src/HOL/Auth/Yahalom2.thy
author paulson
Thu Dec 19 11:58:39 1996 +0100 (1996-12-19)
changeset 2451 ce85a2aafc7a
parent 2378 fc103154ad8f
child 2516 4d68fbe6378b
permissions -rw-r--r--
Extensive tidying and simplification, largely stemming from
changing newN and newK to take an integer argument
     1 (*  Title:      HOL/Auth/Yahalom
     2     ID:         $Id$
     3     Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     4     Copyright   1996  University of Cambridge
     5 
     6 Inductive relation "yahalom" for the Yahalom protocol, Variant 2.
     7 
     8 This version trades encryption of NB for additional explicitness in YM3.
     9 It also omits encryption in YM2.  The resulting protocol no longer guarantees
    10 that the other agent is present.
    11 
    12 From page 259 of
    13   Burrows, Abadi and Needham.  A Logic of Authentication.
    14   Proc. Royal Soc. 426 (1989)
    15 *)
    16 
    17 Yahalom2 = Shared + 
    18 
    19 consts  yahalom   :: agent set => event list set
    20 inductive "yahalom lost"
    21   intrs 
    22          (*Initial trace is empty*)
    23     Nil  "[]: yahalom lost"
    24 
    25          (*The spy MAY say anything he CAN say.  We do not expect him to
    26            invent new nonces here, but he can also use NS1.  Common to
    27            all similar protocols.*)
    28     Fake "[| evs: yahalom lost;  B ~= Spy;  
    29              X: synth (analz (sees lost Spy evs)) |]
    30           ==> Says Spy B X  # evs : yahalom lost"
    31 
    32          (*Alice initiates a protocol run*)
    33     YM1  "[| evs: yahalom lost;  A ~= B |]
    34           ==> Says A B {|Agent A, Nonce (newN(length evs))|} # evs : yahalom lost"
    35 
    36          (*Bob's response to Alice's message.  Bob doesn't know who 
    37 	   the sender is, hence the A' in the sender field.*)
    38     YM2  "[| evs: yahalom lost;  B ~= Server;
    39              Says A' B {|Agent A, Nonce NA|} : set_of_list evs |]
    40           ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce (newN(length evs))|}
    41                  # evs : yahalom lost"
    42 
    43          (*The Server receives Bob's message.  He responds by sending a
    44            new session key to Alice, with a packet for forwarding to Bob.
    45            Fields are reversed in the 2nd packet to prevent attacks.*)
    46     YM3  "[| evs: yahalom lost;  A ~= B;  A ~= Server;
    47              Says B' Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
    48                : set_of_list evs |]
    49           ==> Says Server A
    50                {|Nonce NB, 
    51                  Crypt (shrK A) {|Agent B, Key (newK(length evs)), Nonce NA|},
    52                  Crypt (shrK B) {|Nonce NB, Key (newK(length evs)), Agent A|}|}
    53                  # evs : yahalom lost"
    54 
    55          (*Alice receives the Server's (?) message, checks her Nonce, and
    56            uses the new session key to send Bob his Nonce.*)
    57     YM4  "[| evs: yahalom lost;  A ~= Server;  A ~= B;  
    58              Says S A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
    59                         X|}
    60                : set_of_list evs;
    61              Says A B {|Agent A, Nonce NA|} : set_of_list evs |]
    62           ==> Says A B {|X, Crypt K (Nonce NB)|} # evs : yahalom lost"
    63 
    64          (*This message models possible leaks of session keys.  The nonces
    65            identify the protocol run.  Quoting Server here ensures they are
    66            correct. *)
    67     Oops "[| evs: yahalom lost;  A ~= Spy;
    68              Says Server A {|Nonce NB, 
    69                              Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
    70                              X|}  : set_of_list evs |]
    71           ==> Says A Spy {|Nonce NA, Nonce NB, Key K|} # evs : yahalom lost"
    72 
    73 end