BAN LOGIC - PowerPoint PPT Presentation

1 / 63
About This Presentation
Title:

BAN LOGIC

Description:

An example of how a postulate is written is in the following fractional form ... Applying this postulate to the previous assumption and derivation, we derive that: ... – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 64
Provided by: cse56
Learn more at: https://www.cse.psu.edu
Category:
Tags: ban | logic | postulate

less

Transcript and Presenter's Notes

Title: BAN LOGIC


1
BAN LOGIC
  • Amit Chetal
  • Monica Desai
  • November 14, 2001

2
Outline
  1. Introduction
  2. Formalism
  3. Role of Time in BAN Logic
  4. Idealization of Protocols
  5. Goals of Authentication
  6. Semantics

3
Outline
  • Steps in Protocol Analysis
  • Example of BAN Logic
  • Needham Schroeder Protocol
  • Flaws/Advantages of BAN logic
  • Conclusion

4
Introduction
  • There exists a variety of authentication
    protocols.
  • -Various design decisions
  • Protocols often depend on assumptions that are
    not clearly stated.

5
Introduction
  • Problems with the design of the protocols
  • Lack of assumptions
  • Lack of formal descriptions
  • Lack of clarity

6
Introduction
  • BAN Logic(formulated by Burrows, Abadi, and
    Needham-1989) is based on an agreed set of
    deduction rules for formally reasoning about the
    authentication protocols and is often referred to
    as a logic of authentication.
  •  
  • It is a formal method for verifying that two
    principals(people, computer, services) are
    entitled to believe they are communicating with
    each other and not the intruders.

7
Introduction
  • Main Purposes of BAN Logic
  • BAN logic helps to prove whether or not a
    protocol does or does not meet its security
    goals.
  • BAN logic helps make the protocols more efficient
    by eliminating messages, contents of message, or
    encryptions of messages. Despite eliminating
    them, the security goals still can be reached.
  • BAN logic helps clarify the protocols
    assumptions by formally stating them.

8
Introduction
  • BAN logic is based on a belief system
  • BAN logic concentrates on the beliefs of
    trustworthy parties involved in the protocol and
    the evolution of these beliefs through
    communication processes.

9
Introduction
  • The steps of BAN logic to analyze the original
    protocol
  • are as follows
  • 1) The protocol is transformed into some
    idealized form
  • 2) Identify your initial assumptions in the
    language of BAN logic
  • 3) Use the postulates and rules of the logic to
    deduce new predicates
  • 4) Interpret the statements youve proved by the
    process? Have you met your goals?

10
Formalism
  • Basic Notation
  • Formalism built on a several sorts of objects
    principals, encryption keys, and
    formulas(statements)
  • A, B, and S denote specific principals(people,
    computers, services)
  • Kab, Kas, and Kbs denoted specific shared keys
  • Kb, Ka, and Ks denote specific public keys
  • Kb-1, Ka-1, and Ks-1 denote corresponding secret
    keys
  • Na, Nb, Nc denote specific statements
  • P, Q, and R range over principals
  • X and Y range over statements
  • K ranges over encryption keys

11
Formalism
  • Basic Notation
  • P ?X P believes X. P would be entitled to
    believe X. The principal P may act as though X
    is true.
  • P ?X P sees X. P can read the contents of
    X(possibly after decryption, assuming P has
    the needed keys) and P can include X in
    messages to other principals.

12
Formalism
  • Basic Notation
  • P X P once said X P at some time sent a
    message including the statement X. It is not
    known when the message was sent(in the past or
    in the current run of the protocol) but P
    believed that X was true when it send the
    message.
  • P ? X P controls X. P has jurisdiction over X.
    P is a trusted authority on the truth of X.
  • (X) X is fresh. Using the logic, time is
    divided into two epoch, the past and the
    present. The present begins with the start of
    the current execution of the current protocol.
    X is fresh if it is not contained in any
    message sent in the past.

