
APPLICATIONS OF BAN-LOGIC

JAN WESSELS
CMG FINANCE B.V.

APRIL 19, 2001


Chapter 1

Introduction

This document gives an overview of the BAN logic, one of the methods for the analysis
of cryptographic protocols. One of its goals is to show how the BAN logic is best
applied. Although the BAN logic is easy to apply and gives quick insight into the
working of a protocol, care has to be taken that the analysis is done thoroughly. In
particular, it should be avoided that assumptions are made in passing without being
written down.
The document first gives an overview of the BAN logic, after which the Station-
to-Station protocol is used as an example. The protocol is analysed in a number
of ways.

Chapter 2

BAN Overview

Burrows, Abadi and Needham [BAN89] developed a logic for analysing authentication
protocols. The logic is called BAN logic. In the logic all public- and shared-key
primitives are formalised, and also the notion of a ‘fresh message’. This makes
it possible to formalise a challenge-response protocol.
BAN logic can be used for answering the following questions:
• To what conclusions does this protocol come?
• What assumptions are needed for this protocol?
• Does the protocol use unnecessary actions, which can be left out?
• Does the protocol encrypt anything which could be sent in plain, without
weakening the security?
The BAN logic makes it possible to reason in a simple yet formal way about cryptographic
protocols. The basis of the logic is the belief of a party in the truth of a formula.
A formula need not be true in the general sense of truth.
It should be kept in mind that the BAN logic is meant for reasoning about crypto-
graphic protocols. A “verification” with BAN logic does not imply that no attacks on
the protocol are possible. A proof with the BAN logic is a good proof of correctness
relative to the assumptions. However, questions may arise over the semantics of the
logic, and the logic does not rule out all possible attacks.
BAN logic has its purpose, because it can be used in the design of a cryptographic
protocol. The use of a formal language in the design process can exclude faults.

Chapter 3

Notation

This chapter describes the syntax of the BAN logic. Not all symbols are given here,
only those used in the analysis. For the other syntactical rules see the article
of Burrows, Abadi and Needham [BAN89].
• P believes that X holds: $P \mid\equiv X$. It means that P believes that, in the current
run of the protocol, the formula X is true. This does not mean that X is a general
truth; it only records what P believes.
• P sees the formula X: $P \triangleleft X$. It can also be read as: P holds X.
• P has jurisdiction over X: $P \Rightarrow X$. The principal P has complete control over
the formula X. This is used when reasoning about Certificate Authorities.
• P has once said the formula X: $P \mid\sim X$. The past holds all earlier runs of the
protocol and the earlier messages of the current run.
• X is fresh: $\#(X)$. The formula X is recent: it has not been used before; X is
a nonce.
• P and Q share a secret key: $P \xleftrightarrow{K} Q$. The secret key K is only usable
in the communication between P and Q and is only known to P and Q. It is
implicit that K is a secret between both parties.
• P has the public key K: $\xmapsto{K} P$. The corresponding private key is denoted
by $K^{-1}$.
• Encryption of X with key K is denoted in the standard way: $\{X\}_K$. A message
signed with the private key of P is accordingly written $\{X\}_{K^{-1}}$.
In order to use the logic, introduction and elimination rules are needed.

Chapter 4

Overview of introduction and elimination rules

In this chapter a short overview is given of the introduction, usage and elimination
rules. The overview is not complete, but it is sufficient for the analysis in this
document; the rules given here are also the most used ones.
• The rule for $\xleftrightarrow{k}$-introduction (session keys) is:

$$\frac{A \mid\equiv \#(k),\quad A \mid\equiv B \mid\equiv X}{A \mid\equiv A \xleftrightarrow{k} B}$$

with X meaning the necessary ingredients for the key. The rule should be
applied carefully, as it may cause confusion.
Informally, the rule states that in order to believe in a new session key, A has
to believe that the key is new, and that B also believes in the parts of the key,
so that B is also able to compute the key.
Formally it is required that A believes that B also takes part in the protocol,
but this is hard to formalise. A predicate P(B) would be necessary, stating that B
takes part in the protocol. This is hard to prove, so we accept the assumption
that when B believes in the parts of the key, B is also able to create the key.
• When an entity creates a random value, it believes that this value has not
been used before. The $\#$-introduction rule is:

$$\frac{A \text{ creates random } x}{A \mid\equiv \#(x)}$$

• Sending a message is formalised in the logic with $\triangleleft$-introduction:

$$\frac{\text{Message } n:\ A \rightarrow B:\ X}{B \triangleleft X}$$

• For shared keys there is a $\mid\sim$-introduction rule:

$$\frac{P \mid\equiv Q \xleftrightarrow{K} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

When P sees a message encrypted with the key shared by P and Q, then P believes
that Q has sent the message: as the secret key is only known to P and Q, only P
or Q can have produced the message, and P knows what it has said itself.
• For public keys there is a corresponding $\mid\sim$-introduction rule:

$$\frac{P \mid\equiv \xmapsto{K} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P \mid\equiv Q \mid\sim X}$$

The rule is almost the same as the previous one. $K^{-1}$ is the private part of
the key pair of Q. When P sees a message signed with the private key of Q,
then it can only have been sent by Q.
• $\mid\sim$-elimination (nonce verification):

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

When P believes that X is a recent (fresh) message, and P believes that it
was said by Q, then P believes that Q still believes the message X.
It is mainly used with requests for keys from a Certificate Authority, where
not only the authority of the server is important but also the validity of the
key: the server (CA) has to believe in the validity of the key.
• Jurisdiction or control, $\Rightarrow$-elimination:

$$\frac{P \mid\equiv Q \Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

P believes that the principal Q has jurisdiction over the formula X. This
means that Q is trusted to make statements about X.
• Introduction of multipart messages, ‘,’-introduction:

$$\frac{P \mid\equiv X,\quad P \mid\equiv Y}{P \mid\equiv (X, Y)}$$

A composite message can be formed when a principal believes in both parts.
This can be generalised to more than two parts.
• Elimination of multipart messages, ‘,’-elimination:

$$\frac{P \mid\equiv Q \mid\sim (X, Y)}{P \mid\equiv Q \mid\sim X} \qquad \frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X} \qquad \frac{P \mid\equiv (X, Y)}{P \mid\equiv X} \qquad \frac{P \triangleleft (X, Y)}{P \triangleleft X}$$

• Usage of $\triangleleft$:

$$\frac{P \mid\equiv \xmapsto{K} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X} \qquad \frac{P \mid\equiv Q \xleftrightarrow{K} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X} \qquad \frac{P \mid\equiv \xmapsto{K} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P \triangleleft X}$$

These rules show how principals handle encrypted and signed messages: P can read
a message encrypted with its own public key, a message encrypted with a key it shares
with Q, and a message signed with the private key of Q.
• Freshness promotion of multipart messages, or $\#$-promotion:

$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#((X, Y))} \qquad \frac{P \mid\equiv \#(X)}{P \mid\equiv \#(\alpha^{X})}$$

When a value is found to be recent by an entity, the entity also believes
that a message in which the value is used is recent.
• A shared key is symmetric in the two entities:

$$\frac{P \mid\equiv R \xleftrightarrow{K} R'}{P \mid\equiv R' \xleftrightarrow{K} R} \qquad \frac{P \mid\equiv Q \mid\equiv R \xleftrightarrow{K} R'}{P \mid\equiv Q \mid\equiv R' \xleftrightarrow{K} R}$$

Chapter 5

Station-to-Station protocol

In this chapter the Station-to-Station protocol is presented and analysed with the
BAN logic.
First the protocol is presented, after which it is modelled in the message format used in
the BAN logic. The analysis starts with an overview of the goals of the protocol
together with the assumptions. The analysis of the protocol is then given.

5.1 Protocol overview


The Station-to-Station protocol [MvOV97, p. 532] is a variation on the Diffie-
Hellman protocol for key exchange. First, the following variant will be used:

Let $p$ be a prime, $\alpha$ a generator of $\mathbb{Z}_p^{*}$, the tuple $(p, \alpha)$ publicly known, and
$\mathrm{Sig}_A(M)$ the signature of station A on message M. The protocol is:
1. A sends A to B.
2. B chooses a random y, calculates $Y = \alpha^{y} \bmod p$, sends Y.
3. A chooses a random x, calculates $X = \alpha^{x} \bmod p$, calculates $S_A = \mathrm{Sig}_A(X, Y)$, sends A, X, $S_A$.
4. B calculates $S_B = \mathrm{Sig}_B(X)$, sends B, $S_B$.
A calculates $k' = Y^{x} \bmod p$.
B calculates $k = X^{y} \bmod p$.
It holds that $k = X^{y} = (\alpha^{x})^{y} \bmod p = (\alpha^{y})^{x} \bmod p = Y^{x} = k'$.

In the standard notation the protocol can be presented as:

Message 1 A → B: A
Message 2 B → A: Y
Message 3 A → B: A, X, $\mathrm{Sig}_A(X, Y)$
Message 4 B → A: B, $\mathrm{Sig}_B(X)$

In the analysis below the random values of A and B are written $N_A$ (= x) and $N_B$ (= y),
so that $X = \alpha^{N_A}$ and $Y = \alpha^{N_B}$.

5.2 Goals
The goal of the Station-to-Station protocol is to arrive at a shared secret key between
two entities with two-way explicit authentication. This means that a key k is agreed upon
between the entities A and B, and both “believe” in k. Next to this, both entities have to
believe that the other entity also believes in the key.
In the BAN logic the goals can be presented as:
1. $A \mid\equiv A \xleftrightarrow{k} B$
2. $B \mid\equiv A \xleftrightarrow{k} B$
3. $A \mid\equiv B \mid\equiv A \xleftrightarrow{k} B$
4. $B \mid\equiv A \mid\equiv A \xleftrightarrow{k} B$
These goals can be divided into two groups. First (goals 1 and 2), both parties
themselves believe that the key k is a good key for communication between A and
B. Secondly (goals 3 and 4), both entities also believe that the other entity believes
in the key.

5.2.1 Subgoals
Normally the goals are deduced from the assumptions. In this case, first a number
of subgoals is presented. With these subgoals the goals can be reached:
1. $A \mid\equiv N_A$
2. $A \mid\equiv B \mid\equiv \alpha^{N_A}$
3. $A \mid\equiv \alpha^{N_B}$
4. $A \mid\equiv B \mid\equiv N_B$
5. $B \mid\equiv N_B$
6. $B \mid\equiv A \mid\equiv \alpha^{N_B}$
7. $B \mid\equiv \alpha^{N_A}$
8. $B \mid\equiv A \mid\equiv N_A$
Subgoals 1 and 3 lead to goal 1 [1]. In the same way, subgoals 2 and 4 lead
to goal 3. For B, goal 2 can be deduced from subgoals 5 and 7, and goal 4 can be
based on subgoals 6 and 8 [2].

5.3 Assumptions
In the protocol a part of each message is signed with the private key of the sender.
In order to read such a message, it is necessary to verify it with the public key. It is
assumed that all entities (already) hold the key material. When one of the entities does
not have the public key of the other entity, it should be retrieved from the CA.
1. $A \mid\equiv \xmapsto{K_A} A$
2. $A \mid\equiv \xmapsto{K_B} B$
3. $B \mid\equiv \xmapsto{K_A} A$
4. $B \mid\equiv \xmapsto{K_B} B$
5. $B \mid\equiv A \Rightarrow \alpha^{N_A}$
6. $A \mid\equiv B \Rightarrow \alpha^{N_B}$
These are the necessary assumptions.

Footnotes to section 5.2.1:
[1] It holds that $A \mid\equiv (\alpha^{N_B})^{N_A}$ is the same as $A \mid\equiv k$.
[2] The presentation here is somewhat simplified. There are no rules for dealing with fresh
compositions that lead to a session key. A key k should only be known to A and B and not to
outsiders. In the end (see chapter 8) it is shown that outsiders only obtain $\alpha^{N_A}$ and $\alpha^{N_B}$.

5.4 Verification
Lines 1 to 6 are the assumptions. When the assumptions are correct, then the
conclusions are also correct.
1. $A \mid\equiv \xmapsto{K_A} A$    assumption
2. $B \mid\equiv \xmapsto{K_B} B$    assumption
3. $A \mid\equiv \xmapsto{K_B} B$    assumption
4. $B \mid\equiv \xmapsto{K_A} A$    assumption
5. $B \mid\equiv A \Rightarrow \alpha^{N_A}$    assumption
6. $A \mid\equiv B \Rightarrow \alpha^{N_B}$    assumption

Message 1: A → B: A

B chooses random $N_B$

(7. $B \mid\equiv N_B$    subgoal 5; implicit)
8. $B \mid\equiv \#(N_B)$    random introduction

Message 2: B → A: $\alpha^{N_B}$

9. $A \triangleleft \alpha^{N_B}$    $\triangleleft$-introduction

A chooses random $N_A$

(10. $A \mid\equiv N_A$    subgoal 1; implicit)
11. $A \mid\equiv \#(N_A)$    random introduction

Message 3: A → B: A, $\alpha^{N_A}$, $\{\alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$

12. $B \triangleleft A, \alpha^{N_A}, \{\alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$    $\triangleleft$-introduction
13. $B \mid\equiv A \mid\sim (\alpha^{N_A}, \alpha^{N_B})$    12, 4, $\mid\sim$-introduction
14. $B \mid\equiv \#((\alpha^{N_A}, \alpha^{N_B}))$    8, $\#$-promotion
15. $B \mid\equiv A \mid\equiv (\alpha^{N_A}, \alpha^{N_B})$    14, 13, $\mid\sim$-elimination
16. $B \mid\equiv A \mid\equiv \alpha^{N_A}$    15, ‘,’-elimination
17. $B \mid\equiv A \mid\equiv N_A$    16 (subgoal 8; see remark)
18. $B \mid\equiv \alpha^{N_A}$    5, 16, jurisdiction (subgoal 7)
19. $B \mid\equiv A \mid\equiv \alpha^{N_B}$    15, ‘,’-elimination (subgoal 6)

Message 4: B → A: B, $\{\alpha^{N_A}\}_{K_B^{-1}}$

20. $A \triangleleft B, \{\alpha^{N_A}\}_{K_B^{-1}}$    $\triangleleft$-introduction
21. $A \mid\equiv B \mid\sim \alpha^{N_A}$    20, 3, $\mid\sim$-introduction
22. $A \mid\equiv \#(\alpha^{N_A})$    11, $\#$-promotion
23. $A \mid\equiv B \mid\equiv \alpha^{N_A}$    22, 21, $\mid\sim$-elimination (subgoal 2)

A calculates session key $k = (\alpha^{N_B})^{N_A}$

24. $A \mid\equiv \#(k)$    9, 11, $\#$-promotion, arithmetic
(25. $A \mid\equiv B \mid\equiv N_B$    9 (subgoal 4))
26. $A \mid\equiv A \xleftrightarrow{k} B$    24, 25, $\xleftrightarrow{k}$-introduction
27. $A \mid\equiv B \mid\equiv A \xleftrightarrow{k} B$    subgoals 2 and 4

B calculates session key $k' = (\alpha^{N_A})^{N_B}$

28. $B \mid\equiv \#(k')$    12, 8, $\#$-promotion, arithmetic
29. $B \mid\equiv A \xleftrightarrow{k'} B$    28, 16, $\xleftrightarrow{k}$-introduction (subgoals 5 and 7)
30. $B \mid\equiv A \mid\equiv A \xleftrightarrow{k'} B$    subgoals 6 and 8

Remark: it is questionable whether line 17 can be deduced from line 16. As B does not
know the value of $N_A$, B can only state that:

$$B \mid\equiv \exists x : (A \mid\equiv x \;\wedge\; \alpha^{x} \bmod p = \alpha^{N_A} \bmod p)$$

To see what has been derived where, first an overview of the subgoals is given:
1  $A \mid\equiv N_A$    line 10
2  $A \mid\equiv B \mid\equiv \alpha^{N_A}$    line 23
3  $A \mid\equiv \alpha^{N_B}$    not derived
4  $A \mid\equiv B \mid\equiv N_B$    (line 25)
5  $B \mid\equiv N_B$    line 7
6  $B \mid\equiv A \mid\equiv \alpha^{N_B}$    line 19
7  $B \mid\equiv \alpha^{N_A}$    line 18
8  $B \mid\equiv A \mid\equiv N_A$    line 17
When the derivation is checked, it can be seen that six of the eight subgoals
can be derived, two of them (4 and 8) only with the reservations noted above. Goal 1
cannot be derived, because the protocol is asymmetric: the value $\alpha^{N_B}$ is sent only
once, and then in plain, so A never obtains the belief that B said it. On our meta-level,
we know that $\alpha^{N_B}$ can be sent in plain without difficulty.
There is, however, another problem with the protocol which is not shown by the analysis:
who is the real sender? It is not certain that the messages from A and B really
come from A and B. In the next chapter an adapted version is analysed.
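As an added example (not the paper's code), the following Python encodes the rules of chapter 4 that the derivation above uses and runs them, by forward chaining, on the assumptions and messages of this section. It leaves out the session-key rule and the "arithmetic" freshness steps (lines 24 and 28), and it does not take the two steps the text marks as questionable (lines 17 and 25), so it reports which of the eight subgoals of section 5.2.1 follow mechanically: 1, 2, 5, 6 and 7, with 3, 4 and 8 unreachable. It goes beyond the text in one respect: with `echo_nb_in_msg4=True` message 4 also carries $\alpha^{N_B}$, the completion suggested at the end of chapter 7, and subgoal 3 then becomes derivable. The tuple encoding and the names `bel`, `sees`, `said` and so on are this example's own choices.

```python
"""Forward-chaining checker for the BAN rules of chapter 4, run on the
Station-to-Station messages of section 5.4 (added example, not the paper's code)."""

# Encoding (hashable tuples); the symbol names are this example's own choice:
#   ('bel', P, F)   P |≡ F      ('sees', P, M)  P ◁ M       ('said', Q, F)  Q |∼ F
#   ('fresh', X)    #(X)        ('ctrl', Q, F)  Q ⇒ F       ('pk', K, Q)    K ↦ Q
#   ('sig', M, K)   {M}_{K^-1}  ('exp', X)      α^X         ('cat', X, ...) (X, ...)
def bel(p, f): return ('bel', p, f)
def sees(p, m): return ('sees', p, m)
def said(q, f): return ('said', q, f)
def fresh(x): return ('fresh', x)
def ctrl(q, f): return ('ctrl', q, f)
def pk(k, q): return ('pk', k, q)
def sig(m, k): return ('sig', m, k)
def exp(x): return ('exp', x)
def cat(*xs): return ('cat',) + xs

def parts(x):
    """','-elimination: the components of a compound, or the formula itself."""
    return x[1:] if x[0] == 'cat' else (x,)

def believes_fresh(facts, p, x):
    """#-promotion: (X, Y) and α^X are fresh to P whenever X is."""
    if bel(p, fresh(x)) in facts:
        return True
    if x[0] == 'cat':
        return any(believes_fresh(facts, p, y) for y in parts(x))
    return x[0] == 'exp' and believes_fresh(facts, p, x[1])

def signer_of(facts, p, k):
    """Q such that P |≡ K ↦ Q, if P holds such a belief."""
    for f in facts:
        if f[0] == 'bel' and f[1] == p and f[2][0] == 'pk' and f[2][1] == k:
            return f[2][2]
    return None

def step(facts):
    """One application of every rule to every fact; returns only the new facts."""
    new = set()
    for f in facts:
        if f[0] == 'sees':
            p, m = f[1], f[2]
            new.update(sees(p, y) for y in parts(m))
            q = signer_of(facts, p, m[2]) if m[0] == 'sig' else None
            if q is not None:
                new.add(bel(p, said(q, m[1])))        # |∼-introduction (public key)
                new.add(sees(p, m[1]))                # usage of ◁ on a signed message
        elif f[0] == 'bel' and f[2][0] == 'said':
            p, (_, q, x) = f[1], f[2]
            new.update(bel(p, said(q, y)) for y in parts(x))
            if believes_fresh(facts, p, x):
                new.add(bel(p, bel(q, x)))            # |∼-elimination (nonce verification)
        elif f[0] == 'bel' and f[2][0] == 'bel':
            p, (_, q, x) = f[1], f[2]
            new.update(bel(p, bel(q, y)) for y in parts(x))
            if bel(p, ctrl(q, x)) in facts:
                new.add(bel(p, x))                    # jurisdiction
    return new - facts

def derive(facts):
    """Closure of the facts under the rules above."""
    facts = set(facts)
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new

A, B, KA, KB, NA, NB = 'A', 'B', 'K_A', 'K_B', 'N_A', 'N_B'

def sts_facts(echo_nb_in_msg4=False):
    """Assumptions 1-6, the 'random introduction' beliefs and the messages of section 5.4.
    With echo_nb_in_msg4, message 4 is B, {α^NA, α^NB}_{K_B^-1} instead (chapter 7's suggestion)."""
    msg4_body = cat(exp(NA), exp(NB)) if echo_nb_in_msg4 else exp(NA)
    return {
        bel(A, pk(KA, A)), bel(A, pk(KB, B)), bel(B, pk(KA, A)), bel(B, pk(KB, B)),
        bel(B, ctrl(A, exp(NA))), bel(A, ctrl(B, exp(NB))),
        bel(B, NB), bel(B, fresh(NB)), bel(A, NA), bel(A, fresh(NA)),   # lines 7, 8, 10, 11
        sees(A, exp(NB)),                                                # message 2
        sees(B, cat(A, exp(NA), sig(cat(exp(NA), exp(NB)), KA))),        # message 3
        sees(A, cat(B, sig(msg4_body, KB))),                             # message 4
    }

SUBGOALS = {1: bel(A, NA), 2: bel(A, bel(B, exp(NA))), 3: bel(A, exp(NB)),
            4: bel(A, bel(B, NB)), 5: bel(B, NB), 6: bel(B, bel(A, exp(NB))),
            7: bel(B, exp(NA)), 8: bel(B, bel(A, NA))}

def reached_subgoals(echo_nb_in_msg4=False):
    """Numbers of the subgoals of section 5.2.1 that the rules derive."""
    facts = derive(sts_facts(echo_nb_in_msg4))
    return sorted(n for n, g in SUBGOALS.items() if g in facts)
```

`reached_subgoals()` returns `[1, 2, 5, 6, 7]`: the chain stops exactly where the text says it stops, because A sees $\alpha^{N_B}$ without ever believing that B said it, and B's belief in $N_A$ itself (subgoal 8) is not a consequence of the rules. With `echo_nb_in_msg4=True` the result is `[1, 2, 3, 5, 6, 7]`; subgoals 4 and 8 stay out of reach in both cases.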

Chapter 6

Adapted version

In the previous chapter it has become clear that, because of omissions, the protocol
may be flawed: the development of beliefs in the analysis stops, and with it the analysis.
In this chapter an adapted version of the Station-to-Station protocol is
analysed. In messages three and four certificates are used, and these certificates
are explicitly bound to the sender and to this run of the protocol by the use of the
parameters $\alpha^{N_A}$ and $\alpha^{N_B}$.
The chapter first describes the adapted protocol, after which the goals are given
and the assumptions analysed. The chapter ends with the analysis of the protocol.

6.1 Description of the protocol


The Station-to-Station protocol [MvOV97, p. 532] is a variation on the Diffie-
Hellman protocol for key exchange. The adapted version is:
Let $p$ be a prime, $\alpha$ a generator of $\mathbb{Z}_p^{*}$, the tuple $(p, \alpha)$ publicly known, Cert(A)
the certificate of station A, and $\mathrm{Sig}_A(X)$ the signature of station A on message X.
The protocol runs as:
1. A sends A to B (as an invitation for key exchange).
2. B chooses a random y, calculates $Y = \alpha^{y} \bmod p$, sends Y.
3. A chooses a random x, calculates $X = \alpha^{x} \bmod p$ and $S_A = \mathrm{Sig}_A(\mathrm{Cert}(A), X, Y)$, sends Cert(A), X, $S_A$.
4. B calculates $S_B = \mathrm{Sig}_B(\mathrm{Cert}(B), X)$, sends Cert(B), $S_B$.
A calculates $k' = Y^{x} \bmod p$.
B calculates $k = X^{y} \bmod p$.
It holds that $k = X^{y} = (\alpha^{x})^{y} \bmod p = (\alpha^{y})^{x} \bmod p = Y^{x} = k'$.

In the standard notation the protocol is denoted as:

Message 1 A → B: A
Message 2 B → A: Y
Message 3 A → B: Cert(A), X, $\mathrm{Sig}_A(\mathrm{Cert}(A), X, Y)$
Message 4 B → A: Cert(B), $\mathrm{Sig}_B(\mathrm{Cert}(B), X)$
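The exchange of this section and of section 5.1 as a runnable run, added here as an example (it is not code from the paper or from [MvOV97]). It assumes a toy group, the Mersenne prime $p = 2^{61} - 1$ with a generator found at start-up, Schnorr signatures in that group standing in for $\mathrm{Sig}_A$ and $\mathrm{Sig}_B$, and a CA that signs (name, public key) pairs as Cert(U); all of these are this example's own choices, and the group is far too small for real use. Both stations' checks are spelled out: B verifies Cert(A) against the name sent in message 1 and the signature over (Cert(A), X, Y), A verifies Cert(B) and B's signature over A's own fresh X. An outsider (`outsider_swaps_x`, a hypothetical helper) who replaces X in message 3 is rejected by B, because it cannot re-sign as A.

```python
"""Station-to-Station with certificates (the chapter 6 variant), stdlib only."""
import hashlib
import secrets

# Toy group Z_p^* for the Mersenne prime p = 2^61 - 1 (assumption: demo size only);
# p - 1 = 2 * 3^2 * 5^2 * 7 * 11 * 13 * 31 * 41 * 61 * 151 * 331 * 1321.
P = (1 << 61) - 1
_PRIME_FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)

def find_generator():
    """Smallest g of order p - 1: g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    for g in range(2, P):
        if all(pow(g, (P - 1) // q, P) != 1 for q in _PRIME_FACTORS):
            return g
    raise RuntimeError("no generator")

ALPHA = find_generator()

def rand_exponent():
    return secrets.randbelow(P - 2) + 1   # uniform in [1, p-2]

def digest(*parts):
    """Hash ints/strings/tuples into an exponent in [0, p-2]."""
    raw = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(raw, "big") % (P - 1)

def keygen():
    priv = rand_exponent()
    return priv, pow(ALPHA, priv, P)

def sign(priv, *msg):
    """Schnorr signature (e, s) in Z_p^*, standing in for Sig_U(msg)."""
    k = rand_exponent()
    e = digest(pow(ALPHA, k, P), *msg)
    return e, (k - priv * e) % (P - 1)

def verify(pub, sig, *msg):
    e, s = sig
    r = pow(ALPHA, s, P) * pow(pub, e, P) % P   # recovers alpha^k iff sig is valid
    return digest(r, *msg) == e

class CA:
    def __init__(self):
        self.priv, self.pub = keygen()

    def issue(self, name, pub):
        return name, pub, sign(self.priv, name, pub)   # Cert(U) = (U, K_U, Sig_CA(U, K_U))

def check_cert(ca_pub, cert, expected_name):
    name, pub, sig = cert
    return name == expected_name and verify(ca_pub, sig, name, pub)

class Station:
    def __init__(self, name, ca):
        self.name = name
        self.priv, pub = keygen()
        self.cert = ca.issue(name, pub)

def sts(a, b, ca_pub, tamper=None):
    """Run the four messages between stations a and b; return (k_A, k_B).
    tamper, if given, rewrites message 3 in transit (an outsider's attempt)."""
    claimed = a.name                                      # Message 1: A -> B: A
    y, x = rand_exponent(), rand_exponent()
    Y = pow(ALPHA, y, P)                                  # Message 2: B -> A: Y
    X = pow(ALPHA, x, P)
    msg3 = (a.cert, X, sign(a.priv, a.cert, X, Y))        # Message 3: Cert(A), X, Sig_A(Cert(A), X, Y)
    if tamper is not None:
        msg3 = tamper(msg3)
    cert_a, X_seen, sig_a = msg3
    if not check_cert(ca_pub, cert_a, claimed):           # B: certificate names the claimed peer
        raise ValueError("B: certificate of A does not verify")
    if not verify(cert_a[1], sig_a, cert_a, X_seen, Y):   # B: signature binds X to this run via Y
        raise ValueError("B: signature on (Cert(A), X, Y) does not verify")
    k_b = pow(X_seen, y, P)
    cert_b, sig_b = b.cert, sign(b.priv, b.cert, X_seen)  # Message 4: Cert(B), Sig_B(Cert(B), X)
    if not check_cert(ca_pub, cert_b, b.name):            # A: B is the intended peer
        raise ValueError("A: certificate of B does not verify")
    if not verify(cert_b[1], sig_b, cert_b, X):           # A: B signed A's fresh value X
        raise ValueError("A: signature on (Cert(B), X) does not verify")
    return pow(Y, x, P), k_b

def outsider_swaps_x(msg3):
    """An outsider replaces X by its own alpha^x' but cannot re-sign as A."""
    cert_a, _X, sig_a = msg3
    return cert_a, pow(ALPHA, rand_exponent(), P), sig_a

def demo():
    """Honest run: both sides hold the same k.  Tampered run: B rejects message 3."""
    ca = CA()
    alice, bob = Station("A", ca), Station("B", ca)
    k_a, k_b = sts(alice, bob, ca.pub)
    try:
        sts(alice, bob, ca.pub, tamper=outsider_swaps_x)
        rejected = False
    except ValueError:
        rejected = True
    return k_a == k_b, rejected
```

`demo()` returns `(True, True)`. The design point the code makes explicit is the one the analysis in section 6.4 cannot see: B's signature covers A's X, so A's check in message 4 is what gives A its belief that B saw this run's X, while nothing in the protocol makes B's Y fresh to A beyond A's own check that it could compute k' from it.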

6.2 Goals
It is the goal of the Station-to-Station protocol to arrive at the exchange of a shared
secret key between two parties with mutual explicit authentication. In short, this means
that a key k is agreed upon in which both entities A and B “believe”.
The goals are:
1. $A \mid\equiv A \xleftrightarrow{k} B$
2. $B \mid\equiv A \xleftrightarrow{k} B$
3. $A \mid\equiv B \mid\equiv A \xleftrightarrow{k} B$
4. $B \mid\equiv A \mid\equiv A \xleftrightarrow{k} B$
The goals are the same as in the previous chapter. The subgoals we want to
derive are also the same; see section 5.2.1 for an overview.

6.3 Assumptions
In the protocol a certificate is sent a number of times. In order to verify the
certificates of A and B, the other entity needs to have the public key of the CA; in this
analysis the CA key is left implicit, and the assumptions only record the beliefs in the
public keys of A and B. Next to this, the messages signed with a private key must also
be verified with the corresponding public key.
In a practical situation these assumptions are reasonable. If one of the parties does
not possess the certificates, a mechanism should be available for retrieval of
the certificate.
1. $A \mid\equiv \xmapsto{K_A} A$
2. $A \mid\equiv \xmapsto{K_B} B$
3. $B \mid\equiv \xmapsto{K_A} A$
4. $B \mid\equiv \xmapsto{K_B} B$
5. $B \mid\equiv A \Rightarrow \alpha^{N_A}$
6. $A \mid\equiv B \Rightarrow \alpha^{N_B}$

6.4 Verification
−1
The key $K_{CA}^{-1}$ is the private key of the Certification Authority, who in this analysis
(implicitly) guarantees the correctness of the certificates. The certificate of A is
written $\{(A, K_A)\}_{K_{CA}^{-1}}$.

1. $A \mid\equiv \xmapsto{K_A} A$    assumption
2. $B \mid\equiv \xmapsto{K_B} B$    assumption
3. $A \mid\equiv \xmapsto{K_B} B$    assumption
4. $B \mid\equiv \xmapsto{K_A} A$    assumption
5. $B \mid\equiv A \Rightarrow \alpha^{N_A}$    assumption
6. $A \mid\equiv B \Rightarrow \alpha^{N_B}$    assumption

Message 1: A → B: A
B chooses random $N_B$

(7. $B \mid\equiv N_B$    subgoal 5, implicit)
8. $B \mid\equiv \#(N_B)$    random introduction

Message 2: B → A: $\alpha^{N_B}$

9. $A \triangleleft \alpha^{N_B}$    $\triangleleft$-introduction

A chooses random $N_A$

(10. $A \mid\equiv N_A$    subgoal 1, implicit)
11. $A \mid\equiv \#(N_A)$    random introduction

Message 3: A → B: $\{\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$

12. $B \triangleleft \{\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$    $\triangleleft$-introduction
13. $B \mid\equiv A \mid\sim (\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B})$    12, 4, $\mid\sim$-introduction
14. $B \mid\equiv \#((\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}))$    8, $\#$-promotion
15. $B \mid\equiv A \mid\equiv (\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B})$    14, 13, $\mid\sim$-elimination
16. $B \mid\equiv A \mid\equiv \alpha^{N_A}$    15, ‘,’-elimination
17. $B \mid\equiv A \mid\equiv N_A$    16 (see the remark in section 5.4; subgoal 8)
18. $B \mid\equiv \alpha^{N_A}$    5, 16, jurisdiction (subgoal 7)
19. $B \mid\equiv A \mid\equiv \alpha^{N_B}$    15, ‘,’-elimination (subgoal 6)

Message 4: B → A: $\{\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$

20. $A \triangleleft \{\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$    $\triangleleft$-introduction
21. $A \mid\equiv B \mid\sim (\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A})$    20, 3, $\mid\sim$-introduction
22. $A \mid\equiv \#((\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}))$    11, $\#$-promotion
23. $A \mid\equiv B \mid\equiv (\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A})$    22, 21, $\mid\sim$-elimination
24. $A \mid\equiv B \mid\equiv \alpha^{N_A}$    23, ‘,’-elimination (subgoal 2)

A calculates session key $k = (\alpha^{N_B})^{N_A}$

25. $A \mid\equiv \#(k)$    9, 11, $\#$-promotion
(26. $A \mid\equiv B \mid\equiv N_B$    9 (subgoal 4))
27. $A \mid\equiv A \xleftrightarrow{k} B$    25, 26, $\xleftrightarrow{k}$-introduction
28. $A \mid\equiv B \mid\equiv A \xleftrightarrow{k} B$    subgoals 2 and 4

B calculates session key $k' = (\alpha^{N_A})^{N_B}$

29. $B \mid\equiv \#(k')$    12, 8, $\#$-promotion
30. $B \mid\equiv A \xleftrightarrow{k'} B$    29, 15, $\xleftrightarrow{k}$-introduction (subgoals 5 and 7)
31. $B \mid\equiv A \mid\equiv A \xleftrightarrow{k'} B$    subgoals 6 and 8

Just as in the previous analysis, the subgoals are presented here:
1  $A \mid\equiv N_A$    line 10
2  $A \mid\equiv B \mid\equiv \alpha^{N_A}$    line 24
3  $A \mid\equiv \alpha^{N_B}$    not derived
4  $A \mid\equiv B \mid\equiv N_B$    (line 26)
5  $B \mid\equiv N_B$    line 7
6  $B \mid\equiv A \mid\equiv \alpha^{N_B}$    line 19
7  $B \mid\equiv \alpha^{N_A}$    line 18
8  $B \mid\equiv A \mid\equiv N_A$    line 17
The broad outline of the analysis is the same as in section 5.4. Again,
subgoal 3 could not be proved. Goals 2, 3 and 4 can be proved, but for goal 1 the
difficulties remain. For the BAN analysis the protocol could be “repaired” in the
second message by sending $\{\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_B}\}_{K_B^{-1}}$ instead of $\alpha^{N_B}$. This
is, however, an unnecessary addition to the protocol.
Another problem also appears: we have added certificates to the messages,
but this has no real effect on the analysis, because the certificate travels inside a
signature that B or A already verifies with the peer's public key (assumptions 3 and 4).
Outside the analysis, on the “meta-level”, we know that this works. In order to use
certificates in the BAN logic, the logic has to be extended.

Chapter 7

Extension of the BAN logic

In chapter 6 the Station-to-Station protocol is repaired by the use of certificates.
Alas, this is not shown by the analysis. In its standard form, the BAN logic is not
able to handle certificates. However, the logic can be extended. This is done in this
chapter, based on the article of Gaarder and Snekkenes [GS91], who analysed
the X.509 standard with these extensions.
The structure of this chapter is somewhat different from that of the previous two. The
protocol and the goals are not repeated here. The chapter starts with the extensions
of the logic, after which the assumptions are given. The chapter ends (again)
with the analysis.

7.1 Extension of the BAN logic

Gaarder and Snekkenes define in their article [GS91] two extensions. Firstly, the
BAN logic is extended with axioms and rules for Public Key Cryptographic Systems
(PKCS). With these extensions, derivations can be made directly. Secondly, the
notion of “time” is extended in the logic. Certificates only have a limited life span,
which has to be expressed in the analysis.
In the current analysis only the extensions for public key cryptosystems are used,
so only these extensions are given here.
PK(K, U)   The entity U has the good public key K associated with it. A unique
           private key exists which corresponds with K.
Π(U)       The entity U has a good private key. The value of this key is only
           known to U.
σ(X, U)    The formula X is signed with the private key that belongs to U.
Two extra inference rules are defined:

$$\frac{U_i \mid\equiv \mathrm{PK}(K_j, U_j),\quad U_i \mid\equiv \Pi(U_j),\quad U_i \triangleleft \sigma(X, U_j)}{U_i \mid\equiv U_j \mid\sim X} \qquad \text{(once-said for PKCS)}$$

$$\frac{U_i \triangleleft \sigma(X, U_j)}{U_i \triangleleft X} \qquad \text{(reading of signed messages)}$$

7.2 Assumptions
In the protocol a certificate is sent a number of times. In order to verify the
certificates of A and B, the other entity needs to have the public key. Next to this,
the messages signed with a private key must also be verified.
In a practical situation these assumptions are reasonable. If one of the parties does
not possess the certificates, a mechanism should be available for retrieval of
the certificate.
1. $A \mid\equiv \mathrm{PK}(K_B, B)$
2. $B \mid\equiv \mathrm{PK}(K_A, A)$
3. $B \mid\equiv \Pi(A)$
4. $A \mid\equiv \Pi(B)$
5. $B \mid\equiv A \Rightarrow \alpha^{N_A}$
6. $A \mid\equiv B \Rightarrow \alpha^{N_B}$

7.3 Verification
1. $B \mid\equiv \mathrm{PK}(K_A, A)$    assumption
2. $A \mid\equiv \mathrm{PK}(K_B, B)$    assumption
3. $B \mid\equiv \Pi(A)$    assumption
4. $A \mid\equiv \Pi(B)$    assumption
5. $B \mid\equiv A \Rightarrow \alpha^{N_A}$    assumption
6. $A \mid\equiv B \Rightarrow \alpha^{N_B}$    assumption

Message 1: A → B: A
B chooses random $N_B$

(7. $B \mid\equiv N_B$    subgoal 5, implicit)
8. $B \mid\equiv \#(N_B)$    random introduction

Message 2: B → A: $\{\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_B}\}_{K_B^{-1}}$

9. $A \triangleleft \sigma((\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_B}), B)$    $\triangleleft$-introduction
10. $A \mid\equiv B \mid\sim \alpha^{N_B}$    9, 2, 4, $\mid\sim$-introduction for PKCS, ‘,’-elimination

A chooses random $N_A$

(11. $A \mid\equiv N_A$    subgoal 1, implicit)
12. $A \mid\equiv \#(N_A)$    random introduction

Message 3: A → B: $\{\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$

13. $B \triangleleft \sigma((\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}), A)$    $\triangleleft$-introduction
14. $B \mid\equiv A \mid\sim (\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B})$    13, 1, 3, $\mid\sim$-introduction for PKCS
15. $B \mid\equiv \#((\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}))$    8, $\#$-promotion
16. $B \mid\equiv A \mid\equiv (\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B})$    15, 14, $\mid\sim$-elimination
17. $B \mid\equiv A \mid\equiv \alpha^{N_A}$    16, ‘,’-elimination
18. $B \mid\equiv A \mid\equiv N_A$    17 (see the remark in section 5.4; subgoal 8)
19. $B \mid\equiv \alpha^{N_A}$    5, 17, jurisdiction (subgoal 7)
20. $B \mid\equiv A \mid\equiv \alpha^{N_B}$    16, ‘,’-elimination (subgoal 6)

Message 4: B → A: $\{\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$

21. $A \triangleleft \sigma((\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}), B)$    $\triangleleft$-introduction
22. $A \mid\equiv B \mid\sim (\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A})$    21, 2, 4, $\mid\sim$-introduction for PKCS
23. $A \mid\equiv \#((\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}))$    12, $\#$-promotion
24. $A \mid\equiv B \mid\equiv (\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A})$    23, 22, $\mid\sim$-elimination
25. $A \mid\equiv B \mid\equiv \alpha^{N_A}$    24, ‘,’-elimination (subgoal 2)

A calculates session key $k = (\alpha^{N_B})^{N_A}$

26. $A \mid\equiv \#(k)$    9, 12, $\#$-promotion
27. $A \mid\equiv B \mid\equiv N_B$    9, 10 (subgoal 4; see the remark in section 5.4)
28. $A \mid\equiv A \xleftrightarrow{k} B$    26, 27, $\xleftrightarrow{k}$-introduction
29. $A \mid\equiv B \mid\equiv A \xleftrightarrow{k} B$    subgoals 2 and 4

B calculates session key $k' = (\alpha^{N_A})^{N_B}$

30. $B \mid\equiv \#(k')$    13, 8, $\#$-promotion
31. $B \mid\equiv A \mid\equiv N_A$    18 (subgoal 8)
32. $B \mid\equiv A \xleftrightarrow{k'} B$    30, 17, $\xleftrightarrow{k}$-introduction (subgoals 5 and 7)
33. $B \mid\equiv A \mid\equiv A \xleftrightarrow{k'} B$    subgoals 6 and 8

First we show the subgoals and the results of the analysis for these subgoals:
1  $A \mid\equiv N_A$    line 11
2  $A \mid\equiv B \mid\equiv \alpha^{N_A}$    line 25
3  $A \mid\equiv \alpha^{N_B}$    not derived
4  $A \mid\equiv B \mid\equiv N_B$    line 27
5  $B \mid\equiv N_B$    line 7
6  $B \mid\equiv A \mid\equiv \alpha^{N_B}$    line 20
7  $B \mid\equiv \alpha^{N_A}$    line 19
8  $B \mid\equiv A \mid\equiv N_A$    line 18
The analysis has more results than those of sections 5.4 and 6.4, but it is still impossible
to derive all goals. Again subgoal 3 cannot be proved, this time because the freshness of
$\alpha^{N_B}$ is not certain: A now believes that B once said $\alpha^{N_B}$ (line 10), but without a
freshness belief $\mid\sim$-elimination cannot be applied, so jurisdiction (assumption 6) is
never used. This also shows in the assumptions: not all of them are used in the analysis.
The analysis could be completed by sending $\alpha^{N_B}$ again in message 4. With the freshness
of $\alpha^{N_A}$ the freshness of $(\alpha^{N_A}, \alpha^{N_B})$ could then be derived (analogous to the
analysis of message 3).
This analysis is not meant to arrive at a complete proof of the Station-to-Station
protocol, but to show what is and what is not possible with the BAN logic. Next
to the analysis of the beliefs of the participants in the protocol, it can be “abused”
for the analysis of outsiders of the protocol. This is shown in the next chapter.

Chapter 8

Analysis by Outsiders

In the previous chapters the knowledge and beliefs of the participants in the protocol
were analysed. Next to the participants, it is interesting to see what outsiders
are able to learn from a run of the protocol. The BAN logic will be used for this,
although it was not meant for this purpose.

8.1 Assumptions
For this analysis we do not start with goals; we only want to see what can be
learned from the analysis. The following assumptions are used (with I standing for
the intruder):
1. $I \mid\equiv \mathrm{PK}(K_A, A)$
2. $I \mid\equiv \mathrm{PK}(K_B, B)$
3. $I \mid\equiv \Pi(A)$
4. $I \mid\equiv \Pi(B)$
5. $I \mid\equiv A \Rightarrow \alpha^{N_A}$
6. $I \mid\equiv B \Rightarrow \alpha^{N_B}$
These are the same assumptions as in the previous chapter, now held by I. It may be
assumed that the entity I has access to the certificates of A and B.

8.2 Analysis
1. $I \mid\equiv \mathrm{PK}(K_A, A)$    assumption
2. $I \mid\equiv \mathrm{PK}(K_B, B)$    assumption
3. $I \mid\equiv \Pi(A)$    assumption
4. $I \mid\equiv \Pi(B)$    assumption
5. $I \mid\equiv A \Rightarrow \alpha^{N_A}$    assumption
6. $I \mid\equiv B \Rightarrow \alpha^{N_B}$    assumption

Message 1: A → B: A
B chooses random $N_B$

(7. $B \mid\equiv N_B$    implicit)
8. $B \mid\equiv \#(N_B)$    random introduction

Message 2: B → A: $\{\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_B}\}_{K_B^{-1}}$

9. $I \triangleleft \sigma((\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_B}), B)$    $\triangleleft$-introduction
10. $I \mid\equiv B \mid\sim \alpha^{N_B}$    9, 2, 4, $\mid\sim$-introduction for PKCS, ‘,’-elimination

A chooses random $N_A$

(11. $A \mid\equiv N_A$    implicit)
12. $A \mid\equiv \#(N_A)$    random introduction

Message 3: A → B: $\{\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}\}_{K_A^{-1}}$

13. $I \triangleleft \sigma((\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}), A)$    $\triangleleft$-introduction
14. $I \mid\equiv A \mid\sim (\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B})$    13, 1, 3, $\mid\sim$-introduction for PKCS
15. $I \mid\equiv \#((\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B}))$    8, $\#$-promotion (see the remark below)
16. $I \mid\equiv A \mid\equiv (\{(A, K_A)\}_{K_{CA}^{-1}}, \alpha^{N_A}, \alpha^{N_B})$    15, 14, $\mid\sim$-elimination
17. $I \mid\equiv A \mid\equiv \alpha^{N_A}$    16, ‘,’-elimination
18. $I \mid\equiv A \mid\equiv N_A$    17 (see the remark in section 5.4)
19. $I \mid\equiv \alpha^{N_A}$    5, 17, jurisdiction
20. $I \mid\equiv A \mid\equiv \alpha^{N_B}$    16, ‘,’-elimination

Message 4: B → A: $\{\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}\}_{K_B^{-1}}$

21. $I \triangleleft \sigma((\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}), B)$    $\triangleleft$-introduction
22. $I \mid\equiv B \mid\sim (\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A})$    21, 2, 4, $\mid\sim$-introduction for PKCS
23. $I \mid\equiv \#((\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A}))$    12, $\#$-promotion (see the remark below)
24. $I \mid\equiv B \mid\equiv (\{(B, K_B)\}_{K_{CA}^{-1}}, \alpha^{N_A})$    23, 22, $\mid\sim$-elimination
25. $I \mid\equiv B \mid\equiv \alpha^{N_A}$    24, ‘,’-elimination

Conclusion: I only obtains knowledge of $\alpha^{N_A}$ and $\alpha^{N_B}$. With these it should be
impossible for I to calculate $N_A$ and $N_B$: that is the discrete logarithm assumption on
which Diffie-Hellman rests, and computing $k = \alpha^{N_A N_B}$ from $\alpha^{N_A}$ and $\alpha^{N_B}$
alone is the Diffie-Hellman problem.

Remark: lines 15 and 23 borrow the freshness beliefs of B (line 8) and A (line 12). An
outsider who did not generate $N_A$ or $N_B$ holds neither, so strictly lines 16 to 20 and
24 to 25 do not follow for I, and I is left with exactly what it sees in the messages: the
certificates, $\alpha^{N_A}$ and $\alpha^{N_B}$. This does not change the conclusion.

Chapter 9

Method

This chapter briefly describes how, in my opinion, the BAN logic is best applied.
The method is a natural one, but it has to be applied with discipline.
The method is:
1. Determine the goals of the protocol: what the different parties want to
achieve with the protocol. In general this could be something like (without
explicit key confirmation):
• $A \mid\equiv A \xleftrightarrow{k} B$
• $B \mid\equiv A \xleftrightarrow{k} B$
However, the goals could reach further (with explicit key confirmation):
• $A \mid\equiv A \xleftrightarrow{k} B$
• $B \mid\equiv A \xleftrightarrow{k} B$
• $A \mid\equiv B \mid\equiv A \xleftrightarrow{k} B$
• $B \mid\equiv A \mid\equiv A \xleftrightarrow{k} B$
2. Determine the assumptions, as far as these can be distilled from the description.
Mostly the assumptions deal with the beliefs in the keys of the communicating
parties that are needed in order to communicate with each other.
3. Start the analysis with the assumptions and see how the beliefs develop
on the basis of the exchange of the messages. This should be done in a
“bookkeeping” way, in which for every step it is written down which beliefs
and rules are used. This is continued until the analysis stops or until the
goals are reached. When the analysis stops, it should be examined at which
message the analysis stops, and what possibilities this gives for an attack on
the protocol.
4. In a second round the analysis can be reversed: start at the end and try to
work back to the start. This round is used for verifying that the steps taken
are correct; “quantum leaps” should be avoided.
5. Write down explicitly which rules are applied.
6. Verify the validity of the assumptions.
It is possible that during the analysis extra assumptions turn out to be necessary. Extra
assumptions are no problem as such, but they weaken the strength of the result for the protocol.

Chapter 10

Conclusions

In this document the Station-to-Station protocol is analysed four times. This shows
what can be done with the BAN logic, but it also shows the imperfections of the
BAN logic:
• The BAN logic cannot handle multi-role attacks.
• The BAN logic cannot handle explicit arithmetic in protocols. It has been
shown to be virtually impossible to derive anything from message 2, in which
$\alpha^{N_B}$ is sent. On a meta-level it can be seen that this can be done without harm.
This is not a problem specific to the BAN logic, but a more general one.
• A third problem is the concept of identity: extensions are necessary for dealing
with identity (see chapter 7). This is not always useful and it disturbs
the simplicity of the BAN logic.
• A last point is the deceptive simplicity of BAN. This is not so much an
imperfection, but more something which should be kept in mind.
The different analyses also show another danger: in order to prove the protocol, it might
be very tempting to “repair” the protocol. In this case, this concerns message 2. However,
this is not necessary. It shows the limitations (and dangers) of the application
of formal methods.

Bibliography

[BAN89] M. Burrows, M. Abadi, and R. Needham. A logic of authentication.
ACM Operating Systems Review, 23(5):1–13, December 1989. A fuller
version was published as DEC System Research Center Report number
39, Palo Alto, California, February 1989.
[GS91] Klaus Gaarder and Einar Snekkenes. Applying a formal analysis technique
to the CCITT X.509 strong two-way authentication protocol. Journal
of Cryptology, 3(2):81–98, 1991.
[MvOV97] A.J. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied
Cryptography. CRC Press, Boca Raton, Florida, 1997.
