BAN Logic: A Logic of Authentication
Presentation by Heather Goldsby and Michelle Pirtle
(Mike Burrows, Martín Abadi, Roger Needham)
Published 1989, SRC Research Report 39

Overview
• Problem
• Solution – BAN Logic
• Goals of BAN
• Terms
• Symbols, Notation, and Syntax
• Example of BAN - Needham-Schroeder Protocol
• Impact and Limitations of BAN
• Tool Support
• Key Sources

What was the problem?
• Increased usage of computer networks
• A lack of trust during correspondence
• Need to know actual sender of messages
• Need to protect accuracy of sent messages
• Prohibit interception of messages

Solution
• BAN Logic
  • A formalization of the description and analysis of authentication protocols.
• Objective of BAN Logic?
  • It is a logic of authentication
  • Describe knowledge & beliefs of involved parties in authentication in a formal manner
  • Formally analyze the changing knowledge and the beliefs of the parties at each step in the protocol.
  • Logic of authentication allows final protocol states to be made available
  • To provide TRUST among communicating parties

[Burrows, Abadi, Needham]
Goals of BAN
• State what is accomplished by the protocol
• Allow reasoning about, and comparisons of, protocol assumptions
• Draw attention to unnecessary actions that can be removed from a protocol
• Highlight any encrypted messages that could be sent in clear text

Terms
• Idealization: Used to show central information about beliefs of the recipient in a protocol step.
  E.g. Clear text parts are omitted in BAN
• Nonces: unique number generated for the purpose of being fresh
  E.g. Timestamp, sequence number
• Fresh: never been sent in a message before the current run of the protocol.
• Time:
  past - before protocol began
  present - any time after protocol began

Authentication Protocol Syntax
Message = (source, destination, content)
• Source: People / computers / services sending messages
  E.g. Computer A
• Destination: People / computers / services receiving messages
  E.g. Server S
• Content: The information being sent between a source and a destination
  E.g. Message M; M = “Hello World”
• Belief: Things that can be believed by the source and destination but not transmitted.
  E.g. Computer A believes that Server S just sent Message M.

BAN Logic Transformation Process
1. Transform message into idealized logical formula
   • Skip the message parts that do not contribute to the receiver’s beliefs
2. State assumptions about original message
3. Make annotated idealized protocols for each protocol statement with assertions
4. Apply logical rules to assumptions and assertions
5. Deduce beliefs held at the end of protocol

Symbols
• Principals: P Q R
  Specific Principals: A B S
• Encryption Key: K
  Specific Shared Keys: Kab Kas Kbs
  Specific Public Keys: Ka Kb Ks
  Specific Secret Keys: Ka⁻¹ Kb⁻¹ Ks⁻¹
• Statements/Formulas: X Y
  Specific Statements
  Nonces: Na Nb Ns

Notation
P |≡ X      P believes X
P ⊲ X       P sees X
P |~ X      P once said X
P |⇒ X      P has jurisdiction over X
#(X)        The formula X is fresh
P←K→Q       P and Q may use the shared key K to communicate

Notation (cont.)
KP          P has K as a public key
P X Q       Formula X is a secret known only to P and Q, and possibly to principals trusted by P and Q
{X}K        The formula X is encrypted under the key K

Example: Needham-Schroeder Protocol with shared keys
• What does the Needham-Schroeder Protocol do?
  • Distributes a secret session key between two principals in a network
• How the Needham-Schroeder Protocol works during a threat
  • The protocol assumes the secret key shared with the server is intercepted by the intruder and the intruder can read/modify anything passed on the network
  • The protocol also assumes intruders have the ability to block messages from reaching their destinations and insert malicious messages

[Burrows, Abadi, Needham]
Figure of Example: Needham-Schroeder Protocol with shared keys
(Figure: principals A, S and B exchanging Messages 1 to 5)
Message 1: A → S: A, B, Na
Message 2: S → A: {Na, B, Kab, {Kab, A}Kbs}Kas
Message 3: A → B: {Kab, A}Kbs
Message 4: B → A: {Nb}Kab
Message 5: A → B: {Nb − 1}Kab

Example (cont.)
Message 1: A → S: A, B, Na
  A makes contact with server S stating A wants a key to talk with B, Na is fresh
Message 2: S → A: {Na, B, Kab, {Kab, A}Kbs}Kas
  A message from Server S to principal A consisting of a nonce, key Kab, a statement about the freshness of Kab and an encrypted version of Kab to be sent to principal B.
Message 3: A → B: {Kab, A}Kbs
  A message from Principal A to Principal B informing B of the key Kab encoded with the shared key of Principal B and Server S.
Message 4: B → A: {Nb}Kab
  A message from principal B to principal A containing a nonce and Kab, A & B’s shared key.
Message 5: A → B: {Nb − 1}Kab
  A message from principal A to principal B consisting of a nonce and Kab.

[Burrows, Abadi, Needham]
Example (cont.)
Message 2: S → A: {Na, (A←Kab→B), #(A←Kab→B), {A←Kab→B}Kbs}Kas
  Message from S to A encrypted with key Kas
  • Na – A’s nonce indicating freshness of message
  • (A←Kab→B) – key Kab shared between A and B
  • #(A←Kab→B) – nonce indicating key Kab is fresh
  • {A←Kab→B}Kbs – key Kab encrypted with key Kbs
Message 3: A → B: {A←Kab→B}Kbs
  Message from A to B encrypted with key Kbs
  • (A←Kab→B) – key Kab shared between A and B
Step 1: Transform message into idealized logical formula (Message 1 is skipped.)

[Burrows, Abadi, Needham]
Example (cont.)
Message 4: B → A: {Nb, (A←Kab→B)}Kab
  Message from B to A encrypted with key Kab
  • Nb – B’s nonce indicating freshness
  • (A←Kab→B) – key Kab shared between A and B
Message 5: A → B: {Nb, (A←Kab→B)}Kab
  Message from A to B encrypted with key Kab
  • Nb – B’s nonce indicating freshness
  • (A←Kab→B) – key Kab shared between A and B
Step 1: Transform message into idealized logical formula

[Burrows, Abadi, Needham]
Example (cont.)
A |≡ A←Kas→S          A believes Kas is a shared key between A and S
S |≡ A←Kas→S          S believes Kas is a shared key between A and S
S |≡ A←Kab→B          S believes Kab is a shared key between A and B
B |≡ B←Kbs→S          B believes Kbs is a shared key between B and S
S |≡ S←Kbs→B          S believes Kbs is a shared key between S and B
A |≡ (S |⇒ A←K→B)     A believes S has jurisdiction over the shared key between A and B
These are all beliefs within the protocol
Step 2: State assumptions about original message

Example (cont.)
B |≡ (S |⇒ A←K→B)        B believes S has jurisdiction over the shared key between A and B
A |≡ #(Na)               A believes statement Na is fresh
B |≡ #(Nb)               B believes statement Nb is fresh
A |≡ (S |⇒ #(A←K→B))     A believes S has jurisdiction over the freshness of the shared key between A and B
S |≡ #(A←Kab→B)          S believes key Kab is fresh
B |≡ #(A←Kab→B)          B believes key Kab is fresh
Step 2: State assumptions about original message

[Burrows, Abadi, Needham]
Example (cont.)
Message 2: S → A: {Na, (A←Kab→B), #(A←Kab→B), {A←Kab→B}Kbs}Kas
Message 2 with Annotations:
  A ⊲ {Na, (A←Kab→B), #(A←Kab→B), {A←Kab→B}Kbs}Kas
  A sees a message encrypted with key Kas
  • Na – A’s nonce indicating freshness of message
  • (A←Kab→B) – key Kab shared between A and B
  • #(A←Kab→B) – nonce indicating key Kab is fresh
  • {A←Kab→B}Kbs – key Kab encrypted with key Kbs
Step 3: Make annotated idealized protocols for each protocol statement with assertions

Example (cont.)
Nonce-Verification rule
  Checks that a message is recent, thus the sender still believes the message.

  P |≡ #(X), P |≡ Q |~ X
  ──────────────────────
  P |≡ Q |≡ X

  If P believes message X is fresh and P believes Q once said X then P believes Q believes X
Implement Nonce Verification Rule on annotated message 2:
  A ⊲ {Na, (A←Kab→B), #(A←Kab→B), {A←Kab→B}Kbs}Kas
Infer:

  A |≡ #(A←Kab→B), A |≡ S |~ (A←Kab→B)
  ────────────────────────────────────
  A |≡ S |≡ (A←Kab→B)

  If A believes message (A←Kab→B) is fresh and A believes S once said (A←Kab→B) then A believes S believes (A←Kab→B)
Step 4: Apply logical rules to assumptions and assertions

Example (cont.)
Jurisdiction rule
  States that if a principal has control over a statement and believes the statement, other principals should believe the statement

  P |≡ Q |⇒ X, P |≡ Q |≡ X
  ────────────────────────
  P |≡ X

  If P believes Q has jurisdiction over message X and P believes Q believes X then P believes X
Implement Jurisdiction Rule:
  Result of Nonce Verification Rule: A |≡ S |≡ (A←Kab→B)
  Assumption: A |≡ S |⇒ (A←K→B)
Infer:

  A |≡ S |⇒ (A←Kab→B), A |≡ S |≡ (A←Kab→B)
  ────────────────────────────────────────
  A |≡ (A←Kab→B)

  If A believes S has jurisdiction over the shared key between A and B, and A believes that S believes Kab is the shared key between A and B, then A believes key Kab is the shared key between A and B.
Step 4: Apply logical rules to assumptions and assertions

[Burrows, Abadi, Needham]
Example – Final Beliefs
A |≡ A←Kab→B          A believes Kab is a shared key between A and B
B |≡ A←Kab→B          B believes Kab is a shared key between A and B
A |≡ B |≡ A←Kab→B     A believes that B believes Kab is a shared key between A and B
B |≡ A |≡ A←Kab→B     B believes that A believes Kab is a shared key between A and B
Step 5: Deduce beliefs held at the end of protocol
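
Steps 2 to 5 for idealized Messages 2 and 3, mechanized as an added example that is not part of the original slides or of any BAN tool. The tuple encoding and every function name are this sketch's own; besides the nonce-verification and jurisdiction rules shown above, it assumes the message-meaning, freshness-of-conjunction and belief-splitting rules from the BAN paper, and it instantiates the jurisdiction assumptions with Kab.

```python
# Added example (not from the slides): forward chaining over tuple-encoded formulas.
def tag(x): return x[0] if isinstance(x, tuple) else None
def bel(p, x): return ("bel", p, x)                      # P |≡ X
def key(k, p, q): return ("key", k, frozenset((p, q)))   # P←K→Q (symmetric)
def enc(k, x): return ("enc", k, x)                      # {X}K
def fresh(x): return ("fresh", x)                        # #(X)
def ctrl(q, x): return ("ctrl", q, x)                    # Q |⇒ X

def step(facts):
    """Apply every rule once; return the facts derivable in a single step."""
    new = set()
    for f in facts:
        if f[0] == "sees" and tag(f[2]) == "enc":
            p, (_, k, x) = f[1], f[2]
            for g in facts:  # message-meaning: P |≡ P←K→Q, P ⊲ {X}K => P |≡ Q |~ X
                if g[0] == "bel" and g[1] == p and tag(g[2]) == "key" \
                        and g[2][1] == k and p in g[2][2]:
                    (q,) = g[2][2] - {p}
                    new.add(bel(p, ("said", q, x)))
        if f[0] != "bel":
            continue
        p, x = f[1], f[2]
        if tag(x) == "said":
            q, m = x[1], x[2]
            parts = m[1:] if tag(m) == "and" else (m,)
            # a conjunction is fresh if one part is; then nonce-verification applies
            if any(bel(p, fresh(part)) in facts for part in parts):
                new.add(bel(p, bel(q, m)))
        elif tag(x) == "bel":
            q, m = x[1], x[2]
            if tag(m) == "and":                # Q |≡ (X, Y) => Q |≡ X
                new.update(bel(p, bel(q, part)) for part in m[1:])
            if bel(p, ctrl(q, m)) in facts:    # jurisdiction rule
                new.add(bel(p, m))
    return new

def closure(facts):
    """Repeat step() until no new belief appears (Step 5: the final beliefs)."""
    facts = set(facts)
    while True:
        new = step(facts) - facts
        if not new:
            return facts
        facts |= new

KAB = key("Kab", "A", "B")
MSG2 = ("sees", "A", enc("Kas", ("and", "Na", KAB, fresh(KAB), enc("Kbs", KAB))))
MSG3 = ("sees", "B", enc("Kbs", KAB))
ASSUMPTIONS = {  # Step 2 assumptions from the slides that these two messages use
    bel("A", key("Kas", "A", "S")), bel("B", key("Kbs", "B", "S")),
    bel("A", ctrl("S", KAB)), bel("B", ctrl("S", KAB)),
    bel("A", ctrl("S", fresh(KAB))),
    bel("A", fresh("Na")), bel("B", fresh(KAB)),
}
```

Running `closure(ASSUMPTIONS | {MSG2, MSG3})` yields A |≡ A←Kab→B and B |≡ A←Kab→B; with B |≡ #(A←Kab→B) removed from `ASSUMPTIONS`, B gets no further than B |≡ S |~ A←Kab→B, so B's final belief rests entirely on that assumption.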

The Impact of BAN
• First protocol specification language to use formal verification to model authentication
• BAN introduced a simple and powerful notation
• BAN logic postulates (i.e. Nonce-verification rule) are straightforward to apply for deriving BAN beliefs
• BAN logic is the foundation of other protocol specification languages that are more expressive
  E.g. GNY

Limitations of BAN
• Conversion to idealized form
• Lack of ability to state something a principal does not know
  • I.e. private information is not guaranteed to remain private
• Example given by Nessett:
  Assume principals A and B communicate with public keys
    A → B: {Nas, Kab}Ka⁻¹
    B → A: {Nb}Kab
  In idealized form:
    A → B: {Nas, A←Kab→B}Ka⁻¹
      A sends B a message containing secret key Kab encrypted under A’s private key. The public key is well known making the secret key public knowledge.
    B → A: {A←Kab→B}Kab
      Message from B to A with the believed shared key Kab
  Result: The originally secret key Kab is known and the message between B and A can be read and forged

Limitations
• BAN does not catch all protocol flaws
  • False-positives can result
• A principal’s beliefs cannot be changed at later stages of the protocol
  • No division of time in protocol run
• Provides a proof of trust on part of principals, but not a proof of security
  • Final beliefs can be believed only if all original assumptions hold true
• BAN does not account for improper encryption

[Santhoshi, Shreyas]
Tool Support
• SPEAR
  • Model analyzer for BAN Logic
  • Developed for security protocols
• Aspects of protocol development SPEAR supports:
  • Protocol specification –
    • Stating possessions
    • Define interactions with external functions and generated source code
    • Define BAN logic beliefs
  • Security analysis – detect possible attacks
  • Code generation – generates Java code
  • Meta execution and performance evaluation – testing the generated Java code on a safe platform

SPEAR (cont.)
Possession types
• Asymmetric key – used for asymmetric encryption using private and public key pair
• Symmetric key – used for symmetric encryption using the same key to encrypt and decrypt a message
• Delimited data – inserts delimiters into sent messages
• Entity information – used to send identifying information
• Fixed length data – only allows data of a fixed size
• Variable length data – allows data of unknown size, such as messages
The possessions are then initialized by the entities

[Santhoshi, Shreyas]
SPEAR (cont.)
Steps for protocol specification
• Use Protocol-Set Protocol Name option to set the protocol’s name
  • Not needed for BAN but possible with SPEAR
• Declare possessions used in protocol
• Generate needed macros for protocol
  • Not needed for BAN but possible with SPEAR
• State initial BAN beliefs
  • Done only if BAN analysis is desired
• Define entities (principals) involved in protocol
• Initialize possessions required by each entity throughout the duration of the protocol
• Add messages and statement blocks to the protocol for running functions at protocol stages
(This is modeling the system)

[Santhoshi, Shreyas]
Limitations of SPEAR
• SPEAR is not perfect
  • Santhoshi and Shreyas found a bug in the belief derivation logic of SPEAR
• Variations between SPEAR and BAN
  • Slightly different syntax
    BAN: A believes K is fresh
    SPEAR: A believes fresh(K)
  • Shared symmetric keys in initial beliefs are not always allowed
    • Santhoshi and Shreyas implemented the shared symmetric keys as public keys to obtain desired results

BAN Logic Online Sources
• The original paper:
  • “A Logic of Authentication” by Burrows, Abadi & Needham
    http://citeseer.nj.nec.com/burrows90logic.html
• Overviews of BAN Logic:
  • “A Logic of Authentication by Burrows, Abadi and Needham” by Kyntaja
    http://www.tml.hut.fi/Opinnot/Tik-110.501/1995/ban.html
  • The BAN Logic of Authentication by Botting
    http://www.csci.csusb.edu/dick/samples/BAN.html
  • A Semantics for BAN Logic by Bleeker
    http://dimacs.rutgers.edu/Workshops/Security/program2/bleeker/
  • Lecture on BAN by Wing
    http://www-2.cs.cmu.edu/afs/cs/academic/class/15827-f98/www/Slides/lecture4/quick_index.html
• Limitations of BAN Logic
  • On a Limitation of BAN by C. Boyd & W. Mao
    http://citeseer.nj.nec.com/boyd93limitation.html
• Tool Support for BAN Logic
  • “Automated BAN Analysis of Authentication Protocols” by Santhoshi D.B. and Doshi Shreyas
    http://www.ics.uci.edu/~sdoshi/w01/AutomatedBANAnalysis.pdf
  • “SPEAR: a Security Protocol Engineering & Analysis Resource”
    http://dimacs.rutgers.edu/Workshops/Security/program2/hutch/spear.html
  • Obtain a copy of SPEAR from:
    http://www.cs.uct.ac.za/Research/DNA/SPEAR/
  • “Evaluating Cryptographic Protocols” by A. Yasinsac & W. Wulf
    http://citeseer.nj.nec.com/yasinsac93evaluating.html
• Comparison of Cryptographic Protocol Analyses
  • “Three Systems for Cryptographic Protocol Analysis” by Kemmerer, Meadows, & Millen
    http://www-2.cs.cmu.edu/afs/cs/academic/class/17654-f01/www/refs/KMM.pdf
• Industrial Use of BAN
  • “On BAN logics for Industrial Security Protocols” by Agray, van der Hoek, and de Vink
    http://www.cs.uu.nl/groups/IS/archive/wiebe/agray.pdf