13
Formalism
  • Basic Notation
  • K
  • P ? Q K is a shared key for P and Q. K is a
    secure key for communication between P and Q,
    and it will never be discovered by any
    principal except for P or Q, or a principal
    trusted by either P or Q.
  • K
  • ? P K is a public key for P. The matching
    secret key(the inverse of K, denoted by K-1 will
    never be discovered by any principal except P,
    or a principals trusted by P.

14
Formalism
  • Basic Notation
  • XK X encrypted under K. It represents the
    message X encrypted using the key K.

15
Formalism
  • Inference Rules
  • More information about the meaning of logical
    constructs can be deduced from a collection of
    inference rules
  • These rules help generate a set of beliefs to
    provide soundness to the protocol
  • Messages cant be deduced by those without the
    proper keys
  • , means conjunction which is used to append or
    combine something and __________ means implies

16
Formalism
  • An example of how a postulate is written is in
    the following fractional form
  • To express that a statement Z follows from a
    conjunction of statements X and Y
  • (X, Y)
  • _________
  • Z

17
Formalism
  • Types of Inference rules
  • Message meaning rule Rule concerns the
    interpretation of messages. This rule helps to
    explain the origin of the messages.
  • For shared keys, if P ? R,
  • K
  • P ? Q ? P, P ?XK

  • ____________________________

  • P ? Q X

18
Formalism
  • Nonce-verification rule This rule checks that a
    message is recent, and also checks if the sender
    still believes in it.
  • P ? (X), P ? Q X

  • ____________________________

  • P ? Q ? X

19
Formalism
  • Jurisdiction rule This rule states what it
    means for a principal to be the trusted authority
    on the truth of X.
  • P ? Q ? X, P ? Q ? X

  • ________________________________
  • P ?
    X

20
Formalism
  • Belief Rule The rule states that a principal
    believes a collection of statements if and only
    if it believes each of the statements
    individually.
  • Example
  • A) P ? X, P ? Y B)
    P ? (X, Y)

  • ___________________
    ____________________

  • P ? (X, Y)
    P ? X
  •  
  • C) P ? Q ? (X, Y)

  • ____________________

  • P ? Q ? X

21
Formalism
  • Saying rule This rule says that a principal
    sees all the components of every message it sees,
    provided that the principal knows the necessary
    key
  •  
    K
  • A) P ?(X, Y) B) P ?
    Q ? P, P ?XK
    ____________________
    ______________________________
  • P ? X
    P ? X

22
Formalism
  • Freshness Rule This rule states that any
    message with a fresh component is also fresh.
  • P ? (X)

  • ____________________
  • P ? (X, Y)

23
The role of Time in BAN logic
  • The logic has no notion of time to be associated
    with individual statements
  • Explicit use of time in the logic is avoided
  • Division of time into 2 epochs past and present
    is all that is needed.
  • Timestamps are used in some authentication
    protocols but timestamps are not required to be
    made explicit in the logic, only freshness is
    required, so past and present are sufficient time
    divisions.
  • Present
  • Begins at the start of the run of the protocol
  • Beliefs hold through the entirety of protocol run

24
The Role of Time in BAN Logic
  • Past
  • Beliefs not carried forward into the present
  • All messages sent before the present considered
    part of past.

25
Idealized Protocols
  • Typically we see each protocol step as
  • P ? Q message
  • What does this denote?
  • Principal P sends the message and that
    principal Q receives the message. It is an
    informal notation
  • What is wrong with it?
  • Often ambiguous, obscure in meaning, not
    appropriate for formal analysis
  • How to fix it?
  • Transform each protocol into an idealized form
  • Steps
  • 1) Omit the parts of the message that do not
  • contribute to the beliefs of the recipient
  • 2) Omit clear text communication because it
    can be forged

