Exploring the BAN Approach to Protocol Analysis*

Einar Snekkenes
Alcatel Telecom Norway AS
P.B 60, Bkern, 0508 Oslo 5
Norway

Abstract 0 Given a protocol, interpret each protocol step as

a function and identify terms and functions as-
The B A N ( B u m w s , Abadi and Needham) approach sumed to be known by the penetrator. Then i-
to analysis of cryptographic protocols tmnsforms a dentify the terms denoting protected information.
correctness requirement into a proof obligation of a A protocol is said t o be secure if the penetra-
formal belief logic. It is shown that the BAN protocol tor cannot combine the protocol step functions
annotation rules make paws due solely to protocol step and other terms and functions available to him
permutation undetectable by the BAN logic. This is to obtain a piece of protected information, see
illustrated by a shod etample. eg.[13, 16, 12, 15, 41. In general, this approach is
In a recently published critique of the BAN logic D. only applicable to constructive protocol descrip-
Nessett uses the B A N logic to prove ihe correctness tions.
of an insecure profocol. In the style of B A N logic we
define the concept of a terminating idealized protocol. 0 Express the protocol, assumptions and goals in
We then show that the protocol due to D. Nessett a formal logic. A proof of security 1s then
belongs i o the class of non-ierminaiing proiocols. translated into a proof in the formal logic see
eg.[3, 6, 18, 22, 21, 91. In some cases, this ap-
1 Introduction proach can give rise to non-constructive protocol
descriptions with the possibility of inconsistency.
Desi nin correct cryptographic protocols is hard,
[21,[4,[177give several examples of weak protocols. Again, considering the latter, there are two distinct
One can identify several classes of problems associated approaches:
with the closely related tasks of protocol design and
analysis: 0 Modal logics with few operators see eg.[18, 22, 91.
0 algorithm design:- design of the underlying cryp- 0 Logics with a fairly large number of operators.
to algorithms. see eg.[l, 2, 3, 6, 81.
0 parameter choice:- correct choice of algorithm Correctness proofs (relating to logical analysis in the
parameters such as block sizes and key lengths. above sense) are usually rather long. However, this
0 covert channel analysis:- detection of the possi- does not seem to be the case with the BAN family
bility for information flow through channels not
intended to be used for communication. k
of logics[l, 2, 3, 6, 8 Here, ,proofs are usually short
and simple. Never t e less, it has been shown in [3]
that the logic can facilitate the discovery of rather
0 logical analysis and design:- combining crypto subtle flaws. An objective of the work presented in
algorithms and other mechanisms such as random this paper is to explore some of the limitations of the
numbers and clocks into procedures to implement BAN approach. A discussion of the capabilities of the
security in distributed systems. BAN approach can also be found in [23].
First we give a brief summary of the BAN approach
In general, all of the above problems must be to the analysis of authentication protocols, then
solved before a secure distributed system can be we prove some properties of the BAN annotation
implemented. In this paper we will examine an rules. In particular, we prove that there is a very
approach [l,2,3,6,8] which focuses on problems from direct correspondence between annotated protocols
the last category. and BAN formula derivations. In section four we
There are two major approaches to logical analysis of exemplify a consequence of the theorem from section
protocols: three. In section five we consider a weakness of the
logic highlighted in [19] and introduce the notion of
*Research ~ponsorcdby The Royal Norwegian Council for a terminating idealized protocol extending the class
Scientific and Industrial Reeuvch (NTNF) under Grant NNIT of detectable protocol flaws. Finally we give some
0333.22222 concluding remarks.

171
CH2986-8/91/0000/0171$01.OO 0 1991 IEEE
2 Analysis of Authentication Proto- P has said X then you also ought to believe that P
cols believes X . This is stated as :
The general idea of the BAN approach[l, 2, 3, 6, 81
to protocol analysis is to translate protocol messages,
assumptions and goals to formulae of a belief logic. A more complete collection of postulates can be found
Assumptions a,messages Xi’s and the goal I’are then in [2].
written down in the following form:
2.2 Annotated Protocols
To prove properties about protocols one employs the
notion of an annotated protocol written:
Our analysis is complete if we mana e to construct a
purely formal proof of our protocol tescription. {A}Sli * - 9 {xi}, * . Sn,{GI
2.1 Formulae and Postulates where A , Si, Xi,G are called assumption, step, asser-
Below we give an indication of the semantics of some tion and goal respectively. Occasionally, assumptions
and goals are called assertions.
of the frequently used symbols, see [2] for details.
Assume P,Q are entity identifiers, K is a key and Below we give the annotation rules of [3] formalised
X is a formula then in [SI. The effect of a protocol step is that its message
becomes visible to the recipient:
P F X : P believes X and will continue to do so A1 I- {Y}Ui + Uj : X{Y,(Vj 0X)}
for the remainder of the protocol. Entities
are assumed not to discard beliefs during a “Matching” protocol annotations can be sequentially
protocol run’. composed:
PFX: The entity P has uttered the formula X
either in the current run or in some previous
run.
A2 -w
x
t- s1 ... Y
I...
,l- Y SI... z
I...

