author  paulson 
Thu, 08 Jan 1998 18:10:34 +0100  
(* Title: HOL/Auth/OtwayRees 
2 
ID: $Id$ 

3 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 

4 
Copyright 1996 University of Cambridge 

5 

6 
Inductive relation "otway" for the OtwayRees protocol. 

7 

8 
Simplified version with minimal encryption but explicit messages 

9 

10 
Note that the formalization does not even assume that nonces are fresh. 
11 
This is because the protocol does not rely on uniqueness of nonces for 
12 
security, only for freshness, and the proof script does not prove freshness 
13 
properties. 
14 

2090  15 
From page 11 of 
16 
Abadi and Needham. Prudent Engineering Practice for Cryptographic Protocols. 

17 
IEEE Trans. SE 22 (1), 1996 

18 
*) 

19 

20 
OtwayRees_AN = Shared + 

21 

22 
consts otway :: event list set 
23 
inductive "otway" 
2090  24 
intrs 
25 
(*Initial trace is empty*) 

26 
Nil "[]: otway" 
2090  27 

28 
(*The spy MAY say anything he CAN say. We do not expect him to 

29 
invent new nonces here, but he can also use NS1. Common to 

30 
all similar protocols.*) 

31 
Fake "[ evs: otway; B ~= Spy; 
3683  32 
X: synth (analz (spies evs)) ] 
33 
==> Says Spy B X # evs : otway" 
2090  34 

35 
(*Alice initiates a protocol run*) 

36 
OR1 "[ evs1: otway; A ~= B; B ~= Server ] 
eddedfe2f3f8
Renamed "evs" to "evs1", "evs2", etc. in protocol inductive definition
paulson
parents:
3519
diff
changeset

37 
==> Says A B {Agent A, Agent B, Nonce NA} # evs1 : otway" 
2090  38 

39 
(*Bob's response to Alice's message. Bob doesn't know who 

40 
the sender is, hence the A' in the sender field.*) 

41 
OR2 "[ evs2: otway; B ~= Server; 
eddedfe2f3f8
Renamed "evs" to "evs1", "evs2", etc. in protocol inductive definition
paulson
parents:
3519
diff
changeset

42 
Says A' B {Agent A, Agent B, Nonce NA} : set evs2 ] 
43 
==> Says B Server {Agent A, Agent B, Nonce NA, Nonce NB} 
3659
eddedfe2f3f8
Renamed "evs" to "evs1", "evs2", etc. in protocol inductive definition
paulson
parents:
3519
diff
changeset

44 
# evs2 : otway" 
2090  45 

46 
(*The Server receives Bob's message. Then he sends a new 

47 
session key to Bob with a packet for forwarding to Alice.*) 

48 
OR3 "[ evs3: otway; B ~= Server; A ~= B; Key KAB ~: used evs3; 
2090  49 
Says B' Server {Agent A, Agent B, Nonce NA, Nonce NB} 
50 
: set evs3 ] 
2090  51 
==> Says Server B 
52 
{Crypt (shrK A) {Nonce NA, Agent A, Agent B, Key KAB}, 
53 
Crypt (shrK B) {Nonce NB, Agent A, Agent B, Key KAB}} 
54 
# evs3 : otway" 
2090  55 

56 
(*Bob receives the Server's (?) message and compares the Nonces with 

57 
those in the message he previously sent the Server.*) 

58 
OR4 "[ evs4: otway; A ~= B; 
eddedfe2f3f8
Renamed "evs" to "evs1", "evs2", etc. in protocol inductive definition
paulson
parents:
3519
diff
changeset

59 
Says B Server {Agent A, Agent B, Nonce NA, Nonce NB} : set evs4; 
60 
Says S' B {X, Crypt(shrK B){Nonce NB,Agent A,Agent B,Key K}} 
3659
eddedfe2f3f8
Renamed "evs" to "evs1", "evs2", etc. in protocol inductive definition
paulson
parents:
3519
diff
changeset

61 
: set evs4 ] 
eddedfe2f3f8
Renamed "evs" to "evs1", "evs2", etc. in protocol inductive definition
paulson
parents:
3519
diff
changeset

62 
==> Says B A X # evs4 : otway" 
2090  63 

2131  64 
(*This message models possible leaks of session keys. The nonces 
65 
identify the protocol run. B is not assumed to know shrK A.*) 

66 
Oops "[ evso: otway; B ~= Spy; 
2131  67 
Says Server B 
68 
{Crypt (shrK A) {Nonce NA, Agent A, Agent B, Key K}, 
80ebd1a213fd
Swapped arguments of Crypt (for clarity and because it is conventional)
paulson
parents:
2131
diff
changeset

69 
Crypt (shrK B) {Nonce NB, Agent A, Agent B, Key K}} 
70 
: set evso ] 
71 
==> Notes Spy {Nonce NA, Nonce NB, Key K} # evso : otway" 
2090  72 

73 
end 