The Descent of BAN

The famous BAN paper [3] determined the research agenda of security-protocol verification for nearly a decade. Many others had worked on verifying security protocols, and the problem appeared to be intractable. The real-world systems were too complicated; too many different things could go wrong; the formal treatments were unusable. The BAN logic was abstract, formalizing intuitive notions directly. For example, if you receive a message containing a secret password and you know that the password is known only to you and Joe, then the message must have come from Joe. BAN proofs were short and simple, and each reasoning step could easily be rendered into plain English. BAN certainly had some deficiencies. The paper incorrectly claimed that the Otway-Rees protocol could be simplified in a certain way. In fact, an intruder could attack this protocol, masquerading as Bob to Alice, when Bob was not even present [7]. More generally, BAN ignored all non-encrypted information, so it could " verify " any protocol that broadcast the session key in clear. Some criticisms arose from a misunderstanding of the logic's objectives. BAN assumed that the protocol would not give secrets away—a defensible assumption, since cryptanalysts already knew how to investigate such questions. BAN's strength was that it provided a precise notation and deductive mechanism for reasoning about freshness and authenticity. Researchers introduced a great variety of other authentication logics. These were generally more complicated than BAN. Dietrich [4] published a proof of the Secure Sockets Layer (SSL) protocol using the belief logic NCP (Non-monotonic Cryptographic Protocols). This logic allowed formulae to be retracted as well as asserted, and the author accordingly had to write lengthy lists of facts holding at each step. NCP must have been more precise than BAN, but it was obviously difficult to use. Some people attempted to build automatic provers for the BAN logic, which was pointless: BAN logic proofs were easy to write, and if you wrote them yourself, you were unlikely to reach an absurd conclusion. For the more complicated authentication logics, automation became essential; Brackin [2] was a leading exponent of this approach. As do-it-yourself logics