Burrows-Abadi-Needham logic

Burrows-Abadi-Needham logic

Burrows-Abadi-Needham logic (also known as the BAN logic) is a set of rules for defining and analyzing information exchange protocols. Specifically, BAN logic helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. BAN logic starts with the assumption that all information exchanges happen on mediums vulnerable to tampering and public monitoring. This has evolved into the popular security mantra, "Don't trust the network."

A typical BAN logic sequence includes three steps: [ [http://www.cs.utexas.edu/users/dahlin/Classes/UGOS/readings/BAN.pdf UT Austin CS course material on BAN logic (PDF)] ]
# Verification of message origin
# Verification of message freshness
# Verification of the origin's trustworthiness

BAN logic uses postulates and definitions – like all axiomatic systems – to analyze authentication protocols. Use of the BAN logic often accompanies a security protocol notation formulation of a protocol and is sometimes given in papers.

Language type and alternatives

BAN logic, and logics in the same family, are decidable: there exists an algorithm taking BAN hypotheses and a purported conclusion, and that answers whether or not the conclusion is derivable from the hypotheses. The proposed algorithms use a variant of magic sets (Monniaux, 1999).

BAN logic inspired many other similar formalisms, such as GNY logic. Some of these try to repair one weakness of BAN logic: the lack of a good semantics with a clear meaning in terms of knowledge and possible universes.

Basic rules

The definitions and their implications are below ("P" and "Q" are network agents, "X" is a message,and "K" is an encryption key):

*"P" believes "X": "P" acts as if "X" is true, and may assert "X" in other messages.
*"P" has jurisdiction over "X": "P"'s beliefs about "X" should be trusted.
*"P" said "X": At one time, "P" transmitted (and believed) message "X", although "P" might no longer believe "X".
*"P" sees "X": "P" receives message "X", and can read and repeat "X".
*{"X"}"K": "X" is encrypted with key "K".
*fresh("X"): "X" has not previously been sent in any message.
*key("K", "P"<->"Q"): "P" and "Q" may communicate with shared key "K"

The meaning of these definitions is captured in a series of postulates:

* If "P" believes key("K", "P"<->"Q"), and "P" sees {"X"}"K", then "P" believes ("Q" said "X")
* If "P" believes ("Q" said "X") and "P" believes fresh("X"), then "P" believes ("Q" believes "X").

"P" must believe that "X" is fresh here. If "X" is not known to be fresh, then it might be an obsolete message, replayed by an attacker.

* If "P" believes ("Q" has jurisdiction over "X") and "P" believes ("Q" believes "X"), then "P" believes "X"

* There are several other technical postulates having to do with composition of messages. For example, if "P" believes that "Q" said <"X", "Y">, the concatenation of "X" and "Y", then "P" also believes that "Q" said "X", and "P" also believes that "Q" said "Y".

Using this notation, the assumptions behind an authentication protocolcan be formalized. Using the postulates, one can prove that certainagents believe that they can communicate using certain keys. If theproof fails, the point of failure usually suggests an attack whichcompromises the protocol.

BAN logic analysis of the Wide Mouth Frog protocol

A very simple protocol &mdash; the Wide Mouth Frog protocol &mdash; allows two agents, A and B, to establish secure communications, using a trusted authentication server, S, and synchronized clocks all around. Using standard notation the protocol can be specified as follows:

A ightarrow S: A,{T_A, K_{AB}, B}_{K_{AS

S ightarrow B: {T_S, K_{AB}, A}_{K_{BS

Agents A and B are equipped with keys "K""as" and "K""bs", respectively, for communicating securely with S. So we have assumptions:

: "A" believes key("K""as", "A"<->"S"): "S" believes key("K""as", "A"<->"S"): "B" believes key("K""bs", "B"<->"S"): "S" believes key("K""bs", "B"<->"S")

Agent "A" wants to initiate a secure conversation with "B". It therefore invents a key, "K""ab", which it will use to communicate with "B". "A" believes that this key is secure, since it made up the key itself:

: "A" believes key("K""ab", "A"<->"B")

"B" is willing to accept this key, as long as it is sure that it came from "A":

: "B" believes ("A" has jurisdiction over key("K", "A"<->"B"))

Moreover, "B" is willing to trust "S" to accurately relay keys from "A":

: "B" believes ("S" has jurisdiction over ("A" believes key("K", "A"<->"B")))

That is, if "B" believes that "S" believes that "A" wants to use a particular key to communicate with "B", then "B" will trust "S" and believe it also.

The goal is to have

: "B" believes key("K""ab", "A"<->"B")

"A" reads the clock, obtaining the current time "t", and sends the following message:

: 1 "A"->"S": {"t", key("K""ab", "A"<->"B")}"Kas"

That is, it sends its chosen session key and the current time to "S", encrypted with its private authentication server key "K""as".

Since "S" believes that key("K""as", "A"<->"S"), and "S" sees {"t", key("K""ab", "A"<->"B")}"K""as", then "S" concludes that "A" actually said {"t", key("K""ab", "A"<->"B")}. (In particular, "S" believes that the message was not manufactured out of whole cloth by some attacker.)

Since the clocks are synchronized, we can assume

: "S" believes fresh("t")

Since "S" believes fresh("t") and "S" believes "A" said {"t", key("K""ab", "A"<->"B")}, "S" believes that "A" actually "believes" that key("K""ab", "A"<->"B"). (In particular, "S" believes that the message was not replayed by some attacker who captured it at some time in the past.)