All annotations except the assumption can be weak-

P CSX: The entity P has jurisdiction over the ened:
formula X and should be trusted with
respect to the formula X.
P 0X: The formula X is visible to P .
#(X):The formula X has not occurred as a We may always add extra assumptions:
subformula in any messages communicated
prior to the current run of the protocol. t- { X } S ...{ Y},Xt- X‘
A4 I- { X , X } S ...{Y}
P A Q:The key K can be used to obtain a secure
channel between A and B. 3 Formula and Annotations
5P :K is the public key belonging to P . K-’ In this section we explore some consequences of the
denoting P’s private key will only be dis- annotation rules. In particular, we prove that for all
covered by P or an entity trusted by P . assumptions, protocols and goals A , S,G :
{ X } K : The formula X encrypted with the key K.
If we from assumption X can construct a formal proof where S is defined below.
of Y1 (written X I- Y1) and from assumption X can Unfortunately the proof is rather long thus, we first
derive the formula Yz,then we can also construct a give a brief overview. The crux of the theorem is
formal proof of the list (Yl,Y2)from the assumption that any proof of a theorem of the form { A } S { G }
X thus, we have: exists if and only one can construct a proof of a
certain structure. That is, a proof P can always be
I1
x I- Y1, x I- Y2 transformed to some proof PI such that PI consists
x t- (Yl,YZ) of applications of A1 followed by applications of A2
followed by a single application of A3. The proof given
The semantics of the formulae are reflected in a below describes this transformation.
collection of postulates such as: If you believe that the
formula X has not occurred in any messages prior to Definition 1 A proof P of { A } S { G } is a finite
the curreni run of the protocol and you believe that sequence of applications of the rules A l l 42, A9,
A4 such that each premise of each annotatton rule
’This assumption dmplifia the logic, but has as a come application is the conclusion of some earlier rule
quence that the andyds technique is strictly not applicable to application and the consequence of the last rule
protocola which d i d beliefa during a run. application is { A } S { G } .

172

_. ~
Definition 2 Ifs denotes the proiocol, Let A denote some annotation rule (typically A l l A2
or A3). Then
A1 +B1 : Xi;
...
... stands for the annotation rule instance A' obtained
An* Bn : Xn by a simultaneous substitution of X I , .. .,Xn by
Y1,...,Yn in A. Due to the column width, substi-
then S denotes ihe formula tutions of the above form may sometimes have to be
broken across lines.
(B1 0 x 1 , OXi, OXn) The next lemma states that rather than first estab-
lishing { X } S { Y } and then weakening the assumption
Let IS1 stand for the number of protocol steps in S. usin A4 to obtain { X ' , X } S { Y } (assuming X I- XI),
we &ow that we could have constructed the proof
without A4. We simply "redon the proof adding X'
Definition 3 A proofP is minimal with respect to to each assertion. Finally we apply A3 to remove ex-
a proof P' iff P and P' prove ihe same theorem, P cess instances of XI.
is some projeciion of P' and P is isomorphic t o some
labeled connected graph. Lemma 3 The rule A4' is derivable from A l , A2,
A 8.
Informally, transforming a proof to a corresponding
minimal proof removes "unnecessaryn parts of the Assume P is some proof that I-
proof. Note that a minimal proof is not unique since { Y ) where P only contains applications of
we allow annotations referenced, say n times to be 1 , A2, A3. We give a procedure for transformin P
derived m times for any m 5 n. to P' such that P' is a proof that I- { X ,X ' } S . . .f Y }
If P is a proof, then P ( i ) denotes the i'th annotation and P' only contains instances of A l l A2, AX If AX
rule application of P . is an annotation rule, then let AXk be a particular
instance of AX as shown below. In 1 we extract the
old values of the variables and in 2 we construct a new
Lemma 1 For all proofs P', there is some proof P instance of the rule from old variable values and new
such that P is minimal with respect to P'. formulae.
For each instance
Proof : We give the outline of a procedure for
transforming an arbitrary proof to some correspond-
ing minimal proof. Assume P' proves T . Since P' is
a proof, it corresponds to some finite forest where at
least one of the trees in the forest, say a has the root of A1 in P use instead the instance
T. Finally, a can be linearised to some proof P such
that P is a projection of P'.
0
Similarly, for each instance of A2 in P
Lemma 2 I f P = P<P2'XP32 is a proof ofT, >
0 , A is the instance ofsome annotation rule and each
premise of A occurs in the conclusion of some rule
instance in P I , then P' = PlnKP2-P3 is also a proof use instead the instance
of T .

