src/HOL/Auth/Yahalom.thy
author paulson
Thu Oct 24 10:38:35 1996 +0200 (1996-10-24)
changeset 2125 92a08ee6a9cb
parent 2110 d01151e66cd4
child 2156 9c361df93bd5
permissions -rw-r--r--
New Oops message, with Server as source to ensure
correct nonces
     1 (*  Title:      HOL/Auth/Yahalom
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "yahalom" for the Yahalom protocol.
     7 
     8 From page 257 of
     9   Burrows, Abadi and Needham.  A Logic of Authentication.
    10   Proc. Royal Soc. 426 (1989)
    11 *)
    12 
    13 Yahalom = Shared + 
    14 
    15 consts  yahalom   :: "agent set => event list set"
    16 inductive "yahalom lost"
    17   intrs 
    18          (*Initial trace is empty*)
    19     Nil  "[]: yahalom lost"
    20 
    21          (*The spy MAY say anything he CAN say.  We do not expect him to
    22            invent new nonces here, but he can also use NS1.  Common to
    23            all similar protocols.*)
    24     Fake "[| evs: yahalom lost;  B ~= Spy;  
    25              X: synth (analz (sees lost Spy evs)) |]
    26           ==> Says Spy B X  # evs : yahalom lost"
    27 
    28          (*Alice initiates a protocol run*)
    29     YM1  "[| evs: yahalom lost;  A ~= B |]
    30           ==> Says A B {|Agent A, Nonce (newN evs)|} # evs : yahalom lost"
    31 
    32          (*Bob's response to Alice's message.  Bob doesn't know who 
    33 	   the sender is, hence the A' in the sender field.*)
    34     YM2  "[| evs: yahalom lost;  B ~= Server;
    35              Says A' B {|Agent A, Nonce NA|} : set_of_list evs |]
    36           ==> Says B Server 
    37                   {|Agent B, 
    38                     Crypt {|Agent A, Nonce NA, Nonce (newN evs)|} (shrK B)|}
    39                  # evs : yahalom lost"
    40 
    41          (*The Server receives Bob's message.  He responds by sending a
    42             new session key to Alice, with a packet for forwarding to Bob.*)
    43     YM3  "[| evs: yahalom lost;  A ~= Server;
    44              Says B' Server 
    45                   {|Agent B, Crypt {|Agent A, Nonce NA, Nonce NB|} (shrK B)|}
    46                : set_of_list evs |]
    47           ==> Says Server A
    48                   {|Crypt {|Agent B, Key (newK evs), 
    49                             Nonce NA, Nonce NB|} (shrK A),
    50                     Crypt {|Agent A, Key (newK evs)|} (shrK B)|}
    51                  # evs : yahalom lost"
    52 
    53          (*Alice receives the Server's (?) message, checks her Nonce, and
    54            uses the new session key to send Bob his Nonce.*)
    55     YM4  "[| evs: yahalom lost;  A ~= Server;  A ~= B;  
    56              Says S A {|Crypt {|Agent B, Key K, Nonce NA, Nonce NB|} (shrK A),
    57                         X|}  : set_of_list evs;
    58              Says A B {|Agent A, Nonce NA|} : set_of_list evs |]
    59           ==> Says A B {|X, Crypt (Nonce NB) K|} # evs : yahalom lost"
    60 
    61          (*This message models possible leaks of session keys.  The Nonces
    62            identify the protocol run.*)
    63     Oops "[| evs: yahalom lost;  A ~= Spy;
    64              Says Server A {|Crypt {|Agent B, Key K, Nonce NA, Nonce NB|} 
    65                                    (shrK A),
    66                              X|}  : set_of_list evs |]
    67           ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : yahalom lost"
    68 
    69 end