"S" then forwards the key to "B":

: 2 "S"->"B": {"t", "A", "A" believes key("K""ab", "A"<->"B")}"Kbs"

Because message 2 is encrypted with "K""bs", and "B"believes key("K""bs", "B"<->"S"), "B" now believes that "S"said {"t", "A", "A" believes key("K""ab", "A"<->"B")}.Because the clocks are synchronized, "B" believes fresh("t"), and sofresh("A" believes key("K""ab", "A"<->"B")). Because "B"believes that "S"'s statement is fresh, "B" believes that "S" believes that("A" believes key("K""ab", "A"<->"B")). Because "B"believes that "S" is authoritative about what "A" believes, "B" believesthat ("A" believes key("K""ab", "A"<->"B")). Because "B"believes that "A" is authoritative about session keys between "A" and "B", "B"believes key("K""ab", "A"<->"B"). "B" can now contact "A"directly, using "K""ab" as a secret session key.

Now let's suppose that we abandon the assumption that the clocks aresynchronized. In that case, "S" gets message 1 from "A" with {"t",key("K""ab", "A"<->"B")}, but it can no longer concludethat t is fresh. It knows that "A" sent this message at "some" timein the past (because it is encrypted with "K""as")but not that this is a recent message, so "S" doesn't believe that "A"necessarily wants to continue to use the key"K""ab". This points directly at an attack on theprotocol: An attacker who can capture messages can guess one of theold session keys "K""ab". (This might take a longtime.) The attacker then replays the old {"t",key("K""ab", "A"<->"B")} message, sending it to "S". Ifthe clocks aren't synchronized (perhaps as part of the same attack), "S" mightbelieve this old message and request that "B" use the old, compromised keyover again.

The original "Logic of Authentication" paper (linked below) contains this example and many others, including analyses of the Kerberos handshake protocol, and two versions of the Andrew RPC handshake (one of which is defective).

Notes and references

* David Monniaux, Decision Procedures for the Analysis of Cryptographic Protocols by Logics of Belief, in Proceedings of The 12th Computer Security Foundations Workshop, 1999. [http://citeseer.ist.psu.edu/monniaux99decision.html (Online)] .

External links

* [http://citeseer.ist.psu.edu/burrows90logic.html A Logic of Authentication] ( [http://www.cs.sfu.ca/~vaughan/teaching/401/papers/burrows90.pdf mirror 1] , [http://ftp.digital.com/pub/DEC/SRC/research-reports/abstracts/src-rr-039.html mirror 2] ), the original paper by Burrows, Abadi, and Needham.
*Source: [http://web.archive.org/web/20050902032746/http://www.pasta.cs.uit.no/thesis/html/ronnya/node31.html The Burrows-Abadi-Needham logic]
* [http://www.cs.utexas.edu/users/dahlin/Classes/UGOS/readings/BAN.pdf BAN logic in context, from UT Austin CS (PDF)]

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Burrows-Abadi-Needham-Logik — Die Burrows Abadi Needham Logik (auch bekannt unter BAN Logik) ist eine 1989 von Michael Burrows, Martín Abadi, Roger Needham publizierte Modallogik, mit der kryptographische Protokolle zum Informationsaustausch definiert und auf Schwachstellen… …   Deutsch Wikipedia

  • Martín Abadi — (born 1963)[1] is an argentinian computer scientist, currently working at the University of California, Santa Cruz and Microsoft Research. He earned his Ph.D. from Stanford University in 1987 as a student of Zohar Manna. He is well known for his… …   Wikipedia

  • Roger Needham — Infobox Scientist name = Roger Needham caption = Roger Needham in 1999 birth date = birth date|1935|2|9|df=y birth place = death date = death date and age|2003|3|1|1935|2|9|df=y death place = Willingham, Cambridgeshire residence = United Kingdom… …   Wikipedia

  • Логика Бэрроуза — Логика Бэрроуза  Абади  Нидхэма (англ. Burrows Abadi Needham logic) или BAN логика (англ. BAN logic)  это формальная логическая модель для анализа знания и доверия, широко используемая при анализе протоколов… …   Википедия

  • Логика Бэрроуза-Абади-Нидхэма — (англ. Burrows Abadi Needham logic) или БАН логика (англ. BAN logic)  набор правил, используемый для определения и анализа протоколов обмена информацией. В частности, БАН логика помогает своим пользователям, определить является ли… …   Википедия

  • BAN-логика — Логика Burrows Abadi Needham, более известная как BAN логика (англ. BAN logic)  набор правил, используемый для определения и анализа протоколов обмена информацией. В частности BAN логика помогает своим пользователям, определить является ли… …   Википедия

  • List of mathematics articles (B) — NOTOC B B spline B* algebra B* search algorithm B,C,K,W system BA model Ba space Babuška Lax Milgram theorem Baby Monster group Baby step giant step Babylonian mathematics Babylonian numerals Bach tensor Bach s algorithm Bachmann–Howard ordinal… …   Wikipedia

  • List of mathematical proofs — A list of articles with mathematical proofs:Theorems of which articles are primarily devoted to proving them: See also: *Bertrand s postulate and a proof *Estimation of covariance matrices *Fermat s little theorem and some proofs *Gödel s… …   Wikipedia

  • List of computing topics — Originally, the word computing was synonymous with counting and calculating, and the science and technology of mathematical calculations. Today, computing means using computers and other computing machines. It includes their operation and usage,… …   Wikipedia

  • BAN — may refer to:*Balinese language (ISO 639 alpha 3, ban ) *Bangladesh at the Olympics (IOC country code) *Base Area Network (United States Air Force) *Basel Action Network * Biblioteka Akademii Nauk , the Library of the Russian Academy of Sciences… …   Wikipedia