
Exploring the BAN Approach to Protocol Analysis*

Einar Snekkenes
Alcatel Telecom Norway AS
P.B 60, Økern, 0508 Oslo 5
Norway

Abstract

The BAN (Burrows, Abadi and Needham) approach to analysis of cryptographic protocols transforms a correctness requirement into a proof obligation of a formal belief logic. It is shown that the BAN protocol annotation rules make flaws due solely to protocol step permutation undetectable by the BAN logic. This is illustrated by a short example.

In a recently published critique of the BAN logic D. Nessett uses the BAN logic to prove the correctness of an insecure protocol. In the style of BAN logic we define the concept of a terminating idealized protocol. We then show that the protocol due to D. Nessett belongs to the class of non-terminating protocols.

1 Introduction

Designing correct cryptographic protocols is hard, [2], [4], [17] give several examples of weak protocols. One can identify several classes of problems associated with the closely related tasks of protocol design and analysis:

- algorithm design: design of the underlying crypto algorithms.
- parameter choice: correct choice of algorithm parameters such as block sizes and key lengths.
- covert channel analysis: detection of the possibility for information flow through channels not intended to be used for communication.
- logical analysis and design: combining crypto algorithms and other mechanisms such as random numbers and clocks into procedures to implement security in distributed systems.

In general, all of the above problems must be solved before a secure distributed system can be implemented. In this paper we will examine an approach [1, 2, 3, 6, 8] which focuses on problems from the last category.

There are two major approaches to logical analysis of protocols:

- Given a protocol, interpret each protocol step as a function and identify terms and functions assumed to be known by the penetrator. Then identify the terms denoting protected information. A protocol is said to be secure if the penetrator cannot combine the protocol step functions and other terms and functions available to him to obtain a piece of protected information, see eg. [13, 16, 12, 15, 4]. In general, this approach is only applicable to constructive protocol descriptions.
- Express the protocol, assumptions and goals in a formal logic. A proof of security is then translated into a proof in the formal logic, see eg. [3, 6, 18, 22, 21, 9]. In some cases, this approach can give rise to non-constructive protocol descriptions with the possibility of inconsistency.

Again, considering the latter, there are two distinct approaches:

- Modal logics with few operators, see eg. [18, 22, 9].
- Logics with a fairly large number of operators, see eg. [1, 2, 3, 6, 8].

Correctness proofs (relating to logical analysis in the above sense) are usually rather long. However, this does not seem to be the case with the BAN family of logics [1, 2, 3, 6, 8]. Here, proofs are usually short and simple. Nevertheless, it has been shown in [3] that the logic can facilitate the discovery of rather subtle flaws. An objective of the work presented in this paper is to explore some of the limitations of the BAN approach. A discussion of the capabilities of the BAN approach can also be found in [23].

First we give a brief summary of the BAN approach to the analysis of authentication protocols, then we prove some properties of the BAN annotation rules. In particular, we prove that there is a very direct correspondence between annotated protocols and BAN formula derivations. In section four we exemplify a consequence of the theorem from section three. In section five we consider a weakness of the logic highlighted in [19] and introduce the notion of a terminating idealized protocol extending the class of detectable protocol flaws. Finally we give some concluding remarks.

*Research sponsored by The Royal Norwegian Council for Scientific and Industrial Research (NTNF) under Grant NNIT 0333.22222

CH2986-8/91/0000/0171$01.00 © 1991 IEEE
2 Analysis of Authentication Protocols

The general idea of the BAN approach [1, 2, 3, 6, 8] to protocol analysis is to translate protocol messages, assumptions and goals to formulae of a belief logic. Assumptions A, messages Xi's and the goal Γ are then written down in the following form:

Our analysis is complete if we manage to construct a purely formal proof of our protocol description.

2.1 Formulae and Postulates

Below we give an indication of the semantics of some of the frequently used symbols, see [2] for details. Assume P, Q are entity identifiers, K is a key and X is a formula, then

P |≡ X: P believes X and will continue to do so for the remainder of the protocol. Entities are assumed not to discard beliefs during a protocol run¹.

P |~ X: The entity P has uttered the formula X either in the current run or in some previous run.

P |⇒ X: The entity P has jurisdiction over the formula X and should be trusted with respect to the formula X.

P ◁ X: The formula X is visible to P.

#(X): The formula X has not occurred as a subformula in any messages communicated prior to the current run of the protocol.

P ↔K Q: The key K can be used to obtain a secure channel between P and Q.

↦K P: K is the public key belonging to P. K⁻¹, denoting P's private key, will only be discovered by P or an entity trusted by P.

{X}_K: The formula X encrypted with the key K.

If we from assumption X can construct a formal proof of Y1 (written X ⊢ Y1) and from assumption X can derive the formula Y2, then we can also construct a formal proof of the list (Y1, Y2) from the assumption X, thus we have:

I1:   X ⊢ Y1,  X ⊢ Y2
      ─────────────────
        X ⊢ (Y1, Y2)

The semantics of the formulae are reflected in a collection of postulates such as: If you believe that the formula X has not occurred in any messages prior to the current run of the protocol and you believe that P has said X then you also ought to believe that P believes X. This is stated as:

A more complete collection of postulates can be found in [2].

2.2 Annotated Protocols

To prove properties about protocols one employs the notion of an annotated protocol written:

{A} S1 ... {Xi} ... Sn {G}

where A, Si, Xi, G are called assumption, step, assertion and goal respectively. Occasionally, assumptions and goals are called assertions.

Below we give the annotation rules of [3] formalised in [8]. The effect of a protocol step is that its message becomes visible to the recipient:

A1:   ⊢ {Y} Ui → Uj : X {Y, (Uj ◁ X)}

"Matching" protocol annotations can be sequentially composed:

A2:   ⊢ {X} S1 ... {Y},  ⊢ {Y} S2 ... {Z}
      ───────────────────────────────────
         ⊢ {X} S1 ... {Y} S2 ... {Z}

All annotations except the assumption can be weakened (A3).

We may always add extra assumptions:

A4:   ⊢ {X} S ... {Y},  X ⊢ X'
      ─────────────────────────
         ⊢ {X, X'} S ... {Y}

3 Formula and Annotations

In this section we explore some consequences of the annotation rules. In particular, we prove that for all assumptions, protocols and goals A, S, G:

⊢ {A}S{G} iff A, S̄ ⊢ G

where S̄ is defined below. Unfortunately the proof is rather long, thus we first give a brief overview. The crux of the theorem is that any proof of a theorem of the form {A}S{G} exists if and only if one can construct a proof of a certain structure. That is, a proof P can always be transformed to some proof P' such that P' consists of applications of A1 followed by applications of A2 followed by a single application of A3. The proof given below describes this transformation.

Definition 1 A proof P of {A}S{G} is a finite sequence of applications of the rules A1, A2, A3, A4 such that each premise of each annotation rule application is the conclusion of some earlier rule application and the consequence of the last rule application is {A}S{G}.

¹This assumption simplifies the logic, but has as a consequence that the analysis technique is strictly not applicable to protocols which discard beliefs during a run.

Definition 2 If S denotes the protocol

A1 → B1 : X1;
...
An → Bn : Xn

then S̄ denotes the formula

(B1 ◁ X1, ..., Bi ◁ Xi, ..., Bn ◁ Xn)

Let |S| stand for the number of protocol steps in S.

Definition 3 A proof P is minimal with respect to a proof P' iff P and P' prove the same theorem, P is some projection of P' and P is isomorphic to some labeled connected graph.

Informally, transforming a proof to a corresponding minimal proof removes "unnecessary" parts of the proof. Note that a minimal proof is not unique since we allow annotations referenced, say n times, to be derived m times for any m ≤ n.

If P is a proof, then P(i) denotes the i'th annotation rule application of P.

Lemma 1 For all proofs P', there is some proof P such that P is minimal with respect to P'.

Proof: We give the outline of a procedure for transforming an arbitrary proof to some corresponding minimal proof. Assume P' proves T. Since P' is a proof, it corresponds to some finite forest where at least one of the trees in the forest, say a, has the root T. Finally, a can be linearised to some proof P such that P is a projection of P'. □

Lemma 2 If P = P1^P2^P3² is a proof of T, Δ is the instance of some annotation rule and each premise of Δ occurs in the conclusion of some rule instance in P1, then P' = P1^<Δ>^P2^P3 is also a proof of T.

Proof: Directly from definition 1. □

We now define the rule A4' stating that the assumption may always be strengthened. Below we show that a proof of T containing instances of A4' can be replaced by a proof without instances of A4'. Since A4 is derivable from A4' it follows that we can restrict our attention to proofs constructed solely by means of A1, A2, A3.

A4'

Let Δ denote some annotation rule (typically A1, A2 or A3). Then Δ with X1, ..., Xn simultaneously replaced by Y1, ..., Yn stands for the annotation rule instance Δ' obtained by a simultaneous substitution of X1, ..., Xn by Y1, ..., Yn in Δ. Due to the column width, substitutions of the above form may sometimes have to be broken across lines.

The next lemma states that rather than first establishing {X}S{Y} and then weakening the assumption using A4 to obtain {X', X}S{Y} (assuming X ⊢ X'), we show that we could have constructed the proof without A4. We simply "redo" the proof adding X' to each assertion. Finally we apply A3 to remove excess instances of X'.

Lemma 3 The rule A4' is derivable from A1, A2, A3.

Proof: Assume P is some proof that ⊢ {X} S ... {Y} where P only contains applications of A1, A2, A3. We give a procedure for transforming P to P' such that P' is a proof that ⊢ {X, X'} S ... {Y} and P' only contains instances of A1, A2, A3. If AX is an annotation rule, then let AXk be a particular instance of AX as shown below. In 1 we extract the old values of the variables and in 2 we construct a new instance of the rule from old variable values and new formulae.

For each instance of A1 in P use instead the instance with X' added to each assertion. Similarly, for each instance of A2 in P use instead the instance with X' added to each assertion. For each instance of A3 use instead the corresponding instance,

²^ denotes the sequence concatenation operator.


noting that we can easily construct a proof that Xi, X ⊢ (Xi, X') whenever Xi ⊢ Xi' (by I1). Finally, we obtain a proof that

⊢ {X, X'} S ... {Y}

by appending |S| applications of A3. □

Corollary 1 The rule A4 is derivable from A1, A2, A3.

Corollary 2 Any proof P of T can be transformed to some proof P' of T such that P' only contains applications of A1, A2, A3.

Let A3τ be the trivial instantiation of A3. When A3τ is used later in the text, we will leave it to the reader to work out the appropriate instantiation.

Lemma 4 If P is a proof of T, then there exists a proof P' = P1^P2 of T such that P1 is a sequence of applications of A1 and P2 is a proof without applications of A1.

Proof: First append A3τ, then apply lemma 1 resulting in some minimal proof P''. Finally, all A1 instances in P'' can be moved left, by at most |P| applications of lemma 2. □

The "rule" A3 does in fact define a collection of rules. Let A3^i be the instance of A3 which weakens the i'th assertion of A3 and A3i, A3j, A1i denote some arbitrary instantiation of A3^i, A3^j, A1 respectively. Similarly, let A3^i_{w,s} denote some A3^i instance which has w as its protocol assumption and where s is the protocol being annotated.

Recall that A3 weakens the non-assumptions of an assertion. We now show that A3 can be used to construct an annotation with a strengthened assumption.

Lemma 5 If P is some A1, A2 proof of the theorem T = {X'}S2{Y} and X ⊢ X', then there is a proof P' = P1^A3^{|S2|}_{X,S2} of {X}S2{Y} such that P1 is an A1, A2 proof.

Proof: By induction on the length of S2 it is easy to show that Y = X', S̄2 modulo formula permutation. Thus we have established ⊢ {X'}S2{X', S̄2}. But then there trivially exists another A1, A2 proof where X is substituted for X', that is: ⊢ {X}S2{X, S̄2}. By a single application of A3^{|S2|}_{X,S2} we obtain ⊢ {X}S2{X', S̄2}. Since Y = X', S̄2 it follows that ⊢ {X}S2{Y}. □

If we allow instances of A3 to be replaced by other A3 instances, we can move instances of A2 "to the left" of all A3 instances.

Lemma 6 If P = P12^<A31, ..., A3n, A21>^P3 is a proof of T = {A}S{G} and P12 is some A1, A2 proof, then P' = P12'^<A21', A3τ, A3τ', A31, ..., A3n>^P3'^<A3τ> is a proof of T, where P12' is some A1, A2 proof.

Proof: We give a procedure for transforming P to P'. From

P12^<A31, ..., A3n, A21>^P3

we obtain

P12^<A3τ, ..., A3n, A21>^P3^<A3τ>

by definition of proof (definition 1) and A3τ. Again from the definition of a proof, we may insert a copy of A31, ..., A3n after A21 in P. Since A21 has only two premises, (again from the definition of a proof) we may delete all but at most two of the A3 applications preceding A21, since we can always insert one or two trivial A3 applications. We now have the following situation (or its symmetric brother):

A3i   A3j
 ↓     ↓      (3)
   A21

Moving A3j is easy, we simply modify the second premise (and consequently also parts of the conclusion) of A21 to be the first premise of A3j. From the second premise of A3j one can produce an A3 instance A3j' having Z' ⊢ Z as its second premise. Thus, the proof segment (3) can be transformed to some segment

<A3i, A21', A3j'>

If A3i does not weaken the goal of its premise one can easily construct some proof segment <A21'', A3i', A3j''>. Note that A2 is applicable whenever we have some formula Y occurring as the
goal of one annotation and as the assumption of some assertion. The remaining cases are captured by the following instantiations:

A31

To summarise, from the assumptions, we have established:

1. The existence of some A1, A2 proof that ⊢ {X}S1{Y'}.
2. Y' ⊢ Y.
3. The existence of some A1, A2 proof that ⊢ {Y}S2{Z}.

By applying lemma 5 to 2 and 3 above, we obtain some proof P2'^A3^{|S2|}_{Y',S2} of {Y'}S2{Z}. Since we have shown above how an A3 instance feeding the second premise of A21 can be moved to the right, we conclude that

P12'^<A21', A3τ, A3τ', A31, ..., A3n>^P3^<A3τ>

is a proof of T. □

Lemma 7 If P is a proof of T = {X}S{Y}, then there is a minimal proof P' = P1^P2^P3 of T such that P1, P2, P3 consist solely of applications of A1, A2, A3 respectively.

Proof: By applying lemma 4, we obtain a proof P1^P' where P1 is some A1 proof and P' does not contain any applications of A1. Then, the desired result follows by applying lemma 6 at most once for each application of A2 in P'. □

Recall that A3 weakens one assertion at a time. One application of A3' (defined below) may weaken all non-assumption assertions.

Lemma 8 A3 and A3' are mutually derivable.

Proof: First A3 from A3'. For all Xj ⊢ Xj' where i ≠ j in A3' choose Xj' = Xj; then A3' from A3, apply A3 n times. □

Definition 4 A3'_{w,s,i} denotes some arbitrary instance i of A3' which has w as the assumption of the annotated protocol (both in premise and conclusion) and s is the list of protocol steps.

Let A3'τ be the trivial A3' instance

A3':   ⊢ {W} S1 ... {X1} ... {Xn},  X1 ⊢ X1', ..., Xn ⊢ Xn'
       ──────────────────────────────────────────────────
           ⊢ {W} S1 ... {X1'} ... {Xj'} ... {Xn'}

Lemma 9 If P = P1^<A3'1, ..., A3'n> is a proof of T, then there is some proof P' = P1^<A3'n+1> of T.

Proof: Obviously, P^<A3'τ> also is a proof of T. Using lemma 1, we obtain some minimal proof P'' = P1'^<A3'1, ..., A3'n> of T. Assume the formulae are labeled as follows: let the formula Xi,j belong to the i'th formula derivation of the j'th A3' instance. Then we have a collection of derivations

Xi,j ⊢ Xi,j'    i = 1...m, j = 1...n

where Xi,j+1 = Xi,j'. Since formula derivations are transitive, we obtain

Xi,1 ⊢ Xi,n'

Thus, the sequence of A3's can be replaced by the single A3' instance whose derivations are Xi,1 ⊢ Xi,n', noting that Wj = Wn, S1,j = S1,j' and the conclusion of P1'(|P1'|) occurs as the first premise of A3'1 since P'' is minimal. □

Lemma 10 If there exists a proof P of T = {A}S{G}, then there also exists a proof P' of T such that P' = P1'^P2'^P3' where P1', P2', P3' are proofs constructed using only A1, A2, A3' respectively. Furthermore, P3' contains exactly one application of A3'.

Proof: By lemma 7 we obtain a proof P'' = P1^P2^P3 such that P1, P2, P3 consist solely of applications of A1, A2, A3. Then, A3 occurrences are transformed to A3' occurrences by lemma 8. Finally, by lemma 9, we can reduce P3 to length one. □

Lemma 11 If P = P1^P2 is a proof of T = {X0}S1{X1} ... {Xn-1}Sn{Xn} where P1, P2 consist of applications of A1, A2 respectively, then Xn = X0, S̄1, ..., S̄n.
Proof: We first establish that all annotations occurring in P are of the form {Xi}Si+1{Xi+1} ... Sj{Xj} for some i, j where Xi+1 = Xi, S̄i+1. If A1i is the instance annotating Si, then A1i = {Xi-1}Si{Xi} = {Xi-1}Si{Xi-1, S̄i} since all A1 instances are of the form {A}Si{A, S̄i}. Otherwise, no A1, A2 proof of {X0} ... {Xn} can be constructed. Let P2(k) denote the k'th step of P2. By induction on k it is easy to show that both premises and the conclusion of P2(k) are of the form

{Xi} Si+1 ... Sj {Xj}

for some i, j. But then T also is of the form {Xi}Si+1 ... Sj{Xj} for i = 1, j = n. Finally, by induction we have that Xi = X0, S̄1, ..., S̄i, so Xn = X0, S̄1, ..., S̄n. □

Theorem 1 For all assumptions, protocols and goals A, S, G:

⊢ {A}S{G} iff A, S̄ ⊢ G

Proof: We first show if ⊢ {A}S{G} then A, S̄ ⊢ G. Assume there is a proof P of {A}S{G}, then by lemma 10 there is some minimal proof P' = P1^P2^P3 such that |P3| = 1 and P1, P2, P3 contain solely applications of A1, A2, A3' respectively. But then by lemma 11 P1^P2 is a proof that ⊢ {A}S{A, S̄}. Since by lemma 10 we know the structure of P3, it follows that A, S̄ ⊢ G.

What remains to show is that if A, S̄ ⊢ G then ⊢ {A}S{G}. By |S| applications of A1 and |S| - 1 applications of A2, we obtain a proof that

⊢ {A}S{A, S̄}

By applying A3 once, using the assumption A, S̄ ⊢ G, we immediately obtain

⊢ {A}S{G}

□

This theorem applies to any reasonable extension of BAN.

4 The Permutation Problem

In this section we first give an example illustrating that the BAN approach cannot detect flaws caused solely by step permutations. We then give a theorem to the effect that this applies to any protocol. By means of an example we also show that it is likely that any proposed zero knowledge [5, 7] extension to BAN will fail in detecting serious flaws in such authentication protocols.

4.1 An Example

Consider a realtime monitoring application employing a master computer M, and a collection of microprocessor controlled sensors S1, ..., Sn. Several times each day M requires information from the sensors. For security reasons, sensor responses have to be given a timely digital signature such that M can be sure that the response correctly reflects the sensor's state. Consider the protocol PR1 stated below.

1. M → Si : Question_{i,j}
2. Si → M : {(RS_{i,j}, Question_{i,j}, Answer_{i,j})}_{K_Si⁻¹}
3. M → Si : {RS_{i,j}}_{K_M⁻¹}

First M sends a numbered request to Si. Then Si responds by sending a nonce (RS_{i,j}) together with the question and answer pair, all signed with Si's private key. Finally, M sends RS_{i,j} (signed with M's private key) to Si.

To prevent replay, M keeps track of those RS_{i,j}'s (nonces) previously received. The last message tells Si that M received message 2. Thus, making the usual cryptographic assumptions we have³

a1 : M |≡ #(RS_{i,j})
a2 : M |≡ ↦Ki Si
a3 : M |≡ Si |⇒ (Question_{i,j}, Answer_{i,j})

At the end of the protocol, M should believe the question, answer pair.

Γ : M |≡ (Question_{i,j}, Answer_{i,j})

Let α = a1, a2, a3, then one can construct a purely formal proof that⁴

⊢ {α}PR1{Γ}

Unfortunately, in spite of the existence of a formal proof, the protocol does not quite work as expected. Consider the threat where a process C is inserted between M and Si. Then C may interact with Si several times, obtaining a collection of formulae

{(RS_{i,j}, Question_{i,j}, Answer_{i,j})}_{K_Si⁻¹},  j = 1, ..., n

This is enough information for C to violate the security⁵ of the system since he has a choice of responses he can make.

³a1 : M believes that RS_{i,j} is fresh. a2 : M believes that Ki is a good public key for Si and that Si's private key will never be discovered by any principal except Si or a principal trusted by Si. a3 : M believes that Si is competent to provide correct question and answer pairs.
⁴If the assumptions a1, a2, a3 don't hold, some of the BAN inference rules will fail to be applicable resulting in a possible failure of the goal of the protocol.
⁵We use the term security in a broad sense.
By a slight modification of the message ordering (interchange messages 2 and 3 and letting M decide the value of each RS_{i,j})⁶ this new (and more dependable) protocol PR2 will essentially have the same idealization as PR1. Furthermore, we may construct a purely formal proof that ⊢ {α}PR2{Γ}.

4.1.1 A Generalisation

The step permutation problem is in fact applicable to any protocol.

Theorem 2 If PR, PR' are protocols identical modulo step permutation where PR is correct with respect to assumption A and goal G and PR' is demonstrably insecure, then PR' can be proven correct.

Proof: Using theorem 1 we transform the erroneous protocol to its corresponding sequent of the annotation logic. Let D1, D2 be sequents corresponding to secure and correct protocols respectively. Then we have that D1, D2 are mutually derivable since the formula logic allows formulae to be permuted (lists are interpreted as conjunctions). Since D2 is assumed to hold, so will D1. □

Since this proof does not depend on any properties of the BAN belief logic (except for lists being permutable), theorem 2 will also hold for arbitrarily extended collections of formula derivation rules.

From theorem 2 and the example above, we note that extreme care has to be taken when making freshness assumptions. In particular, we may disallow an entity to assume the freshness of a formula it did not itself generate.

There are at least two ways one may attempt to avoid the consequences of theorem 2:

- use a belief logic where lists of formulae cannot be permuted and thus are not interpreted as conjunctions (at least not in the usual sense) and hence invalidating theorem 1.
- find a different collection of annotation rules.

It may be claimed that it is not particularly hard to detect the error exemplified above, nevertheless it is somewhat discomforting to know that no such error in any potentially long and complicated authentication protocol can be detected if one adopts the annotation rules A1, A2, A3, A4!

4.2 Zero Knowledge Protocols

Here we show that it is unlikely that there exists an extension to BAN suitable for the analysis of zero knowledge protocols. The zero knowledge protocol below is taken from [5]. Similar examples can be constructed for other zero knowledge protocols [20]. Assume A wants to prove to B that he is in fact A. For key generation A will do the following:

1. Choose k random numbers S1, ..., Sk in Z_n.
2. Choose each Ij (randomly and independently) as ±1/Sj² (mod n).
3. Publish I = I1, ..., Ik and keep S = S1, ..., Sk secret.

where n is the product of two primes of the form 4n+3. The actual authentication protocol (FFS) is:

Repeat 1 - 4 t times:

1. A → B : X = ±R² (mod n)
2. B → A : E1, ..., Ek
3. A → B : Y = R · ∏_{Ej=1} Sj (mod n)
4. B verifies that X = ±Y² · ∏_{Ej=1} Ij (mod n)

where R is a random number chosen by A, one number for each round, and (E1, ..., Ek) is a random boolean vector chosen by B (one vector for each round).

Assume that we can express the required assumptions in some extension of BAN as the formula α, the goal as Γ and let FFS' be the idealization of FFS. We then would expect

⊢ {α}FFS'{Γ}

to be a theorem.

Consider the protocol PR being identical to FFS except that steps 1 and 2 are interchanged.

Repeat 1 - 4 t times:

1. B → A : E1, ..., Ek
2. A → B : X = ±R² (mod n)
3. A → B : Y = R · ∏_{Ej=1} Sj (mod n)
4. B verifies that X = ±Y² · ∏_{Ej=1} Ij (mod n)

If PR' is the idealization of PR, it follows from theorem 2 that

⊢ {α}FFS'{Γ} iff ⊢ {α}PR'{Γ}

From B's point of view, PR cannot be distinguished from the protocol PR1:

Repeat 1 - 4 t times:

1. B → A : E1, ..., Ek
4. B verifies that X = ±Y² · ∏_{Ej=1} Ij (mod n)

where A chooses Y randomly and calculates X.

Here, B's check will always succeed, thus the protocol will not be well suited as an authentication protocol.

To summarise, we have shown that an extended BAN approach facilitates a proof that a good zero knowledge protocol achieves its goals if and only if a significantly flawed protocol can be proven to achieve the same goals. Thus, a BAN analysis of zero knowledge protocols will provide little extra comfort.
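The FFS rounds in the order given above and the permuted protocol PR, run side by side, as an added example (not code from the paper); the toy primes p, q, the parameters k and t, the fixed "+" sign on Ij and all function names are assumptions. It shows that B's step-4 check accepts an honest A, rejects an A without S in the FFS order (A must guess E before committing to X), and accepts an A without S in the PR order.

```python
"""Feige-Fiat-Shamir rounds in the paper's order (FFS) and in the permuted
order PR where B sends E before A commits to X.  Added example, not from
the paper; p, q, k, t and the fixed '+' sign on I_j are assumptions."""
import random
from math import gcd


def keygen(p, q, k, rng):
    """Key generation as in the paper: n = p*q, secret S_j in Z_n,
    public I_j = 1/S_j^2 (mod n).  The paper allows a +/- sign on I_j;
    this example fixes the '+' sign (assumption)."""
    n = p * q
    secret = []
    while len(secret) < k:
        s = rng.randrange(2, n)
        if gcd(s, n) == 1:                 # S_j must be invertible mod n
            secret.append(s)
    public = [pow(s * s % n, -1, n) for s in secret]
    return n, secret, public


def prod_selected(values, bits, n):
    """Product over all j with E_j = 1 of values[j], reduced mod n."""
    acc = 1
    for v, e in zip(values, bits):
        if e:
            acc = acc * v % n
    return acc


def b_verifies(n, public, X, E, Y):
    """Step 4: B checks X = +/- Y^2 * prod_{E_j=1} I_j (mod n)."""
    rhs = Y * Y % n * prod_selected(public, E, n) % n
    return X == rhs or X == (-rhs) % n


def ffs_round(n, secret, public, k, rng):
    """Paper's order: A commits X = R^2 before seeing E."""
    R = rng.randrange(1, n)
    X = R * R % n                                     # 1. A -> B : X
    E = [rng.randrange(2) for _ in range(k)]           # 2. B -> A : E_1..E_k
    Y = R * prod_selected(secret, E, n) % n            # 3. A -> B : Y
    return b_verifies(n, public, X, E, Y)              # 4. B verifies


def ffs_round_without_secret(n, public, k, rng):
    """Same order, but A does not know S: A can only guess E in advance,
    pick Y at random and compute X = Y^2 * prod I_j for the guessed E."""
    guess = [rng.randrange(2) for _ in range(k)]
    Y = rng.randrange(1, n)
    X = Y * Y % n * prod_selected(public, guess, n) % n   # 1. A -> B : X
    E = [rng.randrange(2) for _ in range(k)]                # 2. B -> A : E
    return b_verifies(n, public, X, E, Y)                   # 4. passes iff E == guess


def permuted_round_without_secret(n, public, k, rng):
    """Protocol PR: steps 1 and 2 interchanged.  A receives E first,
    chooses Y randomly and calculates X from public data only."""
    E = [rng.randrange(2) for _ in range(k)]                # 1. B -> A : E
    Y = rng.randrange(1, n)
    X = Y * Y % n * prod_selected(public, E, n) % n         # 2. A -> B : X
    return b_verifies(n, public, X, E, Y)                   # 3. A -> B : Y ; 4. verify


def count_accepted(rounds, one_round):
    """Number of rounds (out of `rounds`) in which B's check succeeds."""
    return sum(1 for _ in range(rounds) if one_round())


def demo(t=200, k=8, seed=1):
    """Returns accepted-round counts: (honest FFS, no-secret FFS, no-secret PR)."""
    rng = random.Random(seed)
    p, q = 1019, 1031                  # constructed toy primes, both = 3 (mod 4)
    n, secret, public = keygen(p, q, k, rng)
    honest = count_accepted(t, lambda: ffs_round(n, secret, public, k, rng))
    no_secret_ffs = count_accepted(
        t, lambda: ffs_round_without_secret(n, public, k, rng))
    no_secret_pr = count_accepted(
        t, lambda: permuted_round_without_secret(n, public, k, rng))
    return honest, no_secret_ffs, no_secret_pr


if __name__ == "__main__":
    print(demo())
```

In the FFS order the no-secret prover passes a round only when its guess of E was right (about 2^-k of the rounds); in the PR order it passes every round, which is exactly the indistinguishability from B's point of view described above.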
5 The Termination Problem

Now we turn to a slightly different problem, highlighted in [19]. Consider the idealized protocol P:

M1  A → B :
M2  B → A :

Let α = a1, ..., a5 denote the assumptions of the protocol where:

a1 :
a2 :
a3 :
a4 :
a5 :

Let Γ = Γ1, ..., Γ4 denote the goals of the protocol where:

Γ1 : A |≡ A ↔KAB B
Γ2 : B |≡ A |≡ A ↔KAB B
Γ3 : B |≡ A ↔KAB B
Γ4 : A |≡ B |≡ A ↔KAB B

Then it is easy to show that ⊢ {α}P{Γ} is derivable in the BAN logic presented in [2]. It is noted in [19] that in spite of the existence of a "BAN security proof", the protocol P is obviously insecure⁶.

In the remainder of this section we take the view that the above problem occurs since BAN logic only considers partial correctness.

Consider the annotation rule of the assignment statement

{P[e/X]} X := e {P}

stated in [10]. Since we have

⊢ (Y < 5 ∧ FALSE) ⇒ X > 5

then by the right consequence rule we can easily establish

⊢ {Y < 5 ∧ FALSE} X := 2 {X > 5}

Clearly, the program is correct with respect to its specification, but still something is wrong. Similarly, in the world of belief logic, it is possible to find some proof of

A, S̄ ⊢ G

where A, S̄ is in some sense inconsistent. From theorem 1 it follows that {A}S{G} is provable. However, the solution to the above problems is well known: a statement or protocol step S terminates after finite time only if FALSE is not a derivable assertion succeeding S.

We now present a partial solution to the above problem. Let F denote some formula of BAN logic, P, Q be entity identifiers and K be a key. Then we have

Definition 5 Let Λ : Formula → Formula where

  …                    when K is a symmetric key
  …                    when K is a public key
  Λ({F}_{K⁻¹}) = F     when K⁻¹ is a private key

  P ◁ Λ(F)

Informally, Λ(F) projects out the parts of F observable without having access to private or symmetric keys.

Definition 6 When X is a subformula of Y we write X ≤ Y.

We now introduce the termination rules T1 and T2. Intuitively, T1 corresponds to the requirement that only the owner of the session key K and trusted entities should be able to derive formulae in which K occurs non-encrypted.

Rule T1 states that if from the assumption that P believes α one can derive that P believes that some Q (where Q is not known to be trusted wrt. the key K) can observe K, and that P believes that K is a good key, then we can derive ⊥ from α.

T1:   P |≡ α ⊢ P |≡ Q ◁ F,  α ⊢ P |≡ P1 ↔K P2
      ─────────────────────────────────────────
                     α ⊢ ⊥

provided P1 ↔K P2 ≤ Λ(F), P |≡ Q ⊙ P1 ↔K P2 is not derivable from α and Q ≠ P1, P2, where ⊙ ∈ {|≡, ◁, |⇒, |~}.

All entities are assumed to know the derivation rules, thus we have the rationality rule [8]:

T2:        X ⊢ Y
      ─────────────────
      P |≡ X ⊢ P |≡ Y

If S is an idealized protocol where |S| = n then let m ∈ N such that m > 2n. When 1 ≤ k, l ≤ m, 1 ≤ i ≤ n we define

A1' :   ⊢ {X} Pk → Pl : Xi {X, P1 ◁ Xi, ..., Pm ◁ Xi}

⁶Anybody with access to A's public key will be able to deduce the symmetric key KAB shared by A and B.
reflecting the assumption that sent messages are visible to some arbitrarily large finite collection of entities.

Let S^{*m} denote the protocol S modified such that all messages are observable by at least all parties participating in the protocol.

Definition 7 Let *m : Idealized protocol → Idealized protocol where:

S^{*m} = S  when |S| = 0
(Pi → Pj : Xi; S)^{*m} = (Pi → P1 : Xi; …

Note that *m distributes over protocols. That is, we have

S^{*m} = S1^{*m}; ...; Sn^{*m}

where n = |S|.

Let BAN denote the collection of postulates from [3] (ie. the inference rules of the belief logic), BAN' be BAN extended with T1, T2, let A' denote the system consisting of A1', A2, A3, A4 and let A denote the system consisting of A1, A2, A3, A4.

We now show a slightly modified theorem 1 for the new system (A') of annotation rules.

Theorem 3 For any finite protocol S, |S| = n where m ∈ N, m > 2n we have:

⊢_{BAN'∪A'} {α}S{Γ} iff α, S̄^{*m} ⊢_{BAN'} Γ ⁷

Proof: See the appendix. □

Definition 8 A protocol P with assumptions α is said to terminate : ⊬_{BAN'∪A'} {α}P{⊥} ⁸.

Note that if P terminates with assumption α, one can always find an α' such that P does not terminate with respect to (α, α'). The above rules will not in general allow formal (i.e. purely syntactic) termination proofs to be constructed.

We now show that the protocol proposed in [19] does not terminate.

Claim 1 The protocol M1;M2 does not terminate with assumption α (M1, M2, α as defined above).

Proof: From theorem 3 it suffices to show

α, M1^{*m}, M2^{*m} ⊢ ⊥

Assume

α, M1^{*m}, M2^{*m}                                       (4)

From 4

C ◁ {N_A, A ↔KAB B}_{K_A⁻¹}  for C ≠ A, B                  (5)

From definition 5

Λ({N_A, A ↔KAB B}_{K_A⁻¹}) = (N_A, A ↔KAB B)               (6)

From the assumptions in 4

A |≡ A ↔KAB B                                               (7)

From T2, 4, 5

A |≡ (α, M1, M2) ⊢ A |≡ C ◁ {N_A, A ↔KAB B}_{K_A⁻¹}        (8)

From the assumption α we see that A does not believe in the competence of other processes (i.e. we do not have α ⊢ A |≡ P |⇒ F for any P, F). Without the use of the jurisdiction rule [2, 3]

P |≡ Q |⇒ X,  P |≡ Q |≡ X
──────────────────────────
         P |≡ X

the communicated messages will at most result in A |≡ P |~ F for some P, F. Then the jurisdiction rule cannot become applicable, thus A |≡ C |⇒ F for any F is not derivable.

A |≡ C |⇒ A ↔KAB B is not derivable                         (9)

From definition 6

A ↔KAB B ≤ (N_A, A ↔KAB B)                                  (10)

From T1, 8, 7, 10 and 9 we finally obtain

⊥                                                           (11)

Thus, we have shown that ⊥ is derivable so the protocol does not terminate. □

6 Conclusion

One reason for some of the problems with the BAN approach appears to be that cryptographic protocols are viewed at a very high level of abstraction. In some cases, this may be acceptable or even desirable provided the BAN user is aware of the limitations of the technique.

In [23] it is explained why the BAN approach is not suited for the analysis of protocol security. [23] focuses on the derivation of formulae from sets of formulae and in particular limitations of BAN which other logics (eg. KPL [22]) may remove. We have shown that the step permutation problem relies on the annotation

⁷⊢_L F : F is derivable in the system L.
⁸⊬_{BAN'∪A'} F : F is not derivable in the system BAN'∪A'.
rules A1 (A1'), A2, A3, A4 and is almost independent of the logic. However, the step permutation problem can be greatly reduced by only allowing the first sender of a nonce n to assume the freshness of n.

We have suggested that an apparent flaw in the BAN logic [19] is due to BAN logic being restricted to partial correctness and not termination. By introducing an extra termination proof obligation, we have indicated how the BAN logic can be used to detect a broader class of security flaws. Employing the notion of termination, it has been shown that the protocol due to D. Nessett does not terminate.

Work suggests that termination proofs are more complicated than the usual BAN correctness proofs. Thus, when combining the complexity of BAN correctness and termination proofs with other approaches to protocol analysis, see eg. [15, 11, 14, 12], it is by no means obvious that the BAN approach is simpler. However, in practice it may well be the case that security flaws manifest themselves as partial correctness flaws, giving the BAN approach a very attractive flaw detection over effort ratio.

Acknowledgements

I would like to thank Klaus Gaarder for several helpful comments and Kåre Presttun for his encouragement and continued support. Comments by the anonymous referees helped in improving the presentation.

References

[1] Michael Burrows, Martin Abadi, and Roger Needham. Authentication: A practical study in belief and action. Technical Report 138, University of Cambridge Computer Laboratory,

[7] S. Goldwasser, S. Micali, and C. Rackoff. Knowledge complexity of interactive proof systems. SIAM Journal of Computing, 18(1):186-208, 1989.

[8] L. Gong, R. Needham, and R. Yahalom. Reasoning about belief in cryptographic protocols. In Proceedings of the IEEE Computer Society Symposium on Security and Privacy, pages 234-248, 1990.

[9] Joseph Y. Halpern and Michael O. Rabin. A logic to reason about likelihood. Artificial Intelligence, 32(3):379-405, July 1987.

[10] C.A.R. Hoare. An axiomatic basis for computer programming. CACM, 12(10):576-580, 1969.

[11] Tadao Kasami, Saburo Yamamura, and Kenichi Mori. A key management scheme for end-to-end encryption and a formal verification of its security. Systems-Comput. Controls, 13(3):59-69, 1982.

[12] Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448-457, May 1989.

[13] Dennis Longley. Expert systems applied to the analysis of key management schemes. Computers and Security, 6(1):54-67, February 1987.

[14] Wen-Pai Lu and Malur K. Sundareshan. Secure communication in internet environments: A hierarchical key management scheme for end-to-end
1988. encryption. IEEE Tkansactions on communica-
tions, 37(10):1014-23, October 1989.
Michael Burrows, Martin Abadi, and Roger
Needham. A logic of authentication. Technical [15] Catherine Meadows. Using narrowing in the anal-
Report 39, Digital Systems Research Center, ysis of key management protocols. In Proceedings
1989. of the IEEE Computer Society Symposium on Se-
curity and Privacy, pages 138-147, 1989.
Michael Burrows, Martin Abadi, and Ro er
Needham. A logic of authentication. A8M [16] J.K. Millen, S.C. Clark, and S.B. Freedman.
Zhnsactions on Computer Systems, 8( 1):1&36, The interrogator: Protocol security analysis.
February 1990. IEEE Tkansactions on Sofiware Engineering,
Paul-Chen Cheng and Virgil D. Gligor. On
13(2):186-208, February 1987.
the formal specification and verification of a
multiparty session protocol. In Proceedings of the [17] J.H. Moore. Protocol failures in crypto systems.
IEEE Computer Society Symposium on Security Proceedings of the IEEE, 76(5):594-602, May
and Privacy, pages 216-233,1990. 1988.

U. Feige, A.Fiat, and A. Shamir. Zero-knowledge [18] L.E. Moser. A logic of knowledge and belief
proofs of identity. Journal of Cryptology, 1(2):77- for re-ning about computer security. In Pro-
94, 1988. ceedings of the Computer Security Foundations
Workshop II, pages 57-63. IEEE Computer Soci-
K. Gaarder and E. Snekkenes. On the formal ety Press, 1989.
analysis of PKCS authentication protocols. In
-
Advances in Crypiology Auscrypt’90, Lecture [19] Dan M. Nessett. A Critique of the Burrows,
Notes in Computer Science, pages 106 - 121. Abadi and Needham Logic. Operating System
Springer, 1990. no. 453. Review, 24(2), April 1990.

180
[20] Jean-Jacques Quisquater and Louis Claude Guil- We then show that if a,S+" I-BANJ r then I-BAN'UA~
lou. Des procddb d'authentification bas& sur {a)S{I'). First construct I-BAN'UA' {a)S{p, S*m)
une publication de problbmes complexes et per-
sonnali& dont les solutions maintenues secretes
constituent autant d'accr/'editations. In Proceed-
by IS1 applications of All and IS
of A2. From the premise and 3
~nB A N W A{a)S*m{r).
~
d- 1 applications
it follows that
ings of SECURICOM, pages 149 -158,1989. U

[21] P. Venkat Rangan. An axiomatic basis for trust in


distributed systems. In Proceedings of the IEEE Lemma 12 For any idealized protocol S, assumption
Computer Society Symposium on Security and a, goal r, m > 2 p l l
Privacy, pages 204-211, 1988.
If I - B A N W A ~ {a)s{r)then I-BANUA {a)S*m{rl.
[22] Paul Syverson. Formal semantics for logics of
cryptographic protocols. In Proceedings of the Proof : Assume P' is a proof of I - B A N ' U A ~
Computer Security Foundations Workshop III. { a } S { r ) , then we can construct a proof P of
IEEE Computer Society Press, 1990. I-BAN'UA {a)S*m{I')as follows: For each instance
[23] Paul Syverson. The use of logic in the analysis of Al' in P' we simply substitute m instances of A1
of cryptographic protocols. In Proceedings of the followed by m - 1 instances of A2. Thus, for the i'th
IEEE Computer Society Symposium on Security instance A'lj of All in P' we have a A l , A2 proof of
and Privacy, 1991. {ai}Si+m{ri} in P. By propagating through the
rest of P' we obtain the proof P of the form:
A Proof of Theorem 3 {a)~;m{. ..I;. .. s ; m . . .{r)
Theorem 3 For any finite protocol S I IS1 = n where But since *m distributes over sequences of steps
m E N, m > 2n we have: it follows that we have constructed a proof of
"
{a}s*m { r 1.
I - B A N U A ~ {Q}S{r) iff 0, s'" I-BAN' r U

Proof : First we show that if I-BAN~UA; {a)S{I')


then a, BAN' l". This follows immediately from
lemma 12 (see below) and theorem 1.

181

You might also like