Revisiting the Foundations of Authentication Logics

Joseph Y. Halpern, Department of Computer Science, Cornell University
Riccardo Pucella, Department of Computer Science, Cornell University
Ron van der Meyden, School of Computer Science and Engineering, University of New South Wales

Abstract

In this paper, we make the point that the problems with logics in the BAN tradition are not with the idea of basing reasoning about security protocols on epistemic notions, but with some of the specific decisions taken in the formulation of these logics. To illustrate this statement, we describe a formal logic for security protocol analysis based on well-understood modal operators: knowledge, time, and probability. We show how the logic can capture the intuitive high-level concepts of BAN and later logics. In particular, we formalize a translation of the BAN operators into our logic to model reasoning about security protocols in the presence of a Dolev-Yao adversary. We validate our translation by analyzing the Needham-Schroeder authentication protocol using our formalism. This analysis highlights some strong assumptions on nonces made by the Dolev-Yao model of the adversary. We address these concerns by formulating a different translation of the BAN operators using probability, and show how to analyze protocols in the presence of Dolev-Yao adversaries that are allowed to guess.

1 Introduction

For the past fifteen years, there has been an intuition in the world of security that formal theories of knowledge and belief should have something interesting to say about security protocols, and cryptographic protocols in particular. The idea is simply to define a logic that puts protocol analysis on a firm formal basis, giving protocol designers a way to validate their designs. Unfortunately, this intuition has not come to fruition, despite many attempts.
Setting the tone for this line of research, the BAN logic (Burrows, Abadi, and Needham 1990a) was developed in the late 1980s to address the problem of analyzing security protocols. The BAN logic focused on the notion of trust, which is useful for analyzing authentication protocols. BAN has been the subject of many criticisms (Nessett 1990; Boyd and Mao 1993), some more fair than others, and defenses (Burrows, Abadi, and Needham 1990b; van Oorschot 1993a). In no small part, the crux of the criticism rested on the fact that BAN has a multitude of operators, but no semantics to speak of.[1] The main problem with not having an independently motivated semantics is that it is not clear exactly what one is proving when a "proof" of security is exhibited for a protocol. In general, when a BAN-style analysis manages to exhibit a bug in a protocol, chances are good there is indeed a bug, but a proof of security does not guarantee much. Compounding the problem are the various generalizations of BAN, further complicating the logic (Gong, Needham, and Yahalom 1990; Abadi and Tuttle 1991; van Oorschot 1993b; Stubblebine and Wright 1996; Syverson and van Oorschot 1994). Starting with the work of Abadi and Tuttle (1991) (AT from now on)

[1] Burrows, Abadi, and Needham (1990a) did sketch a semantics, but it merely encodes the rules of the logic.