26
Idealized Protocols
  • Example
  • What we normally see in literature
  • A ?? B A, KabKbs
  • Idealized version
  • Kab
  • A ? B A ? BKbs
  • When message is sent to B it can be deduced that
  • Kab
  • B ? A ? Bkbs
  • The receiving principle becomes aware of the
    message (sees the message) and can act upon it.
  •  

27
Goals of Authentication
  • Authentication rests on communication protected
    by shared session key, so the goals of
    authentication may be reached between A and B if
    there is a K such that
  • K K
  • A ? A ? B B ? A ? B
  • Some authentication protocols achieve this final
    goal
  •   K K
  • A ? B? A ? B B ? A ? A ? B

28
Semantics
  • Help provide meaning for some of the formulas
  • Essentially, in order to obtain new beliefs ,
    principals are supposed to examine their current
    beliefs and apply the inference rules in order to
    obtain new beliefs
  • In order to see how new beliefs are brought
    about , we must look at state of the principal at
    each run of the protocol
  • In particular, we will look at the local and
    global state at each run of the protocol for the
    constructs of seeing and believing.
  • The state for the other constructs have a much
    more complicated definition of a state.

29
Semantics
  • Local states
  • These local state describe relations between the
    principals and the objects, and between the
    principals themselves (i.e. believing and
    seeing-messages)
  • Local state of a principal P for example is two
    sets of formulas, MP and BP. MP is the set of
    messages that the principal sees and BP is the
    set of beliefs of the principal. The closure
    properties of these formulas, directly correspond
    to the inference rules. For example,
  • K
  • If P ? Q ? BP and XK ? MP then X ? MP

30
Semantics
  • Global States
  • The global state is a tuple that contains all the
    local states of all the principals
  • Example A global state consists of a set
    containing the local states of 3 principles say
    A, B, and S .
  • If s is a global state for these principles,
    then 
  • Sp is the local set of P in s and BP(s) and
    MP(s) are corresponding sets and beliefs and
    messages for P
  • So for instance, P ? X holds in a state s if X
    ? BP(s), and P ? X holds if X ? MP(s)
  • A set of formulas hold in a given state if each
    of its members holds.

31
Outline
  • Steps in Protocol Analysis
  • Example of BAN Logic
  • Needham Schroeder Protocol
  • Flaws/Advantages of BAN logic
  • Conclusion

32
Steps in Protocol Analysis
  • Derive the idealized protocol from the original
    one
  • Write assumptions about the initial state
  • Use the postulates and rules of the logic to
    deduce new predicates
  • This is repeated through all the protocol
    messages
  • Determine if goals of authentication have been met

33
Protocol Analysis
  • Needham-Schroeder Protocol
  • (with shared keys)
  • Original version without idealization
  • Message 1 A ? S A, B, NA
  • Message 2 S ? A NA, B, KAB, KAB, AKBS KAS
  • Message 3 A ? B KAB, AKBS
  • Message 4 B ? A NBKAB
  • Message 5 A ? B NB 1KAB

34
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • Corresponding idealized protocol is as follows
  • Kab Kab
    Kab
  • Message 2 S ? A NA, (A ? B), (A ? B), A ?
    BKbs Kas
  • Kab
  • Message 3 A ? B A ? BKbs
  • Kab
  • Message 4 B ? A NB, (A ? B)Kab from B
  • Kab
  • Message 5 A ? B NB, (A ? B)Kab from A

35
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • Initial assumptions
  • Kas Kbs
  • A ? A ? S B ? B ? S
  • Kas
    Kbs
  • S ? A ? S S ? B ? S
  • Kab
  • S ? A ? B
  • Kab Kab
  • A ? (S ? A ? B) B ? (S ? A ? B)
  • Kab
  • A ? (S ? (A ? B))

36
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • More assumptions(continued)
  • A ? (Na) B ? (Nb)
  • Kab
    Kab
  • S ? (A ? B) B ? (A ? B)
  • Kab
  • NOTE The assumption B ? (A ? B) meaning B
    believes in the
  • freshness on the key is an assumption that the
    authors of the Needham-Schroeder protocol did
    not realize they were making.