Proof: Directly from definition 1

0 For each instance
We now define the rule A4' stating that the assump-
tion may always be strengthened. Below we show that
a proof of T containing instances of A4' can be re-
placed by a proof without instances of A4'. Since A4
is derivable from A4' it follows that we can restrict
our attention to proofs constructed solely by means
of A l l A2, A3. use instead the instance

A4'
~ ~~ ~

rdenotea the sequence concatenation operator.

noting that we can easily construct a roof that {X}S2{X‘,a. Since Y = X’,& it follows that
Xi, X I- (Xi, X’) whenever Xi I- Xi (by 115. 0 {X}S2{Y).
I-
Finally, we obtain a proof that
If we allow instances of A3 to be replaced by other A3
.
I- {X,X ’ } S .. {Y} instances, we can move instances of A2 “to the left”
of all A3 instances.
by appending IS1 applications of A3.
U Lemma6 I f P = P i z n < A 3 1 , ...,A3n1A21 >-P3 is
a proof of T = {A}S{G} and Plo is some A l , A 2
Corollary 1 The rule Ad is derivable from A l , A$ proof, then P’ = Pi; < A3,,A3,,A31,...,A3n >
A 9. ^P;<A3,> is a p r o o f o f T , wherePi2 issomeAl,A2
proof.
Corollary 2 An7 proof P of T can be transformed
i o some proof P of T such that P’ only contains Proof : We give a procedure for transforming P to
applications of A l l A%, A3. P’. From
Let A3, be the trivial instantiations of A3 92-< A31,. . .,A3,,A21 >nP3
we obtain
P12^< A&, . . .,A3,, A21 >^P3^< A3, >
When A3, is used later in the text, we will leave to by definition of proof (definition 1) and A3,. Again
the reader to work out the appropriate instantiation. from the definition of a proof, we may insert a copy
of A31,. ..,A3, after A21 in P obtaining
Lemma 4 If P is a proof of T , then there ezisis a
proof P‘ = PrPi of T such that Pi is a sequence
of applications of A1 and Pi is a proof without
applications of A l . Since A21 has only two premises, (a ain from the
definition of a proof) we may delete ab but at most
Proof : First append A3,, then apply lemma 1 two of the A3 applications preceding A21. From this
resulting in some minimal proof P”. Finally, all A1 we obtain
instances in P“ can be moved left, by at most !PI
applications of lemma 2.
cl since we can always insert one or two trivial A3
The “rule” A3 does in fact define a collection of rules. applications. We now have the following situation (or
Let A3’ be the instance of A3 which weakens the its symmetric brother) :
i’th assertion of A3 and A 9 , A3f, Ali denote some
arbitrary instantiation of A3’, A3’, A1 respectively.
Similarly, let A33,,j denote some A 9 instance which
A3i A3j
has w as its protocol assumption and where 8 is the
protocol being annotated. 1 1 (3)
A21
Recall that A3 weakens the non-assumptions of an
assertion, We now show that A3 can be used
to construct an annotation with a strengthened
assump tion. Moving A3j is easy, we simply modify the second

Lemma 5 If P is some A l , A 2 proof of the theorem

T = {X’}S2{Y} and X I- X’,then there is a proof
i
premise and consequently also parts of the conclu-
sion) of 21 to be the first premise of A3j. From the
second premise of A3j one can produce an A3 instance
A3jl having Z’ l- Z as its second premise. Thus, the
P’ = P r A 3 2 i , , 1 of {X}S2{Y} such ihai Pi is an proof segment (3) can be transformed to some seg-
A l , A 2 proof. ment
Proof: By induction on the length of S2 it is easy to < A3i,A211,A3jl>
show that Y = X’,& modulo formula permutation.
Thus we have established I- {X’}S2{X‘,sz). But
then there trivially exists another A l , A2 roof where If A3i does not weaken the goal of its premise
one can easily construct some proof segment <
X is substituted for X’,that is : l- { X f & { X , a . A21u,A3l1A3 >. Note that A2 is applicable
By a single application of A3Fh2 we obtain I- whenever we%ave some formula Y occurring as the
goal of one annotation and as the assumption of some Deftnition 4 A3t,,,,i denotes some arbitrary in-
assertion. stance i of A3' which has w as the assumption of the
The remaining cases are captured by the following annotated protocol (both i n premise and conclusion)
instantiations: and 8 is the list of protocol steps.

