(* Title: HOL/Auth/WooLam 
2 
ID: $Id$ 

3 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 

4 
Copyright 1996 University of Cambridge 

5 

6 
Inductive relation "woolam" for the WooLam protocol. 

7 

8 
Simplified version from page 11 of 

9 
Abadi and Needham. Prudent Engineering Practice for Cryptographic Protocols. 

10 
IEEE Trans. S.E. 22(1), 1996, pages 615. 

11 

12 
Note: this differs from the WooLam protocol discussed by Lowe in his paper 

13 
Some New Attacks upon Security Protocols. 

14 
Computer Security Foundations Workshop, 1996. 

15 
*) 

16 

17 
WooLam = Shared + 

18 

19 
consts lost :: agent set (*No need for it to be a variable*) 
20 
woolam :: event list set 
21 
inductive woolam 
2274  22 
intrs 
23 
(*Initial trace is empty*) 

24 
Nil "[]: woolam" 
2274  25 

26 
(*The spy MAY say anything he CAN say. We do not expect him to 

27 
invent new nonces here, but he can also use NS1. Common to 

28 
all similar protocols.*) 

29 
Fake "[ evs: woolam; B ~= Spy; 
2274  30 
X: synth (analz (sees lost Spy evs)) ] 
31 
==> Says Spy B X # evs : woolam" 
2274  32 

33 
(*Alice initiates a protocol run*) 

34 
WL1 "[ evs: woolam; A ~= B ] 
35 
==> Says A B (Agent A) # evs : woolam" 
2274  36 

37 
(*Bob responds to Alice's message with a challenge.*) 

38 
WL2 "[ evs: woolam; A ~= B; 
3465  39 
Says A' B (Agent A) : set evs ] 
40 
==> Says B A (Nonce NB) # evs : woolam" 
2274  41 

42 
(*Alice responds to Bob's challenge by encrypting NB with her key. 

43 
B is *not* properly determined  Alice essentially broadcasts 

44 
her reply.*) 

45 
WL3 "[ evs: woolam; 
3465  46 
Says A B (Agent A) : set evs; 
47 
Says B' A (Nonce NB) : set evs ] 

48 
==> Says A B (Crypt (shrK A) (Nonce NB)) # evs : woolam" 
2274  49 

3470  50 
(*Bob forwards Alice's response to the Server. NOTE: usually 
51 
the messages are shown in chronological order, for clarity. 

52 
But here, exchanging the two events would cause the lemma 

53 
WL4_analz_sees_Spy to pick up the wrong assumption!*) 

54 
WL4 "[ evs: woolam; B ~= Server; 
3465  55 
Says A' B X : set evs; 
56 
Says A'' B (Agent A) : set evs ] 

57 
==> Says B Server {Agent A, Agent B, X} # evs : woolam" 
2274  58 

59 
(*Server decrypts Alice's response for Bob.*) 

60 
WL5 "[ evs: woolam; B ~= Server; 
61 
Says B' Server {Agent A, Agent B, Crypt (shrK A) (Nonce NB)} 
3465  62 
: set evs ] 
63 
==> Says Server B (Crypt (shrK B) {Agent A, Nonce NB}) 
64 
# evs : woolam" 
2274  65 

66 
end 