37
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • Now we can apply the logical postulate rules to
    each message with assumptions
  • Recall message 2
  • Kab Kab Kab
  • Message 2 S ? A Na, (A ? B), (A ? B), A ?
    BKbsKas

38
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 1) Recall the Assumption
  • Kas
  • A ? A ? S
  • With this Assumption and message 2, now we can
    say
  • Kab Kab Kab
  • A ? Na, (A ? B), (A ? B), A ? BKbsKas

39
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • Now apply the logical postulate, the
    Message-meaning rule
  • Recall message-meaning rule is
  • K
  • P ? Q ? P, P ? Xk
  • ___________________________
  • P ? Q X
  • Applying this postulate to the previous
    assumption and derivation, we derive that
  • Kab Kab
    Kab
  • A ? S Na, (A ? B), (A ? B), A ? BKbs

40
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 2) Recall the Assumption
  • A ? (Na)
  • Now we can apply the Freshness rule, recall that
    it is
  • P ? (X)
  • ______________________
  • P ? (X, Y)
  • Now we can derive that
  • Kab Kab Kab
  • A ? Na, (A ? B), (A ? B), A ?BKbs

41
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 3) We can use a combination of the above derived
    rules
  • together with Nonce-verification rule
    which is
  • P ? (X), P ? Q X
  • _______________________________________
  • P ? Q ? X

42
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 3) We can use the above derived rules stating
    that
  • Kab Kab Kab
  • A ? Na, (A ? B), (A ? B), A ? BKbs
  • together with
  • Kab Kab Kab
  • A ? S Na, (A ? B), (A ? B), A ? BKbs
  • and the Nonce-verification to obtain
  • Kab Kab Kab
  • A ? S ? Na, (A ? B), (A ? B), A ? BKbs

43
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 4) We can use the belief rule which is
  • P ? Q ? (X,Y)

  • __________________________
  • P ? Q ? X

44
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • We can use this belief rule combined with the
    above derived statement stating that
    Kab Kab Kab A ? S ?
    Na, (A ? B), (A ? B), A ? BKbs
  • to further derive that
  • Kab
  • A ? S ? (A ? B)
  • and that
  • Kab
  • A ? S ? (A ? B)

45
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 5) Recall the Assumptions
  • Kab Kab
  • A ? (S ? A ? B) A ? (S ? (A ? B)
  • and the previous derivations stating that
  • Kab Kab
  • A ? S ? (A ? B) A ? S ? (A ? B)
  • We can apply the jurisdiction postulate to these
    assumptions.
  • Recall jurisdiction postulate
  • P ? Q ? X, P ? Q ? X
  • ___________________________
  • P ? X

46
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • Applying the assumptions above to the postulates
    we finally get
  • Kab Kab
  • A ? (A ? B) and A ? (A ? B)

47
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • Now we can apply the logical postulate rules to
    the next message with assumptions
  • Recall message 3
  • Kab
  • Message 3 A ? B A ?BKbs

48
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 1) Recall the Assumption
  • Kbs
  • B ? S ? B
  • From this we can deduce that
  • Kab
  • B ? A ? BKbs
  • We can now apply the message meaning rule which
    is
  • K
  • P ? Q ?P, P ? Xk
  • ___________________________
  • P ? Q X

49
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • And we can derive
  • Kab
  • B ? S A ? BKbs

50
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 2) Recall the Assumption
  • Kab
  • B ? (A ? B)
  • Also recall the derived formula from above
    stating
  • Kab
  • B ? S A ? BKbs
  • We can apply the Nonce-verification rule which
    is
  • P ? (X), P ? Q X
  • __________________________
  • P ? Q ? X

51
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • And we can derive
  • Kab
  • B ? S ? A ? B

