17 |
17 |
18 consts yahalom :: event list set |
18 consts yahalom :: event list set |
19 inductive "yahalom" |
19 inductive "yahalom" |
20 intrs |
20 intrs |
21 (*Initial trace is empty*) |
21 (*Initial trace is empty*) |
22 Nil "[]: yahalom" |
22 Nil "[] \\<in> yahalom" |
23 |
23 |
24 (*The spy MAY say anything he CAN say. We do not expect him to |
24 (*The spy MAY say anything he CAN say. We do not expect him to |
25 invent new nonces here, but he can also use NS1. Common to |
25 invent new nonces here, but he can also use NS1. Common to |
26 all similar protocols.*) |
26 all similar protocols.*) |
27 Fake "[| evs: yahalom; X: synth (analz (knows Spy evs)) |] |
27 Fake "[| evsf \\<in> yahalom; X \\<in> synth (analz (knows Spy evsf)) |] |
28 ==> Says Spy B X # evs : yahalom" |
28 ==> Says Spy B X # evsf \\<in> yahalom" |
29 |
29 |
30 (*A message that has been sent can be received by the |
30 (*A message that has been sent can be received by the |
31 intended recipient.*) |
31 intended recipient.*) |
32 Reception "[| evsr: yahalom; Says A B X : set evsr |] |
32 Reception "[| evsr \\<in> yahalom; Says A B X \\<in> set evsr |] |
33 ==> Gets B X # evsr : yahalom" |
33 ==> Gets B X # evsr \\<in> yahalom" |
34 |
34 |
35 (*Alice initiates a protocol run*) |
35 (*Alice initiates a protocol run*) |
36 YM1 "[| evs1: yahalom; Nonce NA ~: used evs1 |] |
36 YM1 "[| evs1 \\<in> yahalom; Nonce NA \\<notin> used evs1 |] |
37 ==> Says A B {|Agent A, Nonce NA|} # evs1 : yahalom" |
37 ==> Says A B {|Agent A, Nonce NA|} # evs1 \\<in> yahalom" |
38 |
38 |
39 (*Bob's response to Alice's message.*) |
39 (*Bob's response to Alice's message.*) |
40 YM2 "[| evs2: yahalom; Nonce NB ~: used evs2; |
40 YM2 "[| evs2 \\<in> yahalom; Nonce NB \\<notin> used evs2; |
41 Gets B {|Agent A, Nonce NA|} : set evs2 |] |
41 Gets B {|Agent A, Nonce NA|} \\<in> set evs2 |] |
42 ==> Says B Server |
42 ==> Says B Server |
43 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} |
43 {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|} |
44 # evs2 : yahalom" |
44 # evs2 \\<in> yahalom" |
45 |
45 |
46 (*The Server receives Bob's message. He responds by sending a |
46 (*The Server receives Bob's message. He responds by sending a |
47 new session key to Alice, with a certificate for forwarding to Bob. |
47 new session key to Alice, with a certificate for forwarding to Bob. |
48 Both agents are quoted in the 2nd certificate to prevent attacks!*) |
48 Both agents are quoted in the 2nd certificate to prevent attacks!*) |
49 YM3 "[| evs3: yahalom; Key KAB ~: used evs3; |
49 YM3 "[| evs3 \\<in> yahalom; Key KAB \\<notin> used evs3; |
50 Gets Server {|Agent B, Nonce NB, |
50 Gets Server {|Agent B, Nonce NB, |
51 Crypt (shrK B) {|Agent A, Nonce NA|}|} |
51 Crypt (shrK B) {|Agent A, Nonce NA|}|} |
52 : set evs3 |] |
52 \\<in> set evs3 |] |
53 ==> Says Server A |
53 ==> Says Server A |
54 {|Nonce NB, |
54 {|Nonce NB, |
55 Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|}, |
55 Crypt (shrK A) {|Agent B, Key KAB, Nonce NA|}, |
56 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|} |
56 Crypt (shrK B) {|Agent A, Agent B, Key KAB, Nonce NB|}|} |
57 # evs3 : yahalom" |
57 # evs3 \\<in> yahalom" |
58 |
58 |
59 (*Alice receives the Server's (?) message, checks her Nonce, and |
59 (*Alice receives the Server's (?) message, checks her Nonce, and |
60 uses the new session key to send Bob his Nonce.*) |
60 uses the new session key to send Bob his Nonce.*) |
61 YM4 "[| evs4: yahalom; |
61 YM4 "[| evs4 \\<in> yahalom; |
62 Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
62 Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
63 X|} : set evs4; |
63 X|} \\<in> set evs4; |
64 Says A B {|Agent A, Nonce NA|} : set evs4 |] |
64 Says A B {|Agent A, Nonce NA|} \\<in> set evs4 |] |
65 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 : yahalom" |
65 ==> Says A B {|X, Crypt K (Nonce NB)|} # evs4 \\<in> yahalom" |
66 |
66 |
67 (*This message models possible leaks of session keys. The nonces |
67 (*This message models possible leaks of session keys. The nonces |
68 identify the protocol run. Quoting Server here ensures they are |
68 identify the protocol run. Quoting Server here ensures they are |
69 correct. *) |
69 correct. *) |
70 Oops "[| evso: yahalom; |
70 Oops "[| evso \\<in> yahalom; |
71 Says Server A {|Nonce NB, |
71 Says Server A {|Nonce NB, |
72 Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
72 Crypt (shrK A) {|Agent B, Key K, Nonce NA|}, |
73 X|} : set evso |] |
73 X|} \\<in> set evso |] |
74 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : yahalom" |
74 ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso \\<in> yahalom" |
75 |
75 |
76 end |
76 end |