A31 Let A3: be the trivial A3' instance

.
I- { W y l . .{Xl 1 . . .{Xn) ,
A3: X1 I- 1 , . . .,Xn I- Xn
. .
I- {W}Sl.. {XI}..{Xj}. {Xn}

Lemma9 I f P = P i n < A 3 f , ...,/U:,> isaproof

To summarise, from the assumptions, we have estab- of T, then there is some proof P' = PI- < A3:+1 >
lished:
of T.
1. The existence of some Al,A2 proof that I-
{X} Sl{Y'1. Proof : Obviously, F < A3: > also is a proof
of T. Using lemma 1, we obtain some minimal prof
2. Y ' I - Y P" = Pr
< A3',', ... ,A3: > of T. Assume the
formulae are labeled as follows: let the formula X i , j
3. The existence of some Al,A2 proof that I-
belong to the i'th formula derivation of the j'th A3"
{Y}S',{Z)* instance. Then we have a collection of derivations
By applying lemma 5 to 2 and 3 above, we obtain Xi,j I- Xi,jli = 1.. .m,j = 1.. .n
some proof P{~A3$~~s:,1of { Y ' } S i { Z } . Since we
have shown above how an A3 instance feeding the where Xjj+l = Since formula derivations are
second premise of A21 can be moved to the right, we transitive , we obtain
conclude that
Xi,l I- Xi,,
P{,^< >^P3^<A3, >
A21l,A3,,A3ylA31,...,A3n
Thus, the sequence of A3"s can be replaced by the
is a proof of T. A3' instance
0

Lemma 7 If P is a proof of T = { X } S { Y } , then

there is a minimal proof P' = Pl^P<P3 of T such that
P I , Pa, Ps consist solely of applications of Al, A2, A3
respectively. noting that Wj = Wn,S1,j = S1,jl and the conclusion
of P{(lP{l)) occurs as the first premise of A3',' since
Proof : By applying lemma 4, we obtain a proof P'' is minimal.
0
P1^P' where PI is some A1 proof and P' does not
contain any a plications of Al. Then, the desired
result follows Ey applying lemma 6 at most once for Lemma 10 If there etists a proof P of A P =
each application of A2 in Pt. {A}S{G}, then there also exists a proof P' of
I-?
U A P such that P' = PrPrPi where Pi,P&Pi are
Recall that A3 weakens one assertion at the time. One proofs constructed using on$ A l l A2, A3* respectively.
application of A3' (defined below) may weaken all Furihennore, Pi contains etactly one application of
non-assump t ion assertions. A3'.

Proof : By lemma 7 we obtain a proof P'' =

P1^P2-P3 such that PI,9,P3 consists solely of ap-
plications of A l l A2, A3. Then, A3 occurrences are
transformed to A3' occurrences by lemma 8. Finally,
by lemma 9, we can reduce P3 to length one.
Lemma 8 A3 and A3' are mutually derivable. 0

Proof : First A3 from A3'. For all Xj I- Xj where Lemma 11 If P = Pl^PZ is a proof of T =
i # j in A3' choose Xj = Xj,then A3' from A3, {Xo}Si{Xi}. . .{Xn-I}Sn{Xn} where Pi, P 2 consists
apply A3 n times. of applications of Al,A2 respectively, then Xn =
0 XOl&l...l&.

