(* 
Inductive relation "otway" for the OtwayRees protocol 
3 
extended by Gets primitive. 
5 
Version that encrypts Nonce NB 
6 

1941  7 
*) 
8 

9 
OtwayRees = Shared + 

10 

11 

12 
consts otway :: event list set 
13 
inductive "otway" 
1941  14 
intrs 
15 
(*Initial trace is empty*) 

16 
Nil "[]: otway" 
1941  17 

18 
(** These rules allow agents to send messages to themselves **) 
19 

2032  20 
(*The spy MAY say anything he CAN say. We do not expect him to 
1941  21 
invent new nonces here, but he can also use NS1. Common to 
22 
all similar protocols.*) 

23 
Fake "[ evsa: otway; X: synth (analz (knows Spy evsa)) ] 
24 
==> Says Spy B X # evsa : otway" 
25 

26 
(*A message that has been sent can be received by the 
27 
intended recipient.*) 
28 
Reception "[ evsr: otway; Says A B X : set evsr ] 
29 
==> Gets B X # evsr : otway" 
1941  30 

31 
(*Alice initiates a protocol run*) 

5434
9b4bed3f394c
Got rid of not_Says_to_self and most uses of ~= in definitions and theorems
paulson
parents:
5359
diff
changeset

32 
OR1 "[ evs1: otway; Nonce NA ~: used evs1 ] 
33 
==> Says A B {Nonce NA, Agent A, Agent B, 
34 
Crypt (shrK A) {Nonce NA, Agent A, Agent B} } 
35 
# evs1 : otway" 
1941  36 

6333  37 
(*Bob's response to Alice's message. Note that NB is encrypted.*) 
5434
9b4bed3f394c
Got rid of not_Says_to_self and most uses of ~= in definitions and theorems
paulson
parents:
5359
diff
changeset

38 
OR2 "[ evs2: otway; Nonce NB ~: used evs2; 
39 
Gets B {Nonce NA, Agent A, Agent B, X} : set evs2 ] 
1976  40 
==> Says B Server 
41 
{Nonce NA, Agent A, Agent B, X, 
42 
Crypt (shrK B) 
43 
{Nonce NA, Nonce NB, Agent A, Agent B}} 
44 
# evs2 : otway" 
1941  45 

46 
(*The Server receives Bob's message and checks that the three NAs 

47 
match. Then he sends a new session key to Bob with a packet for 

48 
forwarding to Alice.*) 

5434
9b4bed3f394c
Got rid of not_Says_to_self and most uses of ~= in definitions and theorems
paulson
parents:
5359
diff
changeset

49 
OR3 "[ evs3: otway; Key KAB ~: used evs3; 
50 
Gets Server 
1941  51 
{Nonce NA, Agent A, Agent B, 
52 
Crypt (shrK A) {Nonce NA, Agent A, Agent B}, 
53 
Crypt (shrK B) {Nonce NA, Nonce NB, Agent A, Agent B}} 
54 
: set evs3 ] 
1976  55 
==> Says Server B 
1941  56 
{Nonce NA, 
57 
Crypt (shrK A) {Nonce NA, Key KAB}, 
58 
Crypt (shrK B) {Nonce NB, Key KAB}} 
59 
# evs3 : otway" 
1941  60 

61 
(*Bob receives the Server's (?) message and compares the Nonces with 

62 
those in the message he previously sent the Server. 
63 
Need B ~= Server because we allow messages to self.*) 
64 
OR4 "[ evs4: otway; B ~= Server; 
65 
Says B Server {Nonce NA, Agent A, Agent B, X', 
2284
66 
Crypt (shrK B) 
67 
{Nonce NA, Nonce NB, Agent A, Agent B}} 
68 
: set evs4; 
69 
Gets B {Nonce NA, X, Crypt (shrK B) {Nonce NB, Key K}} 
70 
: set evs4 ] 
71 
==> Says B A {Nonce NA, X} # evs4 : otway" 
1941  72 

2135  73 
(*This message models possible leaks of session keys. The nonces 
74 
identify the protocol run.*) 

5359  75 
Oops "[ evso: otway; 
76 
Says Server B {Nonce NA, X, Crypt (shrK B) {Nonce NB, Key K}} 
77 
: set evso ] 
78 
==> Notes Spy {Nonce NA, Nonce NB, Key K} # evso : otway" 
1941  79 

80 
end 