src/HOL/Auth/OtwayRees_Bad.thy
author paulson
Thu Sep 23 13:06:31 1999 +0200 (1999-09-23)
changeset 7584 5be4bb8e4e3f
parent 6333 b1dec44d0018
child 11185 1b737b4c2108
permissions -rw-r--r--
tidied; added lemma restrict_to_left
     1 (*  Title:      HOL/Auth/OtwayRees_Bad
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "otway" for the Otway-Rees protocol.
     7 
     8 The FAULTY version omitting encryption of Nonce NB, as suggested on page 247 of
     9   Burrows, Abadi and Needham.  A Logic of Authentication.
    10   Proc. Royal Soc. 426 (1989)
    11 *)
    12 
    13 OtwayRees_Bad = Shared + 
    14 
    15 consts  otway   :: event list set
    16 
    17 inductive otway
    18   intrs 
    19          (*Initial trace is empty*)
    20     Nil  "[]: otway"
    21 
    22          (*The spy MAY say anything he CAN say.  We do not expect him to
    23            invent new nonces here, but he can also use NS1.  Common to
    24            all similar protocols.*)
    25     Fake "[| evs: otway;  X: synth (analz (knows Spy evs)) |]
    26           ==> Says Spy B X  # evs : otway"
    27 
    28          (*A message that has been sent can be received by the
    29            intended recipient.*)
    30     Reception "[| evsr: otway;  Says A B X : set evsr |]
    31                ==> Gets B X # evsr : otway"
    32 
    33          (*Alice initiates a protocol run*)
    34     OR1  "[| evs1: otway;  Nonce NA ~: used evs1 |]
    35           ==> Says A B {|Nonce NA, Agent A, Agent B, 
    36                          Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |} 
    37                  # evs1 : otway"
    38 
    39          (*Bob's response to Alice's message. 
    40            This variant of the protocol does NOT encrypt NB.*)
    41     OR2  "[| evs2: otway;  Nonce NB ~: used evs2;
    42              Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |]
    43           ==> Says B Server 
    44                   {|Nonce NA, Agent A, Agent B, X, Nonce NB,
    45                     Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
    46                  # evs2 : otway"
    47 
    48          (*The Server receives Bob's message and checks that the three NAs
    49            match.  Then he sends a new session key to Bob with a packet for
    50            forwarding to Alice.*)
    51     OR3  "[| evs3: otway;  Key KAB ~: used evs3;
    52              Gets Server 
    53                   {|Nonce NA, Agent A, Agent B, 
    54                     Crypt (shrK A) {|Nonce NA, Agent A, Agent B|}, 
    55                     Nonce NB, 
    56                     Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
    57                : set evs3 |]
    58           ==> Says Server B 
    59                   {|Nonce NA, 
    60                     Crypt (shrK A) {|Nonce NA, Key KAB|},
    61                     Crypt (shrK B) {|Nonce NB, Key KAB|}|}
    62                  # evs3 : otway"
    63 
    64          (*Bob receives the Server's (?) message and compares the Nonces with
    65 	   those in the message he previously sent the Server.
    66            Need B ~= Server because we allow messages to self.*)
    67     OR4  "[| evs4: otway;  B ~= Server;
    68              Says B Server {|Nonce NA, Agent A, Agent B, X', Nonce NB,
    69                              Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
    70                : set evs4;
    71              Gets B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
    72                : set evs4 |]
    73           ==> Says B A {|Nonce NA, X|} # evs4 : otway"
    74 
    75          (*This message models possible leaks of session keys.  The nonces
    76            identify the protocol run.*)
    77     Oops "[| evso: otway;  
    78              Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
    79                : set evso |]
    80           ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway"
    81 
    82 end