52
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 3)Recall the Assumption
  • Kab
  • B ? (S ? A ? B)
  • Also recall the derived formula above stating
  • Kab
  • B ? S ? A ? B
  • We can apply the jurisdiction rule which is
  • P ? Q ? X, P ? Q ? X
  • ____________________________________
  • P ? X

53
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • And we can derive
  • Kab
  • B ? A ? B
  • Now we can apply the logical postulate rules to
    the next message with assumptions
  • Recall message 4
  • Kab
  • Message 4 B ? A Nb, (A ? B)Kab

54
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 1) We can then say that
  • Kab
  • A ? Nb, (A ? B) Kab
  • We can use the saying rule, which is
  • P ? (X,Y)
  • _________________
  • P ? X
  • We can then derive that Kab
  • A ? (A ? B) Kab

55
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 2) Recall a previous result we obtained
  • Kab
  • A ? (B ? A)
  • Also recall the result that we just obtained
    the previous step Kab
  • A ? (A ? B)Kab
  • We can apply the message meaning rule
  • K
  • P ? Q ? P, P ? Xk
  • ___________________________
  • P ? Q X

56
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • Finally, we can deduce that
  • Kab
  • A ? B (A ? B)

57
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • 3) Recall a previous result we obtained
  • Kab
  • A ? (A ? B)
  • Also recall the result that we just obtained
    the previous step Kab
  • A ? B (A ? B)
  • We can apply the nonce-verification rule
  • P ? (X), P ? Q X
  • ______________________________________
    _
  • P ? Q ? X

58
Protocol Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • We then obtain
  • Kab
  • A ? B? (A ? B)
  • In similar manner, we can also derive that
  • Kab
  • B ? A? (A ? B)

59
Conclusions of Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • We have achieved this The goals of the
    Needham-Schroeder protocol are that A and B each
    believe that they share a secret key Kab and that
    moreover they each believe that the other
    believes it
  • K K B ? A ? B (msg 3) A ?
    A ? B (msg 2)
  • We also achieve this final goal
  • K K
  • A ? B ? A ? B (msg 4) B ? A ? A ? B (msg 4)
  • Our analysis achieves these results, since we
    have derived these goals

60
Conclusions of Analysis
  • Needham-Schroeder Protocol (with shared keys)
  • This authentication protocol has an extra
    assumption, which is that B assumes the key B
    receives from A is fresh. So Needham-Schroeder
    protocol had this flaw in it.

61
Flaws with BAN Logic
  • BAN logic is a belief system and it is much
    different from a knowledge system. Knowledge
    systems have an axiom of the following form If
    you know p, then p is true. However, belief
    systems do not have this axiom, since a belief in
    p says nothing about the truth or falsity of p.
  • Assumption that all principals taking part in a
    protocol are honest, in the sense that each
    principal believes in the truth of each message
    it sends. However, honesty is not a logical
    assumption to make.

62
Advantages of BAN Logic
  • Huge success for formal methods in cryptography,
    useful tool
  • BAN Logic successful in uncovering implicit
    assumptions and weaknesses in a number of
    protocols
  • Vehicle for extensive research in the areas for
    basis and development of other logic systems
  • BANs strengths lie in its simplicity of its
    logic and its ease of use

63
Conclusion
  • BAN Logic is one of earliest successful attempts
    at formally reasoning about authentication
    protocols.
  • BAN logic involves idealizing a protocol,
    identifying initial assumptions, using logical
    postulates to deduce new predicates and
    determining if the goals of authentication have
    been met.
  • BAN logic can be used to analyze existing
    protocols and bring out their flaws.
  • As we saw in the Needham Schroeder protocol,
    BAN logic helped to uncover an extra assumption
    that the authors themselves did not realize.
  • BAN logic has its flaws, but overall it is a
    welcome success for formal methods in
    cryptography.
Write a Comment
User Comments (0)
About PowerShow.com