src/HOL/Auth/OtwayRees.thy
author paulson
Fri Sep 19 18:27:31 1997 +0200 (1997-09-19)
changeset 3686 4b484805b4c4
parent 3683 aafe719dff14
child 4537 4e835bd9fada
permissions -rw-r--r--
First working version with Oops event for session keys
     1 (*  Title:      HOL/Auth/OtwayRees
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "otway" for the Otway-Rees protocol.
     7 
     8 Version that encrypts Nonce NB
     9 
    10 From page 244 of
    11   Burrows, Abadi and Needham.  A Logic of Authentication.
    12   Proc. Royal Soc. 426 (1989)
    13 *)
    14 
    15 OtwayRees = Shared + 
    16 
    17 consts  otway   :: event list set
    18 inductive "otway"
    19   intrs 
    20          (*Initial trace is empty*)
    21     Nil  "[]: otway"
    22 
    23          (*The spy MAY say anything he CAN say.  We do not expect him to
    24            invent new nonces here, but he can also use NS1.  Common to
    25            all similar protocols.*)
    26     Fake "[| evs: otway;  B ~= Spy;  
    27              X: synth (analz (spies evs)) |]
    28           ==> Says Spy B X  # evs : otway"
    29 
    30          (*Alice initiates a protocol run*)
    31     OR1  "[| evs1: otway;  A ~= B;  B ~= Server;  Nonce NA ~: used evs1 |]
    32           ==> Says A B {|Nonce NA, Agent A, Agent B, 
    33                          Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} 
    34                  # evs1 : otway"
    35 
    36          (*Bob's response to Alice's message.  Bob doesn't know who 
    37 	   the sender is, hence the A' in the sender field.
    38            Note that NB is encrypted.*)
    39     OR2  "[| evs2: otway;  B ~= Server;  Nonce NB ~: used evs2;
    40              Says A' B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |]
    41           ==> Says B Server 
    42                   {|Nonce NA, Agent A, Agent B, X, 
    43                     Crypt (shrK B)
    44                       {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
    45                  # evs2 : otway"
    46 
    47          (*The Server receives Bob's message and checks that the three NAs
    48            match.  Then he sends a new session key to Bob with a packet for
    49            forwarding to Alice.*)
    50     OR3  "[| evs3: otway;  B ~= Server;  Key KAB ~: used evs3;
    51              Says B' Server 
    52                   {|Nonce NA, Agent A, Agent B, 
    53                     Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, 
    54                     Crypt (shrK B) {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
    55                : set evs3 |]
    56           ==> Says Server B 
    57                   {|Nonce NA, 
    58                     Crypt (shrK A) {|Nonce NA, Key KAB|},
    59                     Crypt (shrK B) {|Nonce NB, Key KAB|}|}
    60                  # evs3 : otway"
    61 
    62          (*Bob receives the Server's (?) message and compares the Nonces with
    63 	   those in the message he previously sent the Server.*)
    64     OR4  "[| evs4: otway;  A ~= B;  
    65              Says B Server {|Nonce NA, Agent A, Agent B, X', 
    66                              Crypt (shrK B)
    67                                    {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
    68                : set evs4;
    69              Says S' B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
    70                : set evs4 |]
    71           ==> Says B A {|Nonce NA, X|} # evs4 : otway"
    72 
    73          (*This message models possible leaks of session keys.  The nonces
    74            identify the protocol run.*)
    75     Oops "[| evso: otway;  B ~= Spy;
    76              Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
    77                : set evso |]
    78           ==> Says B Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway"
    79 
    80 end