175
Proof: We first establish that all annotations occur- 4.1 An Example
ring in P are of the form {Xi}Si+l{Xi+l}. ..Sj{Xj} Consider a realtime monitoring application employ-
for some i ,j where Xi+l = Xi, si+l. ing a master computer M , and a collection of micro-
If Ali is the instance annotating Sj, then Ali = .
processor controlled sensors S I , . . ,s,. Several times
{Xi-l}Si{Xi} = {Xi-l}Si{Xi-l,%} since all A1 each day M requires information from the sensors.
instances are of the form {A}Sj (A, Sj}. Otherwise, For security reasons, sensor responses have to be giv-
en a timely digital signature such that M can be sure
no A l , A2 proof of {Xo} . . .{X,,} canxe constructed. that the response correctly reflects the sensors state.
Let P2(k) denote the k’th ste of Pa. By induction Consider the protocol PR1 stated below.
on k it is easy to show that goth premises and the
conclusion of 4 ( k ) are of the form
1. M -+ Si : Questionif
2. Si -+ M : {(Rsij,Questioni,j,Answeri,j)},-*
{Xi}si+l.. .Sj{Xj} Si
3. M + Si : { R ~ ~ j } , ; i
for some i , j . But then T also is of the form
{Xi}Si+l.. .Sj{Xj} for i = 1 , j = n. First M sends a numbered request to Si. Then Si
Finally, by induction we have that Xi = Xo,&, . . ., responds by sending a nonce (Rsi,j) together with the
so x, =XI),$,...,s,. question and answer pair, all signed with Si’s private
0 key. Finally, M sends Rsi,j (signed with M’s private
key) to Si.
Theorem 1 For all assumpfions, protocols and goals To prevent replay, M keeps track of those Rs,,j’s
A, S, G: (nonces) previously received. The last message tells Si
that M received message 2. Thus, making the usual
t- {A)S{G) iff AS I- G cryptographic assumptions we have3
Mb#(Rsi,j)
1
Proof : We first show if t- {A S{G} then A , S t- G.
Assume there is a proof P o {A}S{G}, then by
lemma 10 there is some minimal proof P’ = P,^p,^p,
a1 :
a2 : M b h Si
~3 : MESi 4 (Questioni,j, Answerif)
such that lP31 = 1 and PI,Pa, P3 contains solely
applications of A l , A2, A3’ respectively. But then by
lemma 11 PlAP2is a proof that t- {A}S{A,S}. Since At the end of the protocol, M should believe the
by lemma 10 we know the structure of 4,it follows question, answer pair.
that A, S I- G.
What remains is to show is that if A , S I- G fhen r: Mb(Questionij, Answerj,j)
I- {A}S{G}. By IS1 applications of A1 and IS1 - 1
applications of A2, we obtain a proof that Let o = al,a2,o3 then one can construct a purely
formal proof that
t- {A}S{A,Sl
t- {a}PRi{r}
By applying A3 once, using the assumptions A , S I- G,
we immediately obtain Unfortunately, in spite of the existence of a formal
proof, the protocol does not quite work as expected.
Consider the threat where a process C is inserted
t- {AlS{G} between M and Si. Then C may interact with Si
several times, obtaining a collection of formulae
0 { (Rsi,j, Questionij, Answeri,j))ksi, j = 1,. ..,n
This theorem applies to any reasonable extension of
BAN. This is enough information for C to violate the
security5 of the system since he has a choice of
responses he can make.
4 The Permutation Problem
3a1 : M believes that R s i , j is fresh. a1 : M believes that
In this section we first give an example illustrating Ki is a good public key for Si and that Si’s private key will
that the BAN approach cannot detect flaws caused never be discovered by any principal except Si or a principal
solely by step permutations. We then give a theorem trusted by Si. a3 : M believes that Si is competent to provide
to the effect that this applies to any protocol. By correct question and answer pairs.
means of an example we also show that it is likely ‘If the assumptiomai,a4,a3 don’t hold, some of the BAN
that any proposed zero knowledge [5, 7] extension inference rules will fail to be applicable resulting in a possible
to BAN will fail in detecting serious flaws in such failure of the god of the protocol.
authentication protocols. 5We use the term recvrity in a broad sense.

176
By a slight modification of the message orderin (in- 1 . Choose k random numbers S I , ...,Sk in 2,.
terchange messages 2 and 3 and letting M decik the
2. Choose each I j (randomly and independently) as
6
value of each I& * this new and more dependable)
protocol PR2 wid essentially ave the same idealiza-
tion as P R I . Furthermore, we may construct a purely
f l / q ( m o d n).
formal proof that I- { ~ Y } P R ~ { I ' } . 3. Publish I = 1 1 , .. .,I k and keep S = S I , .. .,Sk
secret.
4.1.1 A Generalisation where n is the product of two primes of the form 4n+3.
The actual authentication protocol (FFS)is:
The step permutation problem is in fact applicable to
any protocol. Repeat 1 - 4 t times:

Theorem 2 If P R , P R are protocols identical mod- l.A +B :X = f R 2 ( m o d n)

ulo step permutation where P R is correct with respect 2.B + A .
:E l , . . ,EL
t o assumption A and goal G and PR' is demonstrably 3.A + B : Y = R - n E j = l I j ( m o dn)
insecure, then PR' can be proven correct. 4. B verifies that X = f Y 2 . IIEj=lIj(mod n)

Proof: Using theorem 1 we transform the erroneous

protocol to its corresponding sequent of the annota-
6
where R is a random number chosen by A one number
for each round and ( E l , . . .,Ek)is a ran om boolean
b'
vector chosen y B (one vector for each round).
tion logic. Let D1, D2 be sequents corresponding to
secure and correct protocols respectively. Then we Assume that we can express the required assumptions
have that D1, D2 are mutually derivable since the for- in some extension of BAN as the formula a,the goal
mula logic allows formulae to be permuted (lists are as I' and let FFS' be the idealization of FFS. We
interpreted as conjunctions). Since D2 is assumed to then would expect
hold, so will D1.
0 I- {a}FFS'{I'}
Since this proof does not de end on any properties to be a theorem.
of the BAN belief logic gxcept for lists being Consider the protocol P R being identical to FFS
permutable), theorem 2 will also holds for arbitrarily except that step 1 and 2 are interchanged.
extended collections of formula derivation rules.
Repeat 1 - 4 t times:
From theorem 2 and the example above, we note that
extreme care has to be taken when making freshness l . B ---* A : E l , . . .,Ek
assumptions. In particular, we may disallow an entity 2.A+ B : X =fR2(modn)
to assume the freshness of a formula it did not itself 3 . A - B : Y =R*nEj=lIj(mOdn)
generate.
4. B verifies that X = f Y 2 . IIE,,lIj(mod n)
There are at least two ways one may attempt to avoid
the consequences of theorem 2: If PR' is the idealization of PR, it follows from
theorem 2 that
0 use a belief logic where lists of formulae cannot
be permuted and thus are not interpreted as I- {cr}FFS'{I'} iff I- {a}PR'{I'}
conjunctions (at least not in the usual sense) and
hence invalidating theorem 1. From B's point of view, PR cannot be distinguished
from the protocol PR1:
0 find a different collection of annotation rules.
Repeat 1 - 4 t times:
It may be claimed that it is not particularly hard to
detect the error exemplified above, never the less it is 1. B + A : El,.. . Eh .
somewhat discomforting to know that no such error in
any potentially long and complicated authentication
protocol can be detected if one adopts the annotation 4. B verifies that X = f Y 2 IIEji=lIj(modn)
rules A l , A2, A3, A4!
where A chooses Y randomly and calculates X .
4.2 Zero Knowledge Protocols
Here, B's check will always succeed thus, the protocol
Here we show that it is unlikely that there exists an will not be well suited as an authentication protocol.
extension to BAN suitable for the analysis of zero To summarise, we have shown that an extended
knowledge protocols. The zero knowled e protocol BAN approach facilitates a proof that a good zero
below is taken from (51, Similar exampfa can be knowledge protocol achieves its goals if and only
constructed for other zero knowledge protocols [20]. if a significantly flawed protocol can be proven to
Assume A wants to prove to B that he is in fact A . achieve the same goals. Thus, a BAN analysis of zero
For key generation A will do the following: knowledge protocols will provide little extra comfort.

