src/HOL/Auth/Yahalom2.thy
author paulson
Wed Mar 10 10:42:57 1999 +0100 (1999-03-10)
changeset 6335 7e4bffaa2a3e
parent 5434 9b4bed3f394c
child 11185 1b737b4c2108
permissions -rw-r--r--
updating both Yahalom protocols to the Gets model
     1 (*  Title:      HOL/Auth/Yahalom2
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "yahalom" for the Yahalom protocol, Variant 2.
     7 
     8 This version trades encryption of NB for additional explicitness in YM3.
     9 Also in YM3, care is taken to make the two certificates distinct.
    10 
    11 From page 259 of
    12   Burrows, Abadi and Needham.  A Logic of Authentication.
    13   Proc. Royal Soc. 426 (1989)
    14 *)
    15 
    16 Yahalom2 = Shared + 
    17 
    18 consts  yahalom   :: event list set
    19 inductive "yahalom"
    20   intrs 
    21          (*Initial trace is empty*)
    22     Nil  "[]: yahalom"
    23 
    24          (*The spy MAY say anything he CAN say.  We do not expect him to
    25            invent new nonces here, but he can also use NS1.  Common to
    26            all similar protocols.*)
    27     Fake "[| evs: yahalom;  X: synth (analz (knows Spy evs)) |]
    28           ==> Says Spy B X  # evs : yahalom"
    29 
    30          (*A message that has been sent can be received by the
    31            intended recipient.*)
    32     Reception "[| evsr: yahalom;  Says A B X : set evsr |]
    33                ==> Gets B X # evsr : yahalom"
    34 
    35          (*Alice initiates a protocol run*)
    36     YM1  "[| evs1: yahalom;  Nonce NA ~: used evs1 |]
    37           ==> Says A B {|Agent A, Nonce NA|} # evs1 : yahalom"
    38 
    39          (*Bob's response to Alice's message.*)
    40     YM2  "[| evs2: yahalom;  Nonce NB ~: used evs2;
    41              Gets B {|Agent A, Nonce NA|} : set evs2 |]
    42           ==> Says B Server 
    43                   {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
    44                 # evs2 : yahalom"
    45 
    46          (*The Server receives Bob's message.  He responds by sending a
    47            new session key to Alice, with a certificate for forwarding to Bob.
    48            Both agents are quoted in the 2nd certificate to prevent attacks!*)
    49     YM3  "[| evs3: yahalom;  Key KAB ~: used evs3;
    50              Gets Server {|Agent B, Nonce NB,
    51 			   Crypt (shrK B) {|Agent A, Nonce NA|}|}
    52                : set evs3 |]
    53           ==> Says Server A
    54                {|Nonce NB, 
    55                  Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|},
    56                  Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|}
    57                  # evs3 : yahalom"
    58 
    59          (*Alice receives the Server's (?) message, checks her Nonce, and
    60            uses the new session key to send Bob his Nonce.*)
    61     YM4  "[| evs4: yahalom;  
    62              Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
    63                       X|}  : set evs4;
    64              Says A B {|Agent A, Nonce NA|} : set evs4 |]
    65           ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 : yahalom"
    66 
    67          (*This message models possible leaks of session keys.  The nonces
    68            identify the protocol run.  Quoting Server here ensures they are
    69            correct. *)
    70     Oops "[| evso: yahalom;  
    71              Says Server A {|Nonce NB, 
    72                              Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
    73                              X|}  : set evso |]
    74           ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : yahalom"
    75 
    76 end