forward into the present • All messages sent before the present considered part of past.**Idealized Protocols**• Typically we see each protocol step as: P Q : message • What does this denote? Principal P sends the message and that principal Q receives the message. It is an informal notation • What is wrong with it? Often ambiguous, obscure in meaning, not appropriate for formal analysis • How to fix it? Transform each protocol into an idealized form Steps 1) Omit the parts of the message that do not contribute to the beliefs of the recipient 2) Omit clear text communication because it can be forged**Idealized Protocols**Example: What we normally see in literature: A B : {A, Kab}Kbs Idealized version: Kab A B : {A B}Kbs When message is sent to B it can be deduced that: Kab B {A B}kbs The receiving principle becomes aware of the message (sees the message) and can act upon it.**Goals of Authentication**• Authentication rests on communication protected by shared session key, so the goals of authentication may be reached between A and B if there is a K such that: K K A |AB B |AB • Some authentication protocols achieve this final goal: K K A |B|AB B |A |AB**Semantics**• Help provide meaning for some of the formulas • Essentially, in order to obtain new beliefs , principals are supposed to examine their current beliefs and apply the inference rules in order to obtain new beliefs • In order to see how new beliefs are brought about , we must look at state of the principal at each run of the protocol • In particular, we will look at the local and global state at each run of the protocol for the constructs of seeing and believing. • The state for the other constructs have a much more complicated definition of a state.**Semantics**Local states • These local state describe relations between the principals and the objects, and between the principals themselves (i.e. believing and seeing-messages) • Local state of a principal P for example is two sets of formulas, MP and BP. MP is the set of messages that the principal sees and BP is the set of beliefsof the principal. The closure properties of these formulas, directly correspond to the inference rules. For example, K If P Q BP and {X}K MP then X MP**Semantics**Global States • The global state is a tuple that contains all the local states of all the principals Example: A global state consists of a set containing the local states of 3 principles say A, B, and S. If s is a global state for these principles, then Sp is the local set of P in s and BP(s) and MP(s) are corresponding sets and beliefs and messages for P So for instance, P | X holds in a state s if X BP(s), and P X holds if X MP(s) • A set of formulas hold in a given state if each of its members holds.**Outline**• Steps in Protocol Analysis • Example of BAN Logic: Needham – Schroeder Protocol • Flaws/Advantages of BAN logic • Conclusion**Steps in Protocol Analysis**• Derive the idealized protocol from the original one • Write assumptions about the initial state • Use the postulates and rules of the logic to deduce new predicates • This is repeated through all the protocol messages • Determine if goals of authentication have been met**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) • Original version without idealization Message 1 A S: A, B, NA Message 2 S A: {NA, B, KAB, {KAB, A}KBS} KAS Message 3 A B: {KAB, A}KBS Message 4 B A: {NB}KAB Message 5 A B: {NB – 1}KAB**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) • Corresponding idealized protocol is as follows: Kab Kab Kab Message 2 S A: {NA, (AB), # (AB), {AB}Kbs} Kas Kab Message 3 A B: {AB}Kbs Kab Message 4 B A: {NB, (AB)}Kab from B Kab Message 5 A B: {NB, (AB)}Kab from A**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) • Initial assumptions: Kas Kbs A |AS B |BS Kas Kbs S |AS S |BS Kab S |AB Kab Kab A | (S | AB) B | (S | AB) Kab A | (S | #(AB))**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) • More assumptions(continued) A | #(Na) B | #(Nb) Kab Kab S | #(AB) B | #(AB) Kab NOTE: The assumption B | #(A B)meaning B believes in the freshness on the key is an assumption that the authors of the Needham-Schroeder protocol did not realize they were making.**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) Now we can apply the logical postulate rules to each message with assumptions Recall message 2: Kab Kab Kab Message 2 S A: {Na, (A B), #(A B), {A B}Kbs}Kas**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) 1) Recall the Assumption: Kas A |AS With this Assumption and message 2, now we can say: Kab Kab Kab A {Na, (A B), #(A B), {A B}Kbs}Kas**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) Now apply the logical postulate, the Message-meaning rule Recall message-meaning rule is: K P | Q P, P {X}k ___________________________ P | Q |~ X Applying this postulate to the previous assumption and derivation, we derive that: Kab Kab Kab A | S |~ {Na, (A B), #(A B), {A B}Kbs}**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) 2) Recall the Assumption: A | #(Na) Now we can apply the Freshness rule, recall that it is: P | #(X) ______________________ P | #(X, Y) Now we can derive that: Kab Kab Kab A | #{Na, (A B), #(A B), {A B}Kbs}**Protocol Analysis**Needham-Schroeder Protocol(with shared keys) 3) We can use a combination of the above derived rules together with Nonce-verification rule which is: P | #(X), P | Q |~ X _______________________________________ P | Q | X**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) 3) We can use the above derived rules stating that: Kab Kab Kab A | #{Na, (A B), #(A B), {A B}Kbs} together with: Kab Kab Kab A | S |~ {Na, (A B), #(A B), {A B}Kbs} and the Nonce-verification to obtain: Kab Kab Kab A | S | {Na, (A B), #(A B), {A B}Kbs}**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) 4) We can use the belief rule which is: P | Q | (X,Y) __________________________ P | Q | X**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) We can use this belief rule combined with the above derived statement stating that:Kab Kab Kab A | S | {Na, (A B), #(A B), {A B}Kbs} to further derive that: Kab A | S | (A B) and that: Kab A | S | #(A B)**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) 5) Recall the Assumptions: Kab Kab A | (S | A B) A | (S | #(A B) and the previous derivations stating that: Kab Kab A | S | (A B) A | S | #(A B) We can apply the jurisdiction postulate to these assumptions. Recall jurisdiction postulate: P | Q | X, P | Q | X ___________________________ P | X**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) Applying the assumptions above to the postulates we finally get: Kab Kab A | (A B) and A | #(A B)**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) Now we can apply the logical postulate rules to the next message with assumptions Recall message 3: Kab Message 3 A B: {A B}Kbs**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) 1) Recall the Assumption: Kbs B | S B From this we can deduce that: Kab B {A B}Kbs We can now apply the message meaning rule which is K P | Q P, P {X}k ___________________________ P | Q |~ X**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) And we can derive: Kab B | S |~ {A B}Kbs**Protocol Analysis**Needham-Schroeder Protocol (with shared keys) 2) Recall the Assumption: Kab B | #(A B) Also recall the derived formula from above stating: Kab B | S |~ {A B}Kbs We can apply the Nonce-verification rule which is: P | #(X), P | Q |~ X __________________________ P | Q | X