in
5 The Termination Problem where A , S is in some sense inconsistent. From
theorem 1 it follows that { A } S { G } is provable.
Now we turn t o a slightly different problem, highlight- However, the solution to the above problems is well
ed in [19]. Consider the idealized protocol P: known: a statement or protocol siep S terminates
after finite iime only if FALSE is not a derivable
M1 A+B assertion succeeding S.
We now present a partial solution to the above
M2 B 4 A problem. Let F denote some formula of BAN logic,
P , Q be entity identifiers and K be a key. Then we
Let a = 01,. . . , a 5 denote the assumptions of the have
protocol where:
Definition 5 Let A : Formula Formula where
a1 :
a2 :
P A Q
when K is a symmetric k e y
as : when K is a public key
a4 : F when K" is a private key
cy5 :

P 0A ( F )
Let r = I'll.. .,r4 denote the goals of the protocol
where:
rl : A~A~*B
r2 : B F A E A ~ B
r3 : B ~ A - B 6
Informally, A F) projects out the parts of F observ-
able without aving access to private or symmetric
keys.
r4 : A E B E A&
K B
Definition 6 When X is a subformula of Y we write
Then it is easy to show that I- { a } P { r }is derivable in x 5Y.
the BAN lo ic presented in[2]. It is noted in [19] that
in spite of &e existence of a "BAN security proof", We now introduce the termination rules T1 and T2.
the protocol P is obviously insecure6. Intuitively, TI corresponds to the requirement that
In the remainder of this section we take the view only the owner of the session key K and trusted
that the above problem occurs since BAN logic only entities should be able to derive formulae in which
considers partial correctness. K occurs non-encrypted.
Consider the annotation rule of the assignment Rule T1 states that if from the assumption that P
statement believes a can derive that P believes that some
{P,X}X := e { P } (where Q is not known to be trusted wrt. the key 18
can observe K and that P believes that K is a good
stated in [lo]. Since we have key, then we can derive Ifrom a.

k (Y < 5 A FALSE) j X > 5 P b a I- PEQ @ F , a I- PEP1

K
P2

-
~1 c--)

then by the right consequence rule a tL

K
provided PI A P2 5 A ( F ) , P Q 4 PI P2
is not derivable from a anC P Q # P I ,P2

where 0 E {b, 0, 4, k}.

we can easily establish
All entities are assumed to know the derivation rules
I- {Y < 5 A FALSE}X := 2{X >5) thus, we have the rationality rule[8]:

Clearly, the program is correct with respect to its XI-Y

specification, but still something is wrong. T2 T
Similarly, in the world of belief logic, it is possible to
find some proof of If S is an idealized protocol where IS1 = n then let
ASI-G m E N such that m > 2n. When 1 k , l 5 m,
1 5 i 5 n we define
6Anybody with the access to A's public key will be able to
deduce the symmetric key K A Bshared by A snd B . Al' :I- {X}& + pi : X j { X , PI 0 X i , . .,Pm 0 X i }

178
reflecting the assumption that sent messages are Proof : From theorem 3 it suffices to show
visible to some arbitrary large finite collection of cu,
Ml+m,M2" I-L.
entities. Assume
a,Ml". M2" (4)
Let S" denote the protocol S modified such that
all messages are observable by at least all parties From 4
participating in the protocol.
C 0 {N*,A B}K~-I for C # A , B (5)
Definition 7 Let From definition 5
*m
: Idealized protocol + Idealized protocol
A((NA,A Ka } ( N A , AK
B } K ~ - I= a
B) (6)
where: From the assumptions in 4
Sm= S When (SI= O
(Pi + Pj : Xi;S)" = (Pi + PI : X i ; A F A KABB (7)
From T2,4,5

