(* Title: HOL/Auth/Yahalom2 
New version of Yahalom, as recommended on p 259 of BAN paper
ID: $Id$ 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 
Copyright 1996 University of Cambridge 
Inductive relation "yahalom" for the Yahalom protocol, Variant 2. 
This version trades encryption of NB for additional explicitness in YM3. 
3432  9 
Also in YM3, care is taken to make the two certificates distinct. 
10 

From page 259 of 
Burrows, Abadi and Needham. A Logic of Authentication. 
Proc. Royal Soc. 426 (1989) 
*) 
Yahalom2 = Shared + 
consts yahalom :: event list set 
inductive "yahalom" 
intrs 
(*Initial trace is empty*) 
Nil "[]: yahalom" 
(*The spy MAY say anything he CAN say. We do not expect him to 
invent new nonces here, but he can also use NS1. Common to 
all similar protocols.*) 
6335  27 
Fake "[ evs: yahalom; X: synth (analz (knows Spy evs)) ] 
==> Says Spy B X # evs : yahalom" 
6335  30 
(*A message that has been sent can be received by the 
31 
intended recipient.*) 

32 
Reception "[ evsr: yahalom; Says A B X : set evsr ] 

33 
==> Gets B X # evsr : yahalom" 

34 

(*Alice initiates a protocol run*) 
YM1 "[ evs1: yahalom; Nonce NA ~: used evs1 ] 
==> Says A B {Agent A, Nonce NA} # evs1 : yahalom" 
6335  39 
(*Bob's response to Alice's message.*) 
YM2 "[ evs2: yahalom; Nonce NB ~: used evs2; 
6335  41 
Gets B {Agent A, Nonce NA} : set evs2 ] 
3432  42 
==> Says B Server 
43 
{Agent B, Nonce NB, Crypt (shrK B) {Agent A, Nonce NA}} 

# evs2 : yahalom" 
(*The Server receives Bob's message. He responds by sending a 
new session key to Alice, with a certificate for forwarding to Bob. 
Both agents are quoted in the 2nd certificate to prevent attacks!*) 
YM3 "[ evs3: yahalom; Key KAB ~: used evs3; 
6335  50 
Gets Server {Agent B, Nonce NB, 
51 
Crypt (shrK B) {Agent A, Nonce NA}} 

: set evs3 ] 
==> Says Server A 
{Nonce NB, 
Crypt (shrK A) {Agent B, Key KAB, Nonce NA}, 
Crypt (shrK B) {Agent A, Agent B, Key KAB, Nonce NB}} 
# evs3 : yahalom" 
(*Alice receives the Server's (?) message, checks her Nonce, and 
uses the new session key to send Bob his Nonce.*) 
YM4 "[ evs4: yahalom; 
6335  62 
Gets A {Nonce NB, Crypt (shrK A) {Agent B, Key K, Nonce NA}, 
63 
X} : set evs4; 

Says A B {Agent A, Nonce NA} : set evs4 ] 
==> Says A B {X, Crypt K (Nonce NB)} # evs4 : yahalom" 
2155  67 
(*This message models possible leaks of session keys. The nonces 
68 
identify the protocol run. Quoting Server here ensures they are 

69 
correct. *) 

5359  70 
Oops "[ evso: yahalom; 
2155  71 
Says Server A {Nonce NB, 
Crypt (shrK A) {Agent B, Key K, Nonce NA}, 
X} : set evso ] 
==> Notes Spy {Nonce NA, Nonce NB, Key K} # evso : yahalom" 
end 