(* Title: HOL/Auth/NS_Public 
2 
ID: $Id$ 

3 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 

4 
Copyright 1996 University of Cambridge 

5 

6 
Inductive relation "ns_public" for the NeedhamSchroeder PublicKey protocol. 

2538  7 
Version incorporating Lowe's fix (inclusion of B's identity in round 2). 
2318  8 
*) 
9 

10 
NS_Public = Public + 

11 

12 
consts ns_public :: event list set 
2549  13 

2318  14 
inductive ns_public 
15 
intrs 

16 
(*Initial trace is empty*) 

17 
Nil "[]: ns_public" 

18 

19 
(*The spy MAY say anything he CAN say. We do not expect him to 

20 
invent new nonces here, but he can also use NS1. Common to 

21 
all similar protocols.*) 

22 
Fake "[ evs: ns_public; X: synth (analz (spies evs)) ] 
2318  23 
==> Says Spy B X # evs : ns_public" 
24 

25 
(*Alice initiates a protocol run, sending a nonce to Bob*) 

26 
NS1 "[ evs1: ns_public; Nonce NA ~: used evs1 ] 
2497  27 
==> Says A B (Crypt (pubK B) {Nonce NA, Agent A}) 
28 
# evs1 : ns_public" 
2318  29 

30 
(*Bob responds to Alice's message with a further nonce*) 

31 
NS2 "[ evs2: ns_public; Nonce NB ~: used evs2; 
32 
Says A' B (Crypt (pubK B) {Nonce NA, Agent A}) : set evs2 ] 
2497  33 
==> Says B A (Crypt (pubK A) {Nonce NA, Nonce NB, Agent B}) 
34 
# evs2 : ns_public" 
2318  35 

36 
(*Alice proves her existence by sending NB back to Bob.*) 

37 
NS3 "[ evs3: ns_public; 
38 
Says A B (Crypt (pubK B) {Nonce NA, Agent A}) : set evs3; 
39 
Says B' A (Crypt (pubK A) {Nonce NA, Nonce NB, Agent B}) 
40 
: set evs3 ] 
41 
==> Says A B (Crypt (pubK B) (Nonce NB)) # evs3 : ns_public" 
2318  42 

43 
(**Oops message??**) 

44 

45 
end 