A b ( & ,M1. M2) F A b C 0 { N A ,A Ka

B } K ~ - (I8 )
Note that *m distributes over protocols. That is, we
have From the assumption a we see that A does not believe
in the competence of other processes (i.e. we do not
9"=S~*m;...;S"+m have a F A b P 4 F for for any P, F). Without the
where n = IS1 use of the jurisdiction rule[2, 31
Let B A N denote the collection of postulates from [3] PbQ +x,PkQbX
(ie. the inference rules of the belief logic), BAN' PFX
be B A N extended with T1, T2, let A' denote the
system consisting of Al', A2, A 3 , A4 and let A denote the communicated messages will a t most result in
the system consisting of A l , A2, A3, A4. A b P F F for some P , F. Then the jurisdiction rule
We now show that a slightly modified theorem 1 for cannot become applicable thus, A F C 4 F for any F
the new system (A') of annotation rules. is not derivable.

Theorem 3 For any finite protocol S , IS1 = n where

AECFA Ka
B is not derivable (9)
m E N,m > 2n we have: From definition 6
FBANWAJ {4s{r}iff a , S m k B A N r7
8 A -
KAB
B 5 ( N A , A KAE! B )
From T1, 8, 7,lO and 9 we finally obtain
(10)

Proof: See the appendix.

0
I (11)
Definition 8 A protocol P with assumptions a is Thus, we have shown that I is derivable so the
said to terminate : ~ ) L B A N ' " A{' ( r } P { L } s . protocol does not terminate.
0

Note that if P terminates with assumption a , one can 6 Conclusion

always find an a' such that P does not terminate with
respect to (a,a').The above rules will not in general One reason for some of the problems with the BAN
allow formal (i.e. purely syntactic) termination proofs approach appears to be that cryptographic protocols
to be constructed. are viewed at a very high level of abstraction. In
some cases, this may be acceptable or even desirable
We now show that the protocol proposed in[19] does provided the BAN user is aware of the limitations of
not terminate. the technique.
In [23] it is explained why the BAN approach is not
Claim 1 The protocol M1;M2 does not terminate suited for the analysis of protocol security. (231 focuses
with assumption a (M 1,M2, a as defined above). on the derivation of formulae from sets of formulae and
in particular limitations of BAN which other lo ics
' l - ~F : F is derivable in the system L (eg. KPL [22]) may remove. We have shown tfat
* ) L B A N ' ~ A ' F : F is not derivable in the system BAN'UA'. the step permutation problem relies on the annotation

179
rules Al(Al’), A2, A3, A4 and is almost independent [7] S. Goldwasser, S . Micali, and C. Rackoff. Knowl-
of the logic. However, the step permutation problem edge complexity of interactive proof system-
can be reatly reduced by only allowing the first s. SIAM Journal of Computing, 18(1):186-208,
sender o f a nonce n t o assume the freshness of n. 1989.
We have suggested that an apparent flaw in the BAN
logic[l9] is due to BAN 1oe;icbeing restricted to partial [8] L. Gong, R. Needham, and R.Yahalom. Reason-
correctness and not termmation. By introducing an ing about belief in cryptographic protocols. In
extra termination proof obligation, we have indicated Proceedings of the IEEE Computer Society Sym-
how the BAN logic can be used to detect a broader posium on Security and Privacy, pages 234-248,
class of security flaws. Employing the notion of 1990.
termination, it has been shown that the protocol due
to D.Nessett does not terminate. [9] Joseph Y. Halpern and Michael 0. Rabin. A logic
to reason about likehood. Ariifical Intelligence,
Work suggests that termination proofs are more com- 32(3):379-405, July 1987.
plicated than the usual BAN correctness proofs.
Thus, when combining the complexity of BAN cor- [lo] C.A.R. Hoare. An axiomatic basis for computer
rectness and termination proofs with other a proach- programming. CACM,12(10):576-580,1969.
es to protocol analysis, see eg.[15, 11, 14, 12rit is by
no means obvious that the BAN approach is simpler. [ll] Tad0 Kasami, Saburo Yamamura, and Kenichi
However, in practice it may well be the case that se- Mori. A key management scheme for end-to-
curity flaws manifest themselves as partial correctneas end encryption and a formal verification of its
flaws giving the BAN approach a very attractive flaw
detection over effort ratio. -
security. Systems- Comput. Conirols, 13(3):59-
69, 1982.
Acknowledgements [12] Richard A. Kemmerer. Analyzing encryption
I would like to thank Klaus Gaarder for several helpful protocols using formal verification techniques.
comments and K t e Presttun for his encouragement IEEE Journal on Selected areas in Communica-
and continued support. Comments by the anonymous tions, 7(4):448-457, May 1989.
referees helped in improving the presentation.
[13] Dennis Longley. Expert systems applied to the
analysis of key management schemes. Computers
References and Security, 6(1):54-67, February 1987.
Michael Burrows, Martin Abadi, and Fbger
Needham. Authentication: A practical study [14] Wen-Pai Lu and Malur K. Sundareshan. Secure
in belief and action. Technical Report 138, communication in internet environments: A hier-
University of Cambridge Computer Laboratory, archical key management scheme for end-to-end
1988. encryption. IEEE Tkansactions on communica-
tions, 37(10):1014-23, October 1989.
Michael Burrows, Martin Abadi, and Roger
Needham. A logic of authentication. Technical [15] Catherine Meadows. Using narrowing in the anal-
Report 39, Digital Systems Research Center, ysis of key management protocols. In Proceedings
1989. of the IEEE Computer Society Symposium on Se-
curity and Privacy, pages 138-147, 1989.
Michael Burrows, Martin Abadi, and Ro er
Needham. A logic of authentication. A8M [16] J.K. Millen, S.C. Clark, and S.B. Freedman.
Zhnsactions on Computer Systems, 8( 1):1&36, The interrogator: Protocol security analysis.
February 1990. IEEE Tkansactions on Sofiware Engineering,
Paul-Chen Cheng and Virgil D. Gligor. On
13(2):186-208, February 1987.
the formal specification and verification of a
multiparty session protocol. In Proceedings of the [17] J.H. Moore. Protocol failures in crypto systems.
IEEE Computer Society Symposium on Security Proceedings of the IEEE, 76(5):594-602, May
and Privacy, pages 216-233,1990. 1988.

