Extending BAN Logic for Reasoning with Modern PKI-based Protocols
Sufatrio
Temasek Laboratories,
National University of Singapore
5 Sports Drive 2, Singapore 117508, Singapore
tslsufat@nus.edu.sg
Roland H.C. Yap
School of Computing,
National University of Singapore
Law Link, Singapore 117590, Singapore
ryap@comp.nus.edu.sg
Abstract
BAN Logic is a well-known authentication logic which, despite other more recent logics and formal methods, remains popular with many protocol designers. BAN Logic however does not properly deal with the issues of certificates and the use of Public Key Infrastructure (PKI). This paper proposes an extension to BAN Logic which focuses on certificate processing within the PKI setting. Our extension is along the lines of the work by Gaarder and Snekkenes but better captures current aspects of PKI. In particular, our extension redresses the reasoning on the goodness of private keys, and considers certificate revocation. Common pitfalls in public-key based protocol design are due to insufficient attention placed on the "intended recipient" as well as the "stated sender" of a message. Our extension makes the recipient and sender explicit, which reduces the likelihood of introducing such flaws into the protocol and its subsequent proof using BAN Logic. In summary, our logic is primarily focused on making BAN Logic more concise yet practical to use on PKI-based protocols.
1 Introduction
Designing a correct protocol specification which satisfies certain security properties is well recognized as a non-trivial task. Many logics and formal techniques have been proposed for verifying cryptographic protocols. Among various authentication logics, BAN Logic [7, 8] is one of the best known and most widely used [18, 20, 19]. One reason for its popularity is that BAN Logic is comparatively easy to use. As pointed out by Meadows [18, 19], BAN Logic's intentional avoidance of many advanced features makes it a simple and straightforward logic that is easy to apply yet of substantial use for detecting flaws. This may well explain the continued appearance of publications applying BAN Logic even now [3, 5, 21, 25, 10, 9], with application domains as diverse as wireless networks [25], mobile communication [9] and voting [21].
BAN Logic however gives a rather simplified treatment of public-key authentication processing. It does not deal with deeper aspects of public-key authentication such as certificate processing, presumably because PKI was not well established when the logic was designed. The situation is now very different since PKI is common, and many modern real-world protocols rely on PKI. There exists some work such as [3, 12, 22] which attempted to extend BAN Logic to better reason with public-key authentication. Among previous work, we find the extension by Gaarder and Snekkenes [12] particularly interesting and useful. In our view, the extension does improve the expressiveness of BAN Logic while keeping the logic's secret-key aspects intact for easy application. However, it still falls short in capturing many important concepts and practices of modern PKI usage.
In our work, we begin with the starting point of retaining the popularity of BAN Logic among protocol designers. We propose various public-key related enhancements to BAN Logic to allow for more concise reasoning on PKI-based protocols. We address various shortcomings of [12] by redefining as well as introducing a number of rules and structures to better capture PKI usage and its good practice. We also show how our extended BAN Logic can help avoid loopholes in real-world protocol specifications.
Our approach in presenting the results in this paper is ultimately pragmatic. We focus on the logic definition and its application while leaving theoretical analysis of the logic, e.g. the logic's soundness and completeness with respect to some well-defined semantics, as a separate treatment beyond this paper's scope. It is our goal here to expound an up-to-date yet accessible authentication logic which can be handily used by protocol designers who may not be experts in authentication logics or formal methods.
The remainder of this paper is organized as follows. We first survey related work in Section 2. We then give a brief review of the original BAN Logic and the previous extension by Gaarder and Snekkenes in Section 3. Section 4 presents our new extended PKI-based BAN Logic, whereas Section 5 gives insight on its application. We then discuss related topics in Section 6, and conclude in Section 7.
2 Related Work
There exists various work in the literature which applies formal methods to PKI [3, 12, 22, 17, 15, 14, 23]. We briefly survey work which extends authentication logics, particularly BAN Logic, to deal with public-key authentication. Our focus of comparison will be on: certificate processing, the notion of time duration, and rules on messages encrypted (signed) using public (private) keys.
As pointed out by many researchers, such as in [4], the original BAN Logic is known to have limitations in describing "serverless protocols". In the PKI setting, the limitations have to do with accepting the validity of a certificate. This may happen since the only way of promoting "once said" to "believes" is by use of the freshness property of a statement, which is typically in the form of a nonce or timestamp. In a serverless protocol, such a freshness guarantee however cannot be provided, because the server is not necessarily available at the time of communication. To work around the problem above, the original BAN Logic has chosen to ignore the initial handling of certificates by assuming that they have been previously distributed, checked, and accepted as valid. Aziz and Diffie, who applied BAN Logic in [4], alternatively assume a certificate to always be fresh. Hence, the required belief statements on certificate contents can somehow be derived.
In their work on formal verification of the CCITT X.509 protocol [12], Gaarder and Snekkenes argue that important aspects of public-key authentication are lost when BAN Logic is used for protocol verification. To amend this deficiency, they propose enhancements to BAN Logic that take certificate checking into account as an integral part of the reasoning process. The extension defines the notion of duration to capture some time-related aspects. A principal can therefore claim a formula is, was, or will be good in a time interval. In [22], Stubblebine and Wright however argue that the assumptions used are too restrictive for reasoning about long-lived security associations. Additionally, there exist issues on synchronization and synchronization bounds. Nevertheless, the simplicity of the logic proposed in [12], while improving the ability to reason with PKI-based protocols, is appealing. Our work here focuses on reworking the logic to be more accurately in line with current PKI practice.
The work of Syverson [23] also adds time to a logic of authentication. It incorporates a temporal formalism into a semantic model of BAN Logic developed in [2] using the temporal notions of "all points in the run prior to the current one" and "at some point in the run prior to the current one." Here in our work, we adopt the duration model of [12], which is relatively easier to use, yet enables the analysis of subtle relationships in PKI-based protocols.
Stubblebine and Wright [22] also propose a logic extension for dealing with PKI. The logic supports the concepts of synchronization, revocation and recency. In pursuing more expressiveness, it however becomes far more complex than the original BAN Logic. We view the complexity as a drawback which makes it less likely to be used in practice.
3 BAN Logic and Extension by Gaarder-Snekkenes
Below, we review briefly the original BAN Logic with an emphasis on its notation, logic constructs and inference rules relevant to our extension. We then summarize the extension logic of Gaarder and Snekkenes, and pinpoint some problems with it.
3.1 The Original BAN Logic
BAN Logic [7, 8] is a many-sorted modal logic constructed on several sorts of objects: principals, keys, messages and well-formed formulae. Predicate constructs are used to interpret organized objects into well-formed formulae. BAN Logic defines the following constructs:
- $P \mid\equiv X$: $P$ believes $X$;
- $P \triangleleft X$: $P$ sees $X$;
- $P \mid\sim X$: $P$ once said $X$;
- $P \Rightarrow X$: $P$ has jurisdiction over $X$;
- $\sharp(X)$: $X$ is fresh;
- $\{X\}_{K_{PQ}}$: $X$ encrypted with $K_{PQ}$;
- $P \xleftrightarrow{K_{PQ}} Q$: $P$ and $Q$ may use the secret key $K_{PQ}$.
For more discussion on BAN Logic, see also [13, 18]. Syverson and Cervesato [24] give a tutorial on the logic, and also put it within the broader context of logics of authentication. For our extended logic in this paper, only the secret-key rules of the original BAN Logic are relevant since we redefine all the public-key related rules later in this paper.
3.2 The Extension by Gaarder-Snekkenes
3.2.1 Extension Summary
New Constructs for Public-Key Formalism
The following logic constructs were defined for public-key authentication (with some slight notational modification on keys):
- $\wp\kappa(P, K_P)$: $P$ has associated a good public key $K_P$;
- $\Pi(K_P^{-1})$: $P$ has a good private key $K_P^{-1}$;
- $\sigma(X, K_P^{-1})$: $X$ signed with $P$'s private key $K_P^{-1}$;
- $\{X\}_{K_P}$: $X$ encrypted under $P$'s public key $K_P$.
In Gaarder-Snekkenes' extension, it is assumed that digital signatures are always in appendix mode, which we also adopt here. Hence, the signature construct $\sigma(X, K_P^{-1})$ is actually a contracted form of the following:
$\sigma(X, K_P^{-1}) = X, \mathrm{Sign}(K_P^{-1}, \mathrm{hash}(X))$ (1)
where $\mathrm{Sign}()$ is a signature function, and $\mathrm{hash}()$ is a hash construction function.
Certificate and Its Idealization
As mentioned earlier, one of the extension's main contributions is the idealization of a certificate. It adopts the certificate based on the X.509 Standard, whose basic structure can be described as follows:¹
$\mathit{Cert}_P = \sigma((N, I, \delta_P, P, K_P, A), K_I^{-1})$ (2)
where:
- $N$: unique serial number of the certificate;
- $I$: name of the issuer;
- $\delta_P$: validity period of the certificate, which consists of $t^P_1$ (not before) and $t^P_2$ (not after);
- $P$: the distinguished name of the principal;
- $K_P$: the certified public key of $P$;
- $A$: identifier of the signature algorithm employed;
- $K_I^{-1}$: $I$'s private key which is used to sign the certificate.
Based on the certificate structure, Gaarder and Snekkenes gave a certificate the following idealization:
$\mathit{Cert}_P = \sigma((\Theta(t^P_1, t^P_2), \wp\kappa(P, K_P)), K_I^{-1})$. (3)
In its idealized form, a certificate thus basically consists of two parts: its validity period (called duration-stamp in [12]) and certificate statement. The construct $(\Theta(t_1, t_2), X)$ was specifically introduced to say that "certificate statement $X$ holds in the time interval $(t_1, t_2)$". Hence, the issuer $I$ who uttered the duration-stamped certificate in (3) claims that $\wp\kappa(P, K_P)$ is good in the time interval of $t^P_1$ and $t^P_2$.
New Inference Rules
To reason with the certificate and public-key constructs, [12] introduced the following inference rules:
The message meaning (for public-key) Rule:
$\frac{P \mid\equiv \wp\kappa(Q, K_Q),\; P \mid\equiv \Pi(K_Q^{-1}),\; P \triangleleft \sigma(X, K_Q^{-1})}{P \mid\equiv Q \mid\sim X}$ (4)
The see signed-message Rule:
$\frac{P \triangleleft \sigma(X, K_Q^{-1})}{P \triangleleft X}$ (5)
The certificate duration-stamp Rule:
$\frac{P \mid\equiv Q \mid\sim (\Theta(t^R_1, t^R_2), C_R),\; P \mid\equiv Q \mid\equiv \Delta(t^R_1, t^R_2)}{P \mid\equiv Q \mid\equiv C_R}$ (6)
In the above rule, $Q$ acts as the issuer of a certificate for $R$, whose certificate statement is denoted by $C_R$. The rule thus provides a way of promoting once said to believes about a certificate statement. For this purpose, $P$ needs to believe that $Q$ holds a belief on the "good time interval" $t^R_1$ and $t^R_2$ (denoted by $\Delta(t^R_1, t^R_2)$). In other words, $P$ must believe that the validity period $(t^R_1, t^R_2)$ still holds according to the current time in $Q$.
¹ To simplify the formalism, [12] considers the certification path to be of length one. We also take a similar approach here.
Message-Recipient Construct
Gaarder and Snekkenes also introduced a notion of "intended recipient" of a message. They argued that such assurance needs to be explicitly stated as one of the goals in their X.509 protocol formalism. Moreover, they also claimed that the original BAN Logic provides no means of expressing it in the language available. Therefore, the construct "$(X, P)$" was introduced to say that "$P$ is the intended recipient of message $X$".
The construct is defined to appear in the following form:
$P \rightarrow Q: X, (X, Q)$ (7)
which then should be interpreted as "$P$ sends to $Q$ a particular message $X$ together with a statement telling that $Q$ is the intended recipient of $X$". This effort clearly represents a step forward in capturing the notion of explicit principal naming [1]. In doing so, however, [12] requires the receiver to hold an assumption about the sender's jurisdiction over the message recipient statement (i.e. $Q \mid\equiv P \Rightarrow (X, Q)$), an approach which we will examine more closely below.
3.2.2 Problems and Limitations
Despite its improvements on BAN Logic, there exist some key aspects of the extension in [12] which we find rather unsettling:
Assumption on $\Pi(K_Q^{-1})$: In verifying a protocol using [12], a (supplied) assumption needs to be added to a principal that he/she believes the goodness of the private key of another principal involved. That is, a formula such as "$P \mid\equiv \Pi(K_Q^{-1})$" needs to be vacuously held at the start of the verification process. Such stipulation is needed so that [12] can process message-meaning Rule (4). We however view the inclusion of such an assumption as unsound practice. Such a formula should never be supplied as an assumption, but rather it must be logically derived from certificate reasoning within the logic. The only assumption needed is the goodness of the public and private keys of the CA in addition to the principal's own. A principal then should be able to derive the goodness of other principals' keys from the certificates issued by the CA. If some keys are no longer to be considered good, revocation mechanisms like the Certificate Revocation List (CRL) [11] should then be incorporated in the defined logic rule(s).
Assumption for message recipient construct: One of the consequences of the message-recipient construct in [12] is that it requires a statement $(X, P)$ for every "tagged" message to be made a protocol goal. In our opinion, such assurance does not need to be stipulated as a formalism goal since we are mainly interested in deriving goals about the goodness of the generated session key(s). In our view, such a construct should instead be incorporated as part of the logic rules. Moreover, as already mentioned, the construct requires the receiver to hold an assumption about the sender's jurisdiction over the message recipient statement. In our new extension, by integrating the intended-recipient requirement into the "message-meaning" rule, we manage to eliminate the need for the sender's jurisdiction, thus simplifying the reasoning on message processing.
Omission of certificate revocation process: The work [12] apparently has chosen to ignore the incorporation of certificate revocation in its logic. Instead, it assumes that each principal always maintains the goodness of its private key. As a result, we need to believe that a certificate, once issued, is always good for the time interval specified in its validity period. Considering the importance of certificate revocation in public-key authentication, its omission in the formalization represents a limitation of the extension.
4 Our Extended PKI-based BAN Logic
Motivated by the drawbacks of the extension in [12], we propose the following extensions to BAN Logic.
4.1 Inclusion of $\Pi(K_P^{-1})$ into Idealized Certificate
In our formalism work, we idealize a certificate's statement as follows:²
$\mathit{Cert}_P = \sigma((\Theta(t^P_1, t^P_2), \wp\kappa(P, K_P), \Pi(K_P^{-1})), K_I^{-1})$ (8)
As can be seen, we now include $\Pi(K_P^{-1})$ in the idealized certificate's statement in contrast with the previous definition of (3). Hence, a valid certificate now assures that both the public and private key of a principal are good. With this modification, we thus eliminate the need to have an assumption about the goodness of another principal's private key as in [12]. This modification is crucial as it helps formalize the close relationship between certificate validity and the goodness of a private key. The rule makes it clear that a belief on $\Pi(K_P^{-1})$ should be derived from a valid certificate of $P$. Consequently, should the private key of a principal ever be compromised, the principal must notify and ask the CA to revoke his/her certificate, a requirement that is consistent with current PKI practice.
² Note that the complete idealized certificate definition will include the message-recipient construct as defined in (12).
4.2 New Use of Message-Recipient
Different from [12], the message-recipient construct is defined in our extension to be part of the signature construct ($\sigma$), which now appears in the following form:
$\sigma((X, P), K_Q^{-1})$. (9)
Unlike the use of the message-recipient construct in [12], we incorporate it into our new Message-meaning Rule (defined below) as one of its premises. A principal thus needs to ensure the existence of a valid recipient tag in the signed message in order to proceed with the rule. With this, we also manage to eliminate the requirement for stating message-recipient as a verification goal, as well as the requirement for introducing an assumption about the sender's jurisdiction over message-recipient as in [12].
4.3 New Message-Meaning Rule (Private-Key Signed Message)
In symmetric-key based authentication, the intended recipient of a message can usually be inferred from the shared secret key employed in the encryption or Message Authentication Code (MAC) generation. Unfortunately, this does not apply to private-key signed messages where the same private key is used to sign messages regardless of their intended recipient. Hence, in public-key authentication, there is a greater need to follow the "naming principle" [1].³ Surprisingly, the same mistake due to disregarding this principle seems to be made time after time in many published protocols (see [16]). Given this concern, we redefine the "Message-meaning for signed-message" Rule as follows:
$\frac{P \mid\equiv \wp\kappa(Q, K_Q),\; P \mid\equiv \Pi(K_Q^{-1}),\; P \triangleleft \sigma((X, P), K_Q^{-1})}{P \mid\equiv Q \mid\sim X}$. (10)
With (10), we thus integrate the message-recipient construct into the message-meaning rule. Our requirement for the third premise above is strongly motivated by the work of Meadows [18] and Boyd and Mathuria [6], who still managed to successfully find a loophole in the Aziz-Diffie protocol [4] despite the application of BAN Logic to the proposed protocol. We will examine this later in Section 5 where we show how the new rule and some cautionary notes on BAN Logic can help pinpoint the problem with the protocol and its flawed "proof".
³ It is possible to argue that in a few situations, due to privacy considerations, protocol designers might aim to withhold identity information as long as possible, thus conflicting with the naming principle. We however focus here on general situations where ensuring secure authentication takes higher precedence over privacy concerns.
4.4 All-Recipient See Rule
Having defined the new message-meaning rule as above, we further note that it is possible for a message to be actually intended for all principals in the protocol. A good example is a certificate, which is meant to be accepted by any principal as long as he/she trusts the issuer. We thus define a special principal name called "all", and define the following rule:
$\frac{P \triangleleft \sigma((X, \mathit{all}), K_Q^{-1})}{P \triangleleft \sigma((X, P), K_Q^{-1})}$. (11)
4.5 Certificate and Certificate-Validation
In line with the all-recipient definition above, a certificate is now to be idealized as follows:
$\mathit{Cert}_P = \sigma(((\Theta(t^P_1, t^P_2), \wp\kappa(P, K_P), \Pi(K_P^{-1})), \mathit{all}), K_I^{-1})$. (12)
This certificate definition now correctly includes the message-recipient construct, and subsumes the previous interim definition given in (8).
To derive a belief on a certificate, this Certificate Validation Rule is used:
$\frac{P \mid\equiv Q \mid\sim (\Theta(t^R_1, t^R_2), C_R),\; P \mid\equiv Q \mid\equiv \Delta(t^R_1, t^R_2),\; P \mid\equiv Q \mid\equiv \Phi(C_R)}{P \mid\equiv Q \mid\equiv C_R}$. (13)
Here $C_R$ denotes a certificate statement, consisting of $\wp\kappa(P, K_P), \Pi(K_P^{-1})$. This rule thus supersedes rule (6) previously defined in [12]. Our addition of the third premise is done to emphasize the need for a "certificate revalidation step" before deriving any belief on a certificate. $P$ must ensure the premise by checking that $Q$ still believes that the uttered certificate statement remains valid ($Q \mid\equiv \Phi(C_R)$).⁴ In the CRL model, this step is done by checking the absence of the certificate in question in $Q$'s recent CRL.
In the rule above, we note that the resulting belief statement ($C_R$) can be argued to be an "unstable" statement [8]. That is, the statement is valid only at the time of validation but not necessarily thereafter, as the corresponding certificate might be revoked at some point of time in the future. A more elaborate logic would include more general time-related reasoning, an approach that is taken for example by [22]. To keep our extension simple, however, we avoid doing so. In fact, both BAN Logic [8] and [12] implicitly made a similar simplification with respect to beliefs derived from secret-key reasoning, as in practice, a secret key will eventually cease to be valid due to an expired lifetime or a possible security breach.
⁴ Note that although we put $C_R$ as the parameter of $\Phi()$, in practice the matching is done based on the certificate's unique serial number $N$.
4.6 Message-Sender Construct
Realizing the importance of the naming principle, we take another step to additionally define a message-sender construct. The construct introduces the notion of "stated sender" of a message, and is defined to appear in one of the following forms:
$\{S(X, Q)\}_{K_P}$ or $S(\{X\}_{K_P}, Q)$. (14)
$S(X, Q)$ specifically says "message $X$ together with $Q$ as the stated sender of the message". The first form occurs when the encryption is employed with an additional function of authentication.⁵ $P$, who receives the message from $Q$, ensures this construct by first decrypting the message, and then ensuring that it correctly contains $Q$ as the sender ID together with $X$. The second form takes place when the encrypted message ($\{X\}_{K_P}$) and the clear sender ID ($Q$) come in a message signed by $Q$ (see rule (16) below).
4.7 New Message-Meaning Rule (for Public-Key Encrypted Message)
In the case of a private-key signed message, it is important to ensure the intended recipient of the message. When dealing with a message encrypted with the public key of a recipient, it is the identity of the sender that matters.
To capture the two possible forms of message-sender, we define the two following rules of message-meaning for public-key encrypted messages:
$\frac{P \mid\equiv \wp\kappa(P, K_P),\; P \mid\equiv \Pi(K_P^{-1}),\; P \triangleleft \{S(X, Q)\}_{K_P}}{P \mid\equiv Q \mid\sim X}$ (15)
$\frac{P \mid\equiv \wp\kappa(P, K_P),\; P \mid\equiv \Pi(K_P^{-1}),\; P \mid\equiv Q \mid\sim S(\{X\}_{K_P}, Q)}{P \mid\equiv Q \mid\sim X}$. (16)
Rule (15) deals with the situation where the stated sender is concealed within the encrypted message. We later show in Section 5 how this rule could have helped deal with a loophole in the Needham-Schroeder Public-Key protocol whose attack was outlined by Lowe [16]. Rule (16) is to be employed where $P$ has previously seen both $\{X\}_{K_P}$ and $Q$, perhaps as parts of a longer message statement, in a signed message previously validated using rule (10).⁶
⁵ It is important to make clear the role of encryption in a protocol specification (see [1]).
⁶ In this case of a signed encrypted message, both message-recipient and message-sender are checked. Although it looks rather strict, here we opt to do so as to help non-specialist protocol designers to avoid any unforeseen "small" mistake, which can prove costly once it is found. Alternatively, the extension logic can be made to relax this requirement.
4.8 Redefined Message-Meaning Rule for Secret-Key
For completeness, we redefine here a new construct for message authentication using a secret-key based MAC:
$\mu(X, K_{PQ}) = X, H(K_{PQ}, X)$. (17)
Similar to the signature construction in (1), MAC generation is performed by applying a chosen keyed hash-construction function $H()$ to message $X$ using $K_{PQ}$, and then appending the resulting hash image to $X$. The related message meaning (for secret-key using MAC) Rule is defined as follows:
$\frac{P \mid\equiv Q \xleftrightarrow{K_{PQ}} P,\; P \triangleleft \mu(X, K_{PQ})}{P \mid\equiv Q \mid\sim X}$. (18)
Here we omit the requirement for intended recipient and stated sender by assuming that the shared secret key is good and the message $X$ is unambiguously formatted.
4.9 Additional Rules for See Operator
The See hashed-message Rule:
$\frac{P \triangleleft \mu(X, K_{PQ})}{P \triangleleft X}$ (19)
The See signed-message Rule:
$\frac{P \triangleleft \sigma(X, K_Q^{-1})}{P \triangleleft X}$ (20)
The See recipient-tagged-message Rule:
$\frac{P \triangleleft (X, P)}{P \triangleleft X}$ (21)
The See sender-tagged-message Rule:
$\frac{P \triangleleft S(X, Q)}{P \triangleleft X}$ (22)
5 Using the New Extended Logic
We now show how our extension could have helped prevent problems in flawed published protocols.
5.1 Needham-Schroeder Public-Key Authentication Protocol
In [16], Lowe published an attack on the Needham-Schroeder public-key protocol. The protocol proceeds as follows:
1. $A \rightarrow S: A, B$
2. $S \rightarrow A: \{K_B, B\}_{K_S^{-1}}$
3. $A \rightarrow B: \{N_A, A\}_{K_B}$
4. $B \rightarrow S: B, A$
5. $S \rightarrow B: \{K_A, A\}_{K_S^{-1}}$
6. $B \rightarrow A: \{N_A, N_B\}_{K_A}$
7. $A \rightarrow B: \{N_A\}_{K_B}$.
Despite the assumption that each principal correctly holds the other's public key, Lowe managed to find an attack on the protocol. The problem with the protocol has to do with the encryption using the public key of the recipient without a clear identity of the sender. Lowe proposed the modification of message 6 into:
6'. $B \rightarrow A: \{B, N_A, N_B\}_{K_A}$.
In our new logic, with our new message-meaning (for public-key encrypted message) rule, the derivation of the flawed beliefs would then be impossible. This is the case since the requirement of $S(\ldots, B)$ is unfulfilled for message 6. This example highlights the value of integrating the message-sender construct into the message-meaning rule.
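The certificate-validation chain of rules (11), (10) and (13) from Section 4.5 and the message 6 check under rule (15) above can be exercised mechanically. The following forward-chaining checker is an added example, not code from the paper: it encodes those rules together with the see rules (20)-(22) and the original BAN jurisdiction and conjunction rules, over constructed facts in which keys are identified by their owner and principals, nonces and times are plain string names.

```python
"""Forward-chaining checker for the extended BAN rules (added example).
Formulas are nested tuples; principals, nonces and times are plain strings.
Keys are identified by owner: goodpub('Q') is ℘κ(Q, K_Q), goodpriv('Q') is Π(K_Q^-1)."""

def believes(p, f):  return ('believes', p, f)   # P |≡ F
def sees(p, m):      return ('sees', p, m)       # P ◁ M
def said(p, m):      return ('said', p, m)       # P |~ M
def controls(p, f):  return ('controls', p, f)   # P ⇒ F (BAN jurisdiction)
def goodpub(p):      return ('goodpub', p)       # ℘κ(P, K_P)
def goodpriv(p):     return ('goodpriv', p)      # Π(K_P^-1)
def sig(m, q):       return ('sig', m, q)        # σ(M, K_Q^-1)
def enc(m, p):       return ('enc', m, p)        # {M}_{K_P}
def recip(m, p):     return ('recip', m, p)      # (M, P): intended recipient
def sender(m, q):    return ('sender', m, q)     # S(M, Q): stated sender
def dur(t1, t2, c):  return ('dur', t1, t2, c)   # (Θ(t1, t2), C): duration-stamped
def delta(t1, t2):   return ('delta', t1, t2)    # Δ(t1, t2): interval holds now
def phi(c):          return ('phi', c)           # Φ(C): statement not revoked
def both(a, b):      return ('and', a, b)        # conjunction of two statements

def cert(subject, issuer, t1, t2):
    """Idealized certificate of eq. (12): issuer signs the duration-stamped (℘κ, Π) for 'all'."""
    return sig(recip(dur(t1, t2, both(goodpub(subject), goodpriv(subject))), 'all'), issuer)

def step(facts, principals):
    """One round of rule application; returns only facts not yet known."""
    new = set()
    for f in facts:
        if f[0] == 'sees':
            p, m = f[1], f[2]
            if m[0] == 'sig':
                new.add(sees(p, m[1]))                            # rule (20)
                if m[1][0] == 'recip' and m[1][2] == 'all':       # rule (11)
                    for r in principals:
                        new.add(sees(r, sig(recip(m[1][1], r), m[2])))
                # Rule (10): signed, addressed to P, and signer's key pair believed good.
                if (m[1][0] == 'recip' and m[1][2] == p
                        and believes(p, goodpub(m[2])) in facts
                        and believes(p, goodpriv(m[2])) in facts):
                    new.add(believes(p, said(m[2], m[1][1])))
            if m[0] == 'recip' and m[2] == p:
                new.add(sees(p, m[1]))                            # rule (21)
            if m[0] == 'sender':
                new.add(sees(p, m[1]))                            # rule (22)
            # Rule (15): encrypted under P's public key with the sender stated inside.
            if (m[0] == 'enc' and m[2] == p and m[1][0] == 'sender'
                    and believes(p, goodpub(p)) in facts
                    and believes(p, goodpriv(p)) in facts):
                new.add(believes(p, said(m[1][2], m[1][1])))
        elif f[0] == 'believes':
            p, inner = f[1], f[2]
            # Rule (13): once-said duration-stamped C, clock in interval, not revoked.
            if inner[0] == 'said' and inner[2][0] == 'dur':
                q, (_, t1, t2, c) = inner[1], inner[2]
                if (believes(p, believes(q, delta(t1, t2))) in facts
                        and believes(p, believes(q, phi(c))) in facts):
                    new.add(believes(p, believes(q, c)))
            # Original BAN jurisdiction rule.
            if inner[0] == 'believes' and believes(p, controls(inner[1], inner[2])) in facts:
                new.add(believes(p, inner[2]))
            # Original BAN conjunction: believing (A, B) gives belief in A and in B.
            if inner[0] == 'and':
                new.update({believes(p, inner[1]), believes(p, inner[2])})
    return new - facts

def derive(facts, principals):
    """Apply the rules to a fixpoint and return every derivable fact."""
    facts = set(facts)
    while True:
        new = step(facts, principals)
        if not new:
            return facts
        facts |= new

def certificate_scenario(revoked=False):
    """A validates B's certificate issued by CA S. Constructed assumptions: only S's
    keys are good, S has jurisdiction over B's key statement, S's clock is inside the
    validity period, and (unless revoked) B's certificate is absent from S's CRL."""
    c_b = both(goodpub('B'), goodpriv('B'))
    facts = {believes('A', goodpub('S')), believes('A', goodpriv('S')),
             believes('A', controls('S', c_b)),
             believes('A', believes('S', delta('t1', 't2'))),
             sees('A', cert('B', 'S', 't1', 't2'))}
    if not revoked:
        facts.add(believes('A', believes('S', phi(c_b))))
    return derive(facts, ['A', 'B', 'S'])

def nspk_message6(lowe_fix):
    """Message 6 as received by A: {N_A, N_B}_{K_A}, or with Lowe's fix
    {B, N_A, N_B}_{K_A}, modelled as the sender tag S((N_A, N_B), B)."""
    body = ('N_A', 'N_B')
    payload = sender(body, 'B') if lowe_fix else body
    facts = {believes('A', goodpub('A')), believes('A', goodpriv('A')),
             sees('A', enc(payload, 'A'))}
    return derive(facts, ['A', 'B'])
```

Without the revocation premise Φ the chain stops at "A believes S once said the certificate", and without the sender tag the original message 6 yields no "A believes B once said (N_A, N_B)" at all.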
5.2 Aziz-Diffie Protocol
We analyze below the protocol by Aziz and Diffie [4] which was still broken despite the use of the original BAN Logic by the authors to verify it.
The protocol uses public-key cryptography for securing the wireless link between a Mobile ($M$) and a Base ($B$). In the following, $\mathit{alg\_list}$ denotes a list of flags representing potential secret-key algorithms chosen by $M$. The flag $\mathit{sel\_alg}$ represents the particular algorithm selected by $B$ from the list $\mathit{alg\_list}$, and is to be employed to encrypt the subsequent data call. The protocol for providing the connection setup between $M$ and $B$ is as follows ([6]):
1. $M \rightarrow B: \mathit{Cert}(M), N_M, \mathit{alg\_list}$
2. $B \rightarrow M: \mathit{Cert}(B), \{X_B\}_{K_M}, \mathit{sel\_alg}, \{\mathrm{hash}(\{X_B\}_{K_M}, \mathit{sel\_alg}, N_M, \mathit{alg\_list})\}_{K_B^{-1}}$
3. $M \rightarrow B: \{X_M\}_{K_B}, \{\mathrm{hash}(\{X_M\}_{K_B}, \{X_B\}_{K_M})\}_{K_M^{-1}}$
Here $N_M$ is a nonce from $M$. $X_B$ and $X_M$ denote the particular session key values chosen by $B$ and $M$, respectively. The final session key $x$ is calculated as $X_M \oplus X_B$.
The protocol was verified in [4] using BAN Logic. In our analysis, the given proof apparently contains a serious flaw. The flaw is introduced in the error-prone idealization step of the formalism. [4] idealized message 2 as:
$\{\{\xrightarrow{K_B} B\}_{K_{Ca}^{-1}}, M \xleftrightarrow{X_B} B, N_M\}_{K_B^{-1}}$.
The problem with this is that what can actually be derived from the message is $\{M \xleftrightarrow{X_B} B\}_{K_M}$, and not $M \xleftrightarrow{X_B} B$. This formalism pitfall allowed [4] to incorrectly derive the desired goals despite the loophole in the protocol.
Subsequently, both [18] and [6] managed to mount an attack on the protocol. The attack outlined in [6] makes use of two parallel open sessions. Impersonating $M$ in the first session, an attacker $C$ is able to obtain $\{X_B\}_{K_M}$ from message 2. In the second session, $C$ then replays $\{X_B\}_{K_M}$ to the initiating $M$ when it plays the role of Base. [6] correctly pointed out that the source of the problem is that $C$ can construct message 2 without the knowledge of $X_B$. To fix the protocol, [6] proposed the modification of messages 2 and 3 into:
2'. $B \rightarrow M: \mathit{Cert}(B), N_B, \{X_B\}_{K_M}, \mathit{sel\_alg}, \{\mathrm{hash}(X_B, M, N_M, \mathit{alg\_list})\}_{K_B^{-1}}$
3'. $M \rightarrow B: \{X_M\}_{K_B}, \{\mathrm{hash}(X_M, B, N_B)\}_{K_M^{-1}}$
Nonce $N_B$ now provides freshness assurance, taking the role of $\{X_B\}_{K_M}$ in the original protocol. Note that message 2' contains $M$ in the signed hash's arguments. Likewise, message 3' now contains $B$.⁷ Such inclusions are thus in line with our requirement of message-recipient in the message meaning rule (for signed message), highlighting the need for such assurance in robust protocol design.
In message 2', $\{X_B\}_{K_M}$ is however sent without sender-tag assurance, seemingly playing down the message-sender requirement in encrypted messages. However, we can notice that $X_B$, instead of $\{X_B\}_{K_M}$, is now part of the signed message portion. Thus, after decrypting $\{X_B\}_{K_M}$ into $X_B$, $M$ is required to check that the hash is correctly constructed with $X_B$ as its input, and is subsequently signed by $B$. This provides $B$'s "authorship" (sender-tag) assurance on $X_B$. However, since designing a protocol is an error-prone activity, we opt to make the assurance explicit, either by suggesting $\{X_B, B\}_{K_M}$, or adding $B$ in the signed hash portion to enable rule (16). Such inclusion will increase the protocol assurance while incurring small extra overheads.
⁷ Although $M$ and $B$ are not included in the clear portion of messages 2' and 3' respectively, they are actually present from the message transfer context. As such, we should take their presence into account in our idealized protocol and verification.
6 Discussion
We have presented an extension of BAN Logic which deals with PKI. It addresses a number of issues in [12] which are vital to more accurate reasoning with certificate-based protocols. In summary, our main contributions are:
- We present an improved idealization of a certificate, in which the assurance of a private key is also derived from the certificate. This eliminates the need to have an assumption about the goodness of the other principal's private key as in [12].
- We define a new message-meaning rule for the private-key signed message, which contains the message-recipient construct. By doing so, we manage to eliminate the requirement for stating message-recipient as a goal, as well as for introducing an assumption about the sender's jurisdiction over message-recipient as in [12].
- We also modify the certificate-validation rule, which now includes a third premise to highlight the need for a certificate revalidation step. In the CRL model, the new rule thus makes explicit two requirements in certificate validation: time synchronization with the certificate issuer, and the check against the issuer's recent CRL.
- We define the message-meaning rule for the public-key encrypted message which now requires the message-sender construct. This modification is vital as it prevents a common mistake in public-key protocol design, as clearly illustrated among others by Lowe's attack on the Needham-Schroeder public-key protocol [16].
Although some of the modifications above may look
simple, they are however crucial for better reasoning with
PKI-based protocols. Table 1 contrasts several constructs
and rules from [12] with our new extension.
Lastly, we would also like to address a subtle issue in BAN Logic, namely reasoning about: (i) a signed encrypted message, where a signed message contains encrypted message portion(s); and (ii) an encrypted signed message, where a signed message is sent encrypted.

We already consider case (i) when defining rule (16). To be more complete, we can additionally define:

$$\frac{P \mid\equiv \wp\kappa(P, K_P),\quad P \mid\equiv \Pi(K_P^{-1}),\quad P \mid\equiv Q \mid\equiv S(\{X\}_{K_P}, Q)}{P \mid\equiv Q \mid\equiv X} \qquad (23)$$

This rule applies when the freshness assurance comes in the signed message rather than in the encrypted portion. Hence, we simply derive a belief about the encrypted message. For case (ii), we can similarly define:

$$\frac{P \mid\equiv \wp\kappa(Q, K_Q),\quad P \mid\equiv \Pi(K_Q^{-1}),\quad P \mid\equiv \sigma((X, P), K_Q^{-1})}{P \mid\equiv Q \mid\equiv X} \qquad (24)$$
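To make the effect of the new premises concrete, the following Python is an added illustration (not the paper's own tool) that encodes three of the rules discussed here as forward inference steps over a set of beliefs: our certificate-validation rule with the Φ(C) premise, our signed-message meaning rule with the explicit recipient, and rule (24). The tuple encoding of formulas, the naming of a private key as the public key name plus "^-1", and the principals A, B, I and R in the scenario are assumptions of this example.

```python
"""Toy forward checker for three rules of the extended BAN logic in this
section: our certificate-validation rule (with the Phi(C) revocation premise),
our signed-message meaning rule (with an explicit recipient), and rule (24).
Added illustration, not the paper's own tool. Formulas are nested tuples,
principals and keys are strings, and the private key matching a public key K
is named K + "^-1" (an encoding assumption of this example).
"""
from typing import Optional, Set, Tuple

Formula = Tuple
Belief = Tuple[str, Formula]      # (P, F) stands for  P |≡ F


def inv(K: str) -> str:           # K^{-1}, the private key matching public key K
    return K + "^-1"


# Constructors named after the paper's notation
def pk(P: str, K: str) -> Formula:             return ("pk", P, K)          # ℘κ(P, K)
def good(K: str) -> Formula:                   return ("good", K)           # Π(K)
def sig(F: Formula, K: str) -> Formula:        return ("sig", F, K)         # σ(F, K)
def tup(*items) -> Formula:                    return ("tup",) + items      # (X, Y, ...)
def said(Q: str, F: Formula) -> Formula:       return ("said", Q, F)        # Q |∼ F
def believes(Q: str, F: Formula) -> Formula:   return ("believes", Q, F)    # Q |≡ F
def validity(t1: str, t2: str) -> Formula:     return ("Theta", t1, t2)     # Θ(t1, t2)
def in_period(t1: str, t2: str) -> Formula:    return ("Delta", t1, t2)     # Δ(t1, t2)
def not_revoked(C: Formula) -> Formula:        return ("Phi", C)            # Φ(C)


def certificate_validation(beliefs: Set[Belief], P: str, Q: str,
                           t1: str, t2: str, C: Formula) -> Optional[Belief]:
    """P|≡ Q|∼ (Θ(t1,t2), C),  P|≡ Q|≡ Δ(t1,t2),  P|≡ Q|≡ Φ(C)  ⊢  P|≡ Q|≡ C.
    The third premise is the CRL check; without it nothing is derived."""
    needed = {(P, said(Q, tup(validity(t1, t2), C))),
              (P, believes(Q, in_period(t1, t2))),
              (P, believes(Q, not_revoked(C)))}
    return (P, believes(Q, C)) if needed <= beliefs else None


def signed_message_meaning(beliefs: Set[Belief], P: str, seen: Formula,
                           Q: str, KQ: str) -> Optional[Belief]:
    """P|≡ ℘κ(Q,K_Q),  P|≡ Π(K_Q^{-1}),  P ◁ σ((X,P),K_Q^{-1})  ⊢  P|≡ Q|∼ X.
    `seen` is the message P sees.  The recipient slot inside the signed pair
    must name P itself; a signature addressed to someone else derives nothing."""
    if seen[0] != "sig" or seen[2] != inv(KQ):
        return None
    body = seen[1]
    if body[0] != "tup" or len(body) != 3 or body[2] != P:
        return None
    if {(P, pk(Q, KQ)), (P, good(inv(KQ)))} <= beliefs:
        return (P, said(Q, body[1]))
    return None


def encrypted_signed_meaning(beliefs: Set[Belief], P: str, Q: str,
                             KQ: str) -> Optional[Belief]:
    """Rule (24):  P|≡ ℘κ(Q,K_Q),  P|≡ Π(K_Q^{-1}),  P|≡ σ((X,P),K_Q^{-1})  ⊢  P|≡ Q|≡ X.
    Here the signed pair is already a belief of P (e.g. recovered from the
    encrypted outer layer), so the premise is a belief rather than a 'sees'."""
    if not {(P, pk(Q, KQ)), (P, good(inv(KQ)))} <= beliefs:
        return None
    for holder, F in beliefs:
        if holder == P and F[0] == "sig" and F[2] == inv(KQ):
            body = F[1]
            if body[0] == "tup" and len(body) == 3 and body[2] == P:
                return (P, believes(Q, body[1]))
    return None


def worked_example() -> dict:
    """Constructed scenario: A holds the key premises for B and for issuer I.
    Shows which conclusions each rule licenses and which it refuses."""
    KB = "K_B"
    cert_B = pk("B", KB)                          # stands in for C_B
    key_beliefs = {("A", pk("B", KB)), ("A", good(inv(KB)))}
    msg_to_A = sig(tup("N_A", "A"), inv(KB))       # signed, addressed to A
    msg_to_R = sig(tup("N_A", "R"), inv(KB))       # same content, addressed to R
    cert_beliefs = {("A", said("I", tup(validity("t1", "t2"), cert_B))),
                    ("A", believes("I", in_period("t1", "t2")))}
    return {
        "signed_for_A": signed_message_meaning(key_beliefs, "A", msg_to_A, "B", KB),
        "signed_for_R": signed_message_meaning(key_beliefs, "A", msg_to_R, "B", KB),
        "cert_without_crl": certificate_validation(cert_beliefs, "A", "I", "t1", "t2", cert_B),
        "cert_with_crl": certificate_validation(
            cert_beliefs | {("A", believes("I", not_revoked(cert_B)))},
            "A", "I", "t1", "t2", cert_B),
        "rule_24": encrypted_signed_meaning(
            key_beliefs | {("A", sig(tup("N_B", "A"), inv(KB)))}, "A", "B", KB),
    }


if __name__ == "__main__":
    for name, result in worked_example().items():
        print(f"{name}: {result}")
```

Running the scenario shows that the signed message addressed to R and the certificate lacking the Φ(C_B) belief both derive nothing, while the correctly addressed message, the fully validated certificate and the rule (24) instance each yield the expected belief.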
7 Conclusion
We have presented our Extended BAN Logic, built upon the previous work by Gaarder and Snekkenes [12], for better reasoning with certificate-based public-key authentication. Our extensions remove various limitations of [12] to make the logic more in line with concepts and practice in the modern PKI setting. Examples of the usage of our extension are given. These help prevent common mistakes in public-key protocol design and verification. Given that BAN Logic is a well-understood and popular logic, we envisage that our extension provides a practical and valuable tool without requiring users to manipulate a substantially more complex formalism. It is indeed our aim to make formal analysis of PKI-based protocols more readily accessible to a wider range of protocol designers, thus allowing more parties to improve the security of their protocols.
Category: Idealized certificate
Gaarder-Snekkenes' Extension [12]: $\sigma((\Theta(t_1^P, t_2^P),\ \wp\kappa(P, K_P)),\ K_I^{-1})$
Our Extended Logic: $\sigma(((\Theta(t_1^P, t_2^P),\ \wp\kappa(P, K_P),\ \Pi(K_P^{-1})),\ all),\ K_I^{-1})$

Category: Certificate-validation
Gaarder-Snekkenes' Extension [12]:
$$\frac{P \mid\equiv Q \mid\sim (\Theta(t_1^R, t_2^R), C_R),\quad P \mid\equiv Q \mid\equiv \Delta(t_1^R, t_2^R)}{P \mid\equiv Q \mid\equiv C_R}$$
Our Extended Logic:
$$\frac{P \mid\equiv Q \mid\sim (\Theta(t_1^R, t_2^R), C_R),\quad P \mid\equiv Q \mid\equiv \Delta(t_1^R, t_2^R),\quad P \mid\equiv Q \mid\equiv \Phi(C_R)}{P \mid\equiv Q \mid\equiv C_R}$$

Category: Message-recipient
Gaarder-Snekkenes' Extension [12]: $(X, P)$
Our Extended Logic: $\sigma((X, P),\ K_Q^{-1})$

Category: Stated-sender
Gaarder-Snekkenes' Extension [12]: $\{S(X, Q)\}_{K_P}$
Our Extended Logic: $S(\{X\}_{K_P}, Q)$

Category: Msg-meaning (signed)
Gaarder-Snekkenes' Extension [12]:
$$\frac{P \mid\equiv \wp\kappa(Q, K_Q),\quad P \mid\equiv \Pi(K_Q^{-1}),\quad P \triangleleft \sigma(X, K_Q^{-1})}{P \mid\equiv Q \mid\sim X}$$
Our Extended Logic:
$$\frac{P \mid\equiv \wp\kappa(Q, K_Q),\quad P \mid\equiv \Pi(K_Q^{-1}),\quad P \triangleleft \sigma((X, P), K_Q^{-1})}{P \mid\equiv Q \mid\sim X}$$

Category: Msg-meaning (encrypted)
Gaarder-Snekkenes' Extension [12]:
$$\frac{P \mid\equiv \wp\kappa(P, K_P),\quad P \mid\equiv \Pi(K_P^{-1}),\quad P \triangleleft \{S(X, Q)\}_{K_P}}{P \mid\equiv Q \mid\sim X}$$
Our Extended Logic:
$$\frac{P \mid\equiv \wp\kappa(P, K_P),\quad P \mid\equiv \Pi(K_P^{-1}),\quad P \mid\equiv Q \mid\sim S(\{X\}_{K_P}, Q)}{P \mid\equiv Q \mid\sim X}$$

Table 1. Comparison of relevant constructs and rules from [12] and our new extension.
References
[1] M. Abadi and R. Needham. Prudent engineering practice
for cryptographic protocols. IEEE Transactions on Software
Engineering, 22(1):6–15, 1996.
[2] M. Abadi and M. R. Tuttle. A semantics for a logic of au-
thentication. In ACM Symposium on Principles of Distrib-
uted Computing (PODC), 1991.
[3] N. Agray, W. van der Hoek, and E. P. de Vink. On BAN
logics for industrial security protocols. In From Theory to
Practice in Multi-Agent Systems. LNAI Vol. 2296, 2002.
[4] A. Aziz and W. Diffie. Privacy and authentication for wire-
less local area networks. IEEE Personal Communication,
1(1):25–31, 1994.
[5] K. Bicakci and N. Baykal. One-time passwords: security
analysis using BAN logic and integrating with smartcard au-
thentication. In International Symposium on Computer and
Information Sciences (ISCIS). LNCS Vol. 2869, 2003.
[6] C. Boyd and A. Mathuria. Key establishment protocols for
secure mobile communications: a selective survey. In Aus-
tralasian Conference on Information Security and Privacy
(ACISP). LNCS Vol. 1438, 1998.
[7] M. Burrows, M. Abadi, and R. Needham. A logic of au-
thentication. Proceedings of the Royal Society, 426(1871),
1989.
[8] M. Burrows, M. Abadi, and R. Needham. A logic of authen-
tication, revised. SRC Technical Report 39. Digital Systems
Research Centre, 1990.
[9] C. Chang, H. Pan, and H. Jia. A secure short message com-
munication protocol. International Journal of Automation
and Computing, 5(2):202–207, 2008.
[10] L. Chen, G. Zhang, and X. Li. Efficient identity authentica-
tion protocol and its formal analysis. In International Con-
ference on Computational Intelligence and Security Work-
shops (CISW), 2007.
[11] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley,
and W. Polk. Internet X.509 Public Key Infrastructure cer-
tificate and Certificate Revocation List (CRL) profile. IETF
RFC 5280, 2008.
[12] K. Gaarder and E. Snekkenes. Applying a formal analysis
technique to the CCITT X.509 strong two-way authentica-
tion protocol. Journal of Cryptology, 3(2):81–98, 1991.
[13] S. Gritzalis, D. Spinellis, and P. Georgiadis. Security pro-
tocols over open networks and distributed systems: formal
methods for their analysis, design, and verification. Com-
puter Communications, 22(8):697–709, 1999.
[14] J. Howell and D. Kotz. A formal semantics for SPKI. In Eu-
ropean Symposium on Research in Computer Security (ES-
ORICS). LNCS Vol. 1895, 2000.
[15] R. Kohlas and U. Maurer. Reasoning about public-key cer-
tification: on bindings between entities and public keys.
Journal on Selected Areas in Communications, 18:551–560,
2000.
[16] G. Lowe. Some new attacks upon security protocols. In
IEEE Computer Security Foundations Workshop, 1996.
[17] U. Maurer. Modelling a public-key infrastructure. In Eu-
ropean Symposium on Research in Computer Security (ES-
ORICS). LNCS Vol. 1146, 1996.
[18] C. Meadows. Formal verification of cryptographic proto-
cols: a survey. In Advances in Cryptology - Asiacrypt’94.
LNCS Vol. 917, 1994.
[19] C. Meadows. Formal methods for cryptographic protocol
analysis: emerging issues and trends. IEEE Journal on Se-
lected Areas in Communications, 21(1), 2003.
[20] B. Schneier. Applied cryptography: protocols, algorithms,
and source code in C. Wiley, New York, 2nd edition, 1996.
[21] T. Storer, U. Martin, and I. Duncan. BAN logic analysis of
the UK postal voting system. Research report. University of
St. Andrews, 2003.
[22] S. Stubblebine and R. Wright. An authentication logic with
formal semantics supporting synchronization, revocation,
and recency. IEEE Transactions on Software Engineering,
28(3):256–285, 2002.
[23] P. Syverson. Adding time to a logic of authentication. In
ACM Conference on Computer and Communications Secu-
rity (CCS), 1993.
[24] P. Syverson and I. Cervesato. The logic of authentication
protocols. In Foundations of Security Analysis and Design.
LNCS Vol. 2171, 2001.
[25] S. Xu and C. Huang. Attacks on PKM protocols of IEEE
802.16 and its later versions. In International Symposium
on Wireless Communication Systems (ISWCS), 2006.
Public-key certification is of crucial importance for advanc- ing the global information infrastructure, yet it suffers from certain am- biguities and lack of understanding and precision. This paper suggests a few steps towards basing public-key certification and public-key in- frastructures on firmer theoretical grounds. In particular, we investigate the notion of binding a public to an entity. We propose a calculus for deriving conclusions from a given entity Alice’s (for instance a judge’s) view consisting of evidence and inference rules valid in Alice’s world. The evidence consists of statements made by public keys (e.g., certificates, authorizations, or recommendations), statements made physically towards Alice by other entities, and trust assumptions. Conclusions are about who says a statement, who owns or is committed to a public key, and who transfers a right or authorization to another entity, and are derived by applying the inference rules.