src/HOL/Auth/OtwayRees_Bad.thy
author paulson
Fri Jul 04 17:34:55 1997 +0200 (1997-07-04)
changeset 3500 0d8ad2f192d8
parent 3465 e85c24717cad
child 3519 ab0a9fbed4c0
permissions -rw-r--r--
New constant "certificate"--just an abbreviation
     1 (*  Title:      HOL/Auth/OtwayRees_Bad
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "otway" for the Otway-Rees protocol.
     7 
     8 The FAULTY version omitting encryption of Nonce NB, as suggested on page 247 of
     9   Burrows, Abadi and Needham.  A Logic of Authentication.
    10   Proc. Royal Soc. 426 (1989)
    11 *)
    12 
    13 OtwayRees_Bad = Shared + 
    14 
    15 consts  lost    :: agent set        (*No need for it to be a variable*)
    16 	otway   :: event list set
    17 
    18 inductive otway
    19   intrs 
    20          (*Initial trace is empty*)
    21     Nil  "[]: otway"
    22 
    23          (*The spy MAY say anything he CAN say.  We do not expect him to
    24            invent new nonces here, but he can also use NS1.  Common to
    25            all similar protocols.*)
    26     Fake "[| evs: otway;  B ~= Spy;  X: synth (analz (sees lost Spy evs)) |]
    27           ==> Says Spy B X  # evs : otway"
    28 
    29          (*Alice initiates a protocol run*)
    30     OR1  "[| evs: otway;  A ~= B;  B ~= Server;  Nonce NA ~: used evs |]
    31           ==> Says A B {|Nonce NA, Agent A, Agent B, 
    32                          Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} 
    33                  # evs : otway"
    34 
    35          (*Bob's response to Alice's message.  Bob doesn't know who 
    36 	   the sender is, hence the A' in the sender field.
    37            We modify the published protocol by NOT encrypting NB.*)
    38     OR2  "[| evs: otway;  B ~= Server;  Nonce NB ~: used evs;
    39              Says A' B {|Nonce NA, Agent A, Agent B, X|} : set evs |]
    40           ==> Says B Server 
    41                   {|Nonce NA, Agent A, Agent B, X, Nonce NB,
    42                     Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
    43                  # evs : otway"
    44 
    45          (*The Server receives Bob's message and checks that the three NAs
    46            match.  Then he sends a new session key to Bob with a packet for
    47            forwarding to Alice.*)
    48     OR3  "[| evs: otway;  B ~= Server;  Key KAB ~: used evs;
    49              Says B' Server 
    50                   {|Nonce NA, Agent A, Agent B, 
    51                     Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, 
    52                     Nonce NB, 
    53                     Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
    54                : set evs |]
    55           ==> Says Server B 
    56                   {|Nonce NA, 
    57                     Crypt (shrK A) {|Nonce NA, Key KAB|},
    58                     Crypt (shrK B) {|Nonce NB, Key KAB|}|}
    59                  # evs : otway"
    60 
    61          (*Bob receives the Server's (?) message and compares the Nonces with
    62 	   those in the message he previously sent the Server.*)
    63     OR4  "[| evs: otway;  A ~= B;
    64              Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB, X''|}
    65                : set evs;
    66              Says S' B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
    67                : set evs |]
    68           ==> Says B A {|Nonce NA, X|} # evs : otway"
    69 
    70          (*This message models possible leaks of session keys.  The nonces
    71            identify the protocol run.*)
    72     Oops "[| evs: otway;  B ~= Spy;
    73              Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
    74                : set evs |]
    75           ==> Says B Spy {|Nonce NA, Nonce NB, Key K|} # evs : otway"
    76 
    77 end