U. Feige, A.Fiat, and A. Shamir. Zero-knowledge [18] L.E. Moser. A logic of knowledge and belief
proofs of identity. Journal of Cryptology, 1(2):77- for re-ning about computer security. In Pro-
94, 1988. ceedings of the Computer Security Foundations
Workshop II, pages 57-63. IEEE Computer Soci-
K. Gaarder and E. Snekkenes. On the formal ety Press, 1989.
analysis of PKCS authentication protocols. In
-
Advances in Crypiology Auscrypt’90, Lecture [19] Dan M. Nessett. A Critique of the Burrows,
Notes in Computer Science, pages 106 - 121. Abadi and Needham Logic. Operating System
Springer, 1990. no. 453. Review, 24(2), April 1990.

180
[20] Jean-Jacques Quisquater and Louis Claude Guil- We then show that if a,S+" I-BANJ r then I-BAN'UA~
lou. Des procddb d'authentification bas& sur {a)S{I'). First construct I-BAN'UA' {a)S{p, S*m)
une publication de problbmes complexes et per-
sonnali& dont les solutions maintenues secretes
constituent autant d'accr/'editations. In Proceed-
by IS1 applications of All and IS
of A2. From the premise and 3
~nB A N W A{a)S*m{r).
~
d- 1 applications
it follows that
ings of SECURICOM, pages 149 -158,1989. U

[21] P. Venkat Rangan. An axiomatic basis for trust in

distributed systems. In Proceedings of the IEEE Lemma 12 For any idealized protocol S, assumption
Computer Society Symposium on Security and a, goal r, m > 2 p l l
Privacy, pages 204-211, 1988.
If I - B A N W A ~ {a)s{r)then I-BANUA {a)S*m{rl.
[22] Paul Syverson. Formal semantics for logics of
cryptographic protocols. In Proceedings of the Proof : Assume P' is a proof of I - B A N ' U A ~
Computer Security Foundations Workshop III. { a } S { r ) , then we can construct a proof P of
IEEE Computer Society Press, 1990. I-BAN'UA {a)S*m{I')as follows: For each instance
[23] Paul Syverson. The use of logic in the analysis of Al' in P' we simply substitute m instances of A1
of cryptographic protocols. In Proceedings of the followed by m - 1 instances of A2. Thus, for the i'th
IEEE Computer Society Symposium on Security instance A'lj of All in P' we have a A l , A2 proof of
and Privacy, 1991. {ai}Si+m{ri} in P. By propagating through the
rest of P' we obtain the proof P of the form:
A Proof of Theorem 3 {a)~;m{. ..I;. .. s ; m . . .{r)
Theorem 3 For any finite protocol S I IS1 = n where But since *m distributes over sequences of steps
m E N, m > 2n we have: it follows that we have constructed a proof of
"
{a}s*m { r 1.
I - B A N U A ~ {Q}S{r) iff 0, s'" I-BAN' r U

Proof : First we show that if I-BAN~UA; {a)S{I')

then a, BAN' l". This follows immediately from
lemma 12 (see below